An adversary may be using the Entra ID Connect Sync account to access Azure resources under the guise of legitimate administrative activity. SOC teams should proactively hunt for this behavior as it could indicate unauthorized access or lateral movement by an attacker exploiting compromised credentials.
KQL Query
```kusto
BehaviorAnalytics
// User modification is expected from this account so focus on logons
| where ActivityType =~ "LogOn"
| where UserName startswith "Sync_" and UsersInsights.AccountDisplayName =~ "On-Premises Directory Synchronization Service Account"
// Filter out this expected activity
| where ActivityInsights.App !~ "Microsoft Azure Active Directory Connect"
| where InvestigationPriority > 0
| extend Name = split(UserPrincipalName, "@")[0], UPNSuffix = split(UserPrincipalName, "@")[1]
```
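To make the filter pipeline concrete, here is an added Python model of the query above (example code, not part of the rule and not Microsoft Sentinel's own code): it replays each `where` stage over a handful of constructed BehaviorAnalytics-style records and derives the `Name`/`UPNSuffix` entity columns the rule maps, then renders the alert title the `alertDisplayNameFormat` would produce. Field names follow the query; the sample UPNs, IP addresses, apps and priorities are made up, and the handling of a record whose `ActivityInsights.App` is missing (kept, so the anomaly is still reviewed) is this model's choice rather than a statement about Kusto's null semantics.

```python
"""Offline model of the 'Suspicious Sign In by Entra ID Connect Sync Account' query.

Added example, not from the original rule. Each stage below mirrors one line of
the KQL so an analyst can see which records survive to become alerts.
"""
from __future__ import annotations

from typing import Any

# Values taken from the query itself
SYNC_PREFIX = "sync_"
EXPECTED_DISPLAY_NAME = "On-Premises Directory Synchronization Service Account"
EXPECTED_APP = "Microsoft Azure Active Directory Connect"


def _ci_eq(value: Any, expected: str) -> bool:
    """KQL `=~`: case-insensitive string equality; None behaves like an empty string."""
    return str(value or "").lower() == expected.lower()


def suspicious_sync_logons(rows: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the records the KQL pipeline would emit, with Name/UPNSuffix added."""
    alerts: list[dict[str, Any]] = []
    for r in rows:
        # | where ActivityType =~ "LogOn"
        if not _ci_eq(r.get("ActivityType"), "LogOn"):
            continue
        # | where UserName startswith "Sync_" and UsersInsights.AccountDisplayName =~ "..."
        # (KQL startswith is case-insensitive, hence the lower())
        user = str(r.get("UserName") or "").lower()
        display = (r.get("UsersInsights") or {}).get("AccountDisplayName")
        if not (user.startswith(SYNC_PREFIX) and _ci_eq(display, EXPECTED_DISPLAY_NAME)):
            continue
        # | where ActivityInsights.App !~ "Microsoft Azure Active Directory Connect"
        # Model choice (assumption): a record with no App is kept rather than dropped.
        app = (r.get("ActivityInsights") or {}).get("App")
        if app is not None and _ci_eq(app, EXPECTED_APP):
            continue
        # | where InvestigationPriority > 0   (UEBA found nothing anomalous at 0)
        if (r.get("InvestigationPriority") or 0) <= 0:
            continue
        # | extend Name = split(UPN, "@")[0], UPNSuffix = split(UPN, "@")[1]
        upn = str(r.get("UserPrincipalName") or "")
        name, _, suffix = upn.partition("@")
        alert = dict(r)
        alert["Name"] = name
        alert["UPNSuffix"] = suffix
        alerts.append(alert)
    return alerts


def alert_title(alert: dict[str, Any]) -> str:
    """Render the rule's alertDisplayNameFormat for one emitted record."""
    return (f"Suspicious Sign In by AAD Connect Sync Account "
            f"{alert['UserPrincipalName']} from {alert['SourceIPAddress']}")


def _row(user: str, display: str, app: str | None, priority: int, ip: str,
         activity: str = "LogOn") -> dict[str, Any]:
    """Build one constructed BehaviorAnalytics-style record (sample data, not real telemetry)."""
    return {
        "ActivityType": activity,
        "UserName": user,
        "UserPrincipalName": f"{user}@contoso.onmicrosoft.com",
        "UsersInsights": {"AccountDisplayName": display},
        "ActivityInsights": {} if app is None else {"App": app},
        "InvestigationPriority": priority,
        "SourceIPAddress": ip,
    }


SYNC_USER = "Sync_CONTOSO-DC01_0a1b2c3d4e5f"  # constructed sync account name

# Constructed sample: only the 2nd and 6th records should survive the pipeline.
SAMPLE_ROWS = [
    _row(SYNC_USER, EXPECTED_DISPLAY_NAME, EXPECTED_APP, 0, "203.0.113.10"),          # normal sync engine logon
    _row(SYNC_USER, EXPECTED_DISPLAY_NAME.upper(), "Azure Portal", 7, "198.51.100.23"),  # portal logon, anomalous
    _row(SYNC_USER, EXPECTED_DISPLAY_NAME, "Azure Portal", 0, "198.51.100.23"),       # portal logon, no anomaly score
    _row("adm.jdoe", "Jane Doe (Admin)", "Azure Portal", 9, "198.51.100.44"),         # not the sync account
    _row(SYNC_USER, EXPECTED_DISPLAY_NAME, "Azure Portal", 4, "198.51.100.23", "UserModified"),  # not a logon
    _row(SYNC_USER, EXPECTED_DISPLAY_NAME, None, 3, "192.0.2.77"),                    # app unknown, kept
]

if __name__ == "__main__":
    for a in suspicious_sync_logons(SAMPLE_ROWS):
        print(alert_title(a), "| Name:", a["Name"], "| UPNSuffix:", a["UPNSuffix"])
```

Running the script shows why the `!~` exclusion carries the rule: the sync engine's own logons are the bulk of this account's activity and are dropped first, while a portal logon with a non-zero `InvestigationPriority` is the case the analyst is asked to review.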
```yaml
id: 2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6
name: Suspicious Sign In by Entra ID Connect Sync Account
description: |
  'This query looks for sign-ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous.
  This query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.
  A threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be
  reviewed to ensure that the log-in came from a legitimate source.'
severity: Medium
requiredDataConnectors:
  - connectorId: BehaviorAnalytics
    dataTypes:
      - BehaviorAnalytics
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - InitialAccess
relevantTechniques:
  - T1078.004
query: |
  BehaviorAnalytics
  // User modification is expected from this account so focus on logons
  | where ActivityType =~ "LogOn"
  | where UserName startswith "Sync_" and UsersInsights.AccountDisplayName =~ "On-Premises Directory Synchronization Service Account"
  // Filter out this expected activity
  | where ActivityInsights.App !~ "Microsoft Azure Active Directory Connect"
  | where InvestigationPriority > 0
  | extend Name = split(UserPrincipalName, "@")[0], UPNSuffix = split(UserPrincipalName, "@")[1]
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
      - identifier: Name
        columnName: Name
      - identifier: UPNSuffix
        columnName: UPNSuffix
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIPAddress
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DestinationDevice
alertDetailsOverride:
  alertDisplayNameFormat: Suspicious Sign In by AAD Connect Sync Account {{UserPrincipalName}} from {{SourceIPAddress}}
  alertDescriptionFormat: |
    This query looks for sign-ins by the Azure AD Connect Sync account to Azure where properties about the logon are anomalous.
    This query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.
    A threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be
    reviewed to ensure that the log-in came from a legitimate source.
    In this case {{UserPrincipalName}} logged in from {{SourceIPAddress}}.
version: 1.0.3
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Community
  support:
    tier: Community
  categories:
    domains: [ "Identity", "Security - Threat Protection" ]
```
| Sentinel Table | Notes |
|---|---|
| BehaviorAnalytics | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Sync Job Execution | The Entra ID Connect Sync account is used to run scheduled synchronization jobs that update user attributes or passwords. | `where ActivityDisplayName contains "Sync" or ActivityDisplayName contains "Password Sync"` |
| Admin Task to Reset Passwords via Connect Sync | An administrator may use the Connect Sync account to reset passwords for users via the Entra ID admin portal or PowerShell. | `where ActivityDisplayName contains "Password Reset" or UserAgent contains "Microsoft.Azure.ActiveDirectory.PasswordReset"` |
| Automated User Provisioning via Connect Sync | The Connect Sync account may be used to provision new users or update user attributes in Azure AD through automated scripts or tools like Azure AD Connect. | `where ActivityDisplayName contains "Provisioning" or UserAgent contains "AzureADConnect"` |
| System Maintenance or Health Check by Connect Sync | The Connect Sync account may perform system health checks or maintenance tasks that involve sign-ins to Azure AD. | `where ActivityDisplayName contains "Health Check" or UserAgent contains "System Maintenance"` |
| Integration with Third-Party Identity Providers | The Connect Sync account may interact with third-party identity providers (e.g., Okta, Ping Identity) to synchronize user identities, which can result in sign-ins that appear anomalous. | `where UserAgent contains "Okta" or UserAgent contains "PingIdentity"` |