legitimate it administrators commonly use the azure cli for managing user accounts. filter alerts to exclude approved administrative or automated user management activities.

Techniques

Sample rules

Windows Entra User Management Via Azure CLI

source: splunk
technicques:
- T1136
- T1078.004
- T1098

Description

This analytic detects the usage of the Azure CLI to interact with user accounts such as creating or deleting a user. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected. While legitimate administrative use is expected, anomalous execution patterns, unexpected users, or unusual parent processes should be treated as potential indicators of compromise and investigated promptly.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

Processes.process IN (
    "*az.cmd*",
    "*azure.cli*"
)
Processes.process="*ad *"
Processes.process="* user*"

by Processes.process Processes.vendor_product Processes.user_id
   Processes.process_hash Processes.parent_process_name
   Processes.parent_process_exec Processes.action Processes.dest
   Processes.process_current_directory Processes.process_path
   Processes.process_integrity_level Processes.original_file_name
   Processes.parent_process Processes.parent_process_path
   Processes.parent_process_guid Processes.parent_process_id
   Processes.process_guid Processes.process_id
   Processes.user Processes.process_name


| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_entra_user_management_via_azure_cli_filter`