Techniques
Sample rules
Azure AD User Enabled And Password Reset
- source: splunk
- techniques:
  - T1098
Description
The following analytic detects an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. It uses Azure Active Directory events to identify this sequence of actions. This activity is significant because it may indicate an adversary with administrative access attempting to establish a backdoor identity within the Azure AD tenant. If confirmed malicious, this could allow the attacker to maintain persistent access, escalate privileges, and potentially exfiltrate sensitive information from the environment.
Detection logic
`azure_monitor_aad` (operationName="Enable account" OR operationName="Reset password (by admin)" OR operationName="Update user")
| transaction user startsWith=(operationName="Enable account") endsWith=(operationName="Reset password (by admin)") maxspan=2m
| rename properties.* as *
| rename initiatedBy.user.userPrincipalName as initiatedBy
| stats count min(_time) as firstTime max(_time) as lastTime values(operationName) as operationName values(initiatedBy) as initiatedBy by user, result
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_user_enabled_and_password_reset_filter`
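The pairing the `transaction ... maxspan=2m` line performs, reproduced outside Splunk as an added example (not part of the Splunk security content above): it groups constructed Azure AD audit events by the targeted user and reports an "Enable account" event followed by a "Reset password (by admin)" event within two minutes. The field names (activityDateTime, operationName, result, initiatedBy.user.userPrincipalName, targetResources[].userPrincipalName) are assumed to follow the Azure AD audit log schema; the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed Azure AD audit log field names: activityDateTime, operationName,
# result, initiatedBy.user.userPrincipalName, targetResources[].userPrincipalName.
MAX_SPAN = timedelta(minutes=2)  # the rule's maxspan=2m


def _event(ts, op, actor, target, result="success"):
    """Build a constructed audit event in the assumed schema (sample data only)."""
    return {"activityDateTime": ts, "operationName": op, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"userPrincipalName": target}]}


# Constructed sample events, not real tenant data. The first sequence should
# alert; the second pair is 30 minutes apart and falls outside maxspan.
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00Z", "Enable account", "admin@example.test", "svc-legacy@example.test"),
    _event("2024-05-01T10:00:30Z", "Update user", "admin@example.test", "svc-legacy@example.test"),
    _event("2024-05-01T10:01:10Z", "Reset password (by admin)", "admin@example.test", "svc-legacy@example.test"),
    _event("2024-05-01T11:00:00Z", "Enable account", "helpdesk@example.test", "alice@example.test"),
    _event("2024-05-01T11:30:00Z", "Reset password (by admin)", "helpdesk@example.test", "alice@example.test"),
]


def _ts(event):
    return datetime.strptime(event["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_enable_then_reset(events, max_span=MAX_SPAN):
    """Mirror the SPL transaction: for each target user, pair an "Enable account"
    event with the next "Reset password (by admin)" event within max_span."""
    findings = []
    open_enables = {}  # target user -> most recent unmatched "Enable account"
    for ev in sorted(events, key=_ts):
        user = ev["targetResources"][0]["userPrincipalName"]
        actor = ev["initiatedBy"]["user"]["userPrincipalName"]
        if ev["operationName"] == "Enable account":
            open_enables[user] = ev  # a newer enable restarts the window
        elif ev["operationName"] == "Reset password (by admin)":
            start = open_enables.pop(user, None)
            if start is not None and _ts(ev) - _ts(start) <= max_span:
                findings.append({
                    "user": user,
                    "firstTime": start["activityDateTime"],
                    "lastTime": ev["activityDateTime"],
                    "initiatedBy": sorted({start["initiatedBy"]["user"]["userPrincipalName"], actor}),
                    "result": ev["result"],
                })
    return findings
```

Intermediate "Update user" events are ignored here rather than collected into the transaction as the SPL's `values(operationName)` would, which keeps the focus on the enable-then-reset pairing that makes the sequence suspicious.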