From b2525965b7e72f9628361b4034078569797d7019 Mon Sep 17 00:00:00 2001
From: setprice2245 <44929995+setprice2245@users.noreply.github.com>
Date: Tue, 19 Jan 2021 11:18:42 -0500
Subject: [PATCH 1/2] Create AccountAddedtoPrivilegedPIMGroup
---
 .../AccountAddedtoPrivilegedPIMGroup | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup
diff --git a/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup b/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup
new file mode 100644
index 0000000000..5d4a651361
--- /dev/null
+++ b/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup
@@ -0,0 +1,29 @@
+name: AccountAddedtoPrivilegedPIMGroup
+description: |
+ 'Identifies accounts that have been added to a PIM managed privileged group'
+requiredDataConnectors:
+ - connectorId: Azure Active Directory
+ dataTypes:
+ - AuditLogs
+tactics:
+ - Persistence
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1098
+ - T1548
+query: |
+AuditLogs
+| where TimeGenerated > ago(1d)
+| where ActivityDisplayName =~ "Add eligible member to role in PIM requested (timebound)"
+| where AADOperationType =~ "CreateRequestEligibleRole"
+| where TargetResources contains "-PRIV"
+or TargetResources contains "Administrator"
+or TargetResources contains "Security"
+| extend BuiltinGroup= tostring(parse_json(TargetResources[0].displayName))
+| extend CustomGroup= tostring(parse_json(TargetResources[3].displayName))
+| extend TargetAccount_ = tostring(parse_json(TargetResources[2].displayName))
+| extend Initiatedby = tostring(parse_json(Identity))
+| project TimeGenerated,Initiatedby,TargetAccount_,BuiltinGroup,CustomGroup,ActivityDisplayName
+| sort by TimeGenerated desc
+
+
From 97f57087e2b800c4cff56fdf7bcf143f6bb148f2 Mon Sep 17 00:00:00 2001
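Review bot: The three `extend` lines in this hunk read TargetResources by fixed position ([0], [3], [2]) with no check that the array has that many entries or that each slot holds the object the column name implies, so an event whose TargetResources is shorter or ordered differently yields empty or mislabelled BuiltinGroup/CustomGroup/TargetAccount_ values. The same positional reads survive unchanged in the AccountAddedtoPrivilegedPIMGroup.yaml hunk of the second patch, whose message notes that mv-expand was tried and set aside. At minimum the assumption should be recorded in the query itself, e.g. `// Positions in TargetResources assumed: [0] role, [2] target account, [3] group - verified against sample events; revisit if the event schema changes`; selecting entries by their `type` field rather than by index would make the columns robust to ordering, if the project wants to go further.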
From: Shain <45466083+shainw@users.noreply.github.com>
Date: Sun, 21 Nov 2021 11:46:45 -0800
Subject: [PATCH 2/2] Update and rename AccountAddedtoPrivilegedPIMGroup to AccountAddedtoPrivilegedPIMGroup.yaml Added id: GUID Fixed name Removed timeframe per new hunting query submission guidelines. Replace contains with has_any - confirmed it matches properly thru testing. The recommendation of mv-expand usage created more challenges with showing the data properly, so used what was already included as it made more sense from a results perspective. Cleaned them up a bit. Added in entity mappings.
---
 .../AccountAddedtoPrivilegedPIMGroup | 29 ---------------
 .../AccountAddedtoPrivilegedPIMGroup.yaml | 36 +++++++++++++++++++
 2 files changed, 36 insertions(+), 29 deletions(-)
 delete mode 100644 Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup
 create mode 100644 Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup.yaml
diff --git a/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup b/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup
deleted file mode 100644
index 5d4a651361..0000000000
--- a/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup
+++ /dev/null
@@ -1,29 +0,0 @@
-name: AccountAddedtoPrivilegedPIMGroup
-description: |
- 'Identifies accounts that have been added to a PIM managed privileged group'
-requiredDataConnectors:
- - connectorId: Azure Active Directory
- dataTypes:
- - AuditLogs
-tactics:
- - Persistence
- - PrivilegeEscalation
-relevantTechniques:
- - T1098
- - T1548
-query: |
-AuditLogs
-| where TimeGenerated > ago(1d)
-| where ActivityDisplayName =~ "Add eligible member to role in PIM requested (timebound)"
-| where AADOperationType =~ "CreateRequestEligibleRole"
-| where TargetResources contains "-PRIV"
-or TargetResources contains "Administrator"
-or TargetResources contains "Security"
-| extend BuiltinGroup= tostring(parse_json(TargetResources[0].displayName))
-| extend CustomGroup= tostring(parse_json(TargetResources[3].displayName))
-| extend TargetAccount_ = tostring(parse_json(TargetResources[2].displayName))
-| extend Initiatedby = tostring(parse_json(Identity))
-| project TimeGenerated,Initiatedby,TargetAccount_,BuiltinGroup,CustomGroup,ActivityDisplayName
-| sort by TimeGenerated desc
-
-
diff --git a/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup.yaml b/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup.yaml
new file mode 100644
index 0000000000..d5a96e1ae0
--- /dev/null
+++ b/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup.yaml
@@ -0,0 +1,36 @@
+id: 67ca982d-9d61-48cb-a409-acf029ed7311
+name: Account Added to Privileged PIM Group
+description: |
+ 'Identifies accounts that have been added to a PIM managed privileged group'
+requiredDataConnectors:
+ - connectorId: Azure Active Directory
+ dataTypes:
+ - AuditLogs
+tactics:
+ - Persistence
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1098
+ - T1548
+query: |
+ AuditLogs
+ | where ActivityDisplayName =~ "Add eligible member to role in PIM requested (timebound)"
+ | where AADOperationType =~ "CreateRequestEligibleRole"
+ | where TargetResources has_any ("-PRIV", "Administrator", "Security")
+ | extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))
+ | extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))
+ | extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))
+ | extend Initiatedby = Identity
+ | project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id
+ | sort by TimeGenerated desc
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: Initiatedby
+ - identifier: FullName
+ columnName: TargetAccount
+ - entityType: Azure resource
+ fieldMappings:
+ - identifier: ResourceId
+ columnName: ResourceId
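Review bot: The description states that accounts "have been added", but the event selected by the two `where` filters (`Add eligible member to role in PIM requested (timebound)` with `CreateRequestEligibleRole`) is a request for an eligible assignment, and `Result` is projected but never filtered, so denied or failed requests surface next to approved ones. Either reword the description, e.g. `'Identifies requests to make an account eligible for a PIM managed privileged role or group; use the Result column to separate approved requests from failed or denied ones'`, or add a `| where Result =~ "success"` step if only completed requests are wanted, checking the exact Result values against live AuditLogs first. Separately, `entityType: Azure resource` does not match the `AzureResource` spelling the Sentinel template schema uses for this entity; worth confirming the repo's YAML validation accepts the spaced form before merge. The `parse_json(...)` wrappers around `TargetResources[n].displayName` are also redundant, since TargetResources is already a dynamic column, so `tostring(TargetResources[0].displayName)` reads more plainly.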