Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Addition of a Temporary Access Pass to a Privileged Account

Back
Idd7feb859-f03e-4e8d-8b21-617be0213b13
RulenameAddition of a Temporary Access Pass to a Privileged Account
DescriptionDetects when a Temporary Access Pass (TAP) is created for a Privileged Account.

A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.

A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.

Review any TAP creations to ensure they were used legitimately.

Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
SeverityHigh
TacticsPersistence
TechniquesT1078.004
Required data connectorsAzureActiveDirectory
BehaviorAnalytics
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdditionofaTemporaryAccessPasstoaPrivilegedAccount.yaml
Version1.0.4
Arm templated7feb859-f03e-4e8d-8b21-617be0213b13.json
Deploy To Azure
let admin_users = (IdentityInfo
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
  AuditLogs
  | where OperationName =~ "Admin registered security info"
  | where ResultReason =~ "Admin registered temporary access pass method for user"
  | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
  | where tolower(TargetUserPrincipalName) in (admin_users)
  | extend TargetAadUserId = tostring(TargetResources[0].id)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  | extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
query: |
  let admin_users = (IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where AssignedRoles contains "admin"
    | summarize by tolower(AccountUPN));
    AuditLogs
    | where OperationName =~ "Admin registered security info"
    | where ResultReason =~ "Admin registered temporary access pass method for user"
    | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
    | where tolower(TargetUserPrincipalName) in (admin_users)
    | extend TargetAadUserId = tostring(TargetResources[0].id)
    | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
    | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
    | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
    | extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
    | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdditionofaTemporaryAccessPasstoaPrivilegedAccount.yaml
description: |
  'Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.
    A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.
    A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.
    Review any TAP creations to ensure they were used legitimately.
    Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'  
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Threat Protection
    - Identity
  author:
    name: Microsoft Security Research
  source:
    kind: Community
queryPeriod: 1d
triggerOperator: gt
tags:
- AADSecOpsGuide
queryFrequency: 1d
version: 1.0.4
id: d7feb859-f03e-4e8d-8b21-617be0213b13
tactics:
- Persistence
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: TargetUserPrincipalName
  - identifier: Name
    columnName: TargetAccountName
  - identifier: UPNSuffix
    columnName: TargetAccountUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: InitiatingUserPrincipalName
  - identifier: Name
    columnName: InitiatingAccountName
  - identifier: UPNSuffix
    columnName: InitiatingAccountUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: AadUserId
    columnName: TargetAadUserId
  entityType: Account
- fieldMappings:
  - identifier: AadUserId
    columnName: InitiatingAadUserId
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: InitiatingIPAddress
  entityType: IP
requiredDataConnectors:
- dataTypes:
  - AuditLogs
  connectorId: AzureActiveDirectory
- dataTypes:
  - IdentityInfo
  connectorId: BehaviorAnalytics
name: Addition of a Temporary Access Pass to a Privileged Account
severity: High
kind: Scheduled
triggerThreshold: 0
relevantTechniques:
- T1078.004
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d7feb859-f03e-4e8d-8b21-617be0213b13')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d7feb859-f03e-4e8d-8b21-617be0213b13')]",
      "properties": {
        "alertRuleTemplateName": "d7feb859-f03e-4e8d-8b21-617be0213b13",
        "customDetails": null,
        "description": "'Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\n  A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\n  A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\n  Review any TAP creations to ensure they were used legitimately.\n  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'\n",
        "displayName": "Addition of a Temporary Access Pass to a Privileged Account",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetUserPrincipalName",
                "identifier": "FullName"
              },
              {
                "columnName": "TargetAccountName",
                "identifier": "Name"
              },
              {
                "columnName": "TargetAccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "InitiatingUserPrincipalName",
                "identifier": "FullName"
              },
              {
                "columnName": "InitiatingAccountName",
                "identifier": "Name"
              },
              {
                "columnName": "InitiatingAccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetAadUserId",
                "identifier": "AadUserId"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "InitiatingAadUserId",
                "identifier": "AadUserId"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "InitiatingIPAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdditionofaTemporaryAccessPasstoaPrivilegedAccount.yaml",
        "query": "let admin_users = (IdentityInfo\n  | summarize arg_max(TimeGenerated, *) by AccountUPN\n  | where AssignedRoles contains \"admin\"\n  | summarize by tolower(AccountUPN));\n  AuditLogs\n  | where OperationName =~ \"Admin registered security info\"\n  | where ResultReason =~ \"Admin registered temporary access pass method for user\"\n  | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n  | where tolower(TargetUserPrincipalName) in (admin_users)\n  | extend TargetAadUserId = tostring(TargetResources[0].id)\n  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\n  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\n  | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \"@\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \"@\")[1])\n  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \"@\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \"@\")[1])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [
          "T1078.004"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "tags": [
          "AADSecOpsGuide"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}