Addition of a Temporary Access Pass to a Privileged Account
| Id | d7feb859-f03e-4e8d-8b21-617be0213b13 |
| Rulename | Addition of a Temporary Access Pass to a Privileged Account |
| Description | Detects when a Temporary Access Pass (TAP) is created for a Privileged Account. A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello. A threat actor could use a TAP to register a new authentication method to maintain persistance to an account. Review any TAP creations to ensure they were used legitimately. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts |
| Severity | High |
| Tactics | Persistence |
| Techniques | T1078.004 |
| Required data connectors | AzureActiveDirectory BehaviorAnalytics |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdditionofaTemporaryAccessPasstoaPrivilegedAccount.yaml |
| Version | 1.0.4 |
| Arm template | d7feb859-f03e-4e8d-8b21-617be0213b13.json |
let admin_users = (IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles contains "admin"
| summarize by tolower(AccountUPN));
AuditLogs
| where OperationName =~ "Admin registered security info"
| where ResultReason =~ "Admin registered temporary access pass method for user"
| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| where tolower(TargetUserPrincipalName) in (admin_users)
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
queryPeriod: 1d
triggerThreshold: 0
queryFrequency: 1d
id: d7feb859-f03e-4e8d-8b21-617be0213b13
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdditionofaTemporaryAccessPasstoaPrivilegedAccount.yaml
severity: High
metadata:
categories:
domains:
- Security - Threat Protection
- Identity
author:
name: Microsoft Security Research
support:
tier: Community
source:
kind: Community
entityMappings:
- entityType: Account
fieldMappings:
- columnName: TargetUserPrincipalName
identifier: FullName
- columnName: TargetAccountName
identifier: Name
- columnName: TargetAccountUPNSuffix
identifier: UPNSuffix
- entityType: Account
fieldMappings:
- columnName: InitiatingUserPrincipalName
identifier: FullName
- columnName: InitiatingAccountName
identifier: Name
- columnName: InitiatingAccountUPNSuffix
identifier: UPNSuffix
- entityType: Account
fieldMappings:
- columnName: TargetAadUserId
identifier: AadUserId
- entityType: Account
fieldMappings:
- columnName: InitiatingAadUserId
identifier: AadUserId
- entityType: IP
fieldMappings:
- columnName: InitiatingIPAddress
identifier: Address
relevantTechniques:
- T1078.004
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
- connectorId: BehaviorAnalytics
dataTypes:
- IdentityInfo
tags:
- AADSecOpsGuide
name: Addition of a Temporary Access Pass to a Privileged Account
query: |
let admin_users = (IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles contains "admin"
| summarize by tolower(AccountUPN));
AuditLogs
| where OperationName =~ "Admin registered security info"
| where ResultReason =~ "Admin registered temporary access pass method for user"
| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| where tolower(TargetUserPrincipalName) in (admin_users)
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
tactics:
- Persistence
triggerOperator: gt
kind: Scheduled
version: 1.0.4
description: |
'Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.
A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.
A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.
Review any TAP creations to ensure they were used legitimately.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d7feb859-f03e-4e8d-8b21-617be0213b13')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d7feb859-f03e-4e8d-8b21-617be0213b13')]",
"properties": {
"alertRuleTemplateName": "d7feb859-f03e-4e8d-8b21-617be0213b13",
"customDetails": null,
"description": "'Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\n Review any TAP creations to ensure they were used legitimately.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'\n",
"displayName": "Addition of a Temporary Access Pass to a Privileged Account",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "TargetAccountName",
"identifier": "Name"
},
{
"columnName": "TargetAccountUPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "InitiatingAccountName",
"identifier": "Name"
},
{
"columnName": "InitiatingAccountUPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetAadUserId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAadUserId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "InitiatingIPAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdditionofaTemporaryAccessPasstoaPrivilegedAccount.yaml",
"query": "let admin_users = (IdentityInfo\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | where AssignedRoles contains \"admin\"\n | summarize by tolower(AccountUPN));\n AuditLogs\n | where OperationName =~ \"Admin registered security info\"\n | where ResultReason =~ \"Admin registered temporary access pass method for user\"\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n | where tolower(TargetUserPrincipalName) in (admin_users)\n | extend TargetAadUserId = tostring(TargetResources[0].id)\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \"@\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \"@\")[1])\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \"@\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \"@\")[1])\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"subTechniques": [
"T1078.004"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"tags": [
"AADSecOpsGuide"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.4",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}