T1078.002 Domain Accounts Mappings

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. (Citation: Microsoft AD Accounts)

Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.

Azure Mappings

Capability ID: azure_ad_identity_protection
Capability Description: Azure AD Identity Protection
Mapping Type: technique_scores
ATT&CK ID: T1078.002
ATT&CK Name: Domain Accounts
Notes: When Azure Active Directory (AAD) Federation is configured for a tenant, an adversary that compromises a domain credential can use it to access (Azure) cloud resources. Identity Protection supports applying its risk detections (e.g. Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties) to federated identities, thereby providing detection coverage for this risk. Because this detection is specific to an adversary using valid domain credentials to access cloud resources and does not mitigate the use of valid domain credentials to access on-premises resources, this detection has been scored as Partial. The temporal factor of this control's detection is low because, although there are some real-time detections, most are offline detections (multi-day).

Capability ID: azure_ad_identity_protection
Capability Description: Azure AD Identity Protection
Mapping Type: technique_scores
ATT&CK ID: T1078.002
ATT&CK Name: Domain Accounts
Notes: Response Type: Containment. Supports risk detection responses such as blocking a user's access and enforcing MFA. These responses contain the impact of this sub-technique but do not eradicate it (by forcing a password reset).
Capability ID: azure_sentinel
Capability Description: Azure Sentinel
Mapping Type: technique_scores
ATT&CK ID: T1078.002
ATT&CK Name: Domain Accounts
Notes: The following Azure Sentinel Hunting queries can identify potential compromise of domain accounts based on access attempts and/or account usage: "Suspicious Windows Login outside normal hours", "User account added or removed from security group by an unauthorized user", "User Account added to Built in Domain Local or Global Group", "User Login IP Address Teleportation", "User made Owner of multiple teams", "Tracking Privileged Account Rare Activity", "New Admin account activity which was not seen historically", "New client running queries", "New users running queries", "Non-owner mailbox login activity", "Powershell or non-browser mailbox login activity", "Rare User Agent strings", "Same IP address with multiple csUserAgent" (which may indicate that an account is being used from a new device), "Rare domains seen in Cloud Logs" (when accounts from uncommon domains access or attempt to access cloud resources), "Same User - Successful logon for a given App and failure on another App within 1m and low distribution", "Hosts with new logons", "Inactive or new account signins", "Long lookback User Account Created and Deleted within 10mins", "Anomalous Geo Location Logon", and "Anomalous Sign-in Activity".

The following Azure Sentinel Analytics queries can identify potential compromise of domain accounts based on access attempts and/or account usage: "Anomalous User Agent connection attempt", "New UserAgent observed in last 24 hours" (which may indicate that an account is being used from a new device), "Anomalous sign-in location by user account and authenticating application", "Anomalous login followed by Teams action", "GitHub Signin Burst from Multiple Locations", "Sign-ins from IPs that attempt sign-ins to disabled accounts", "Failed Host logons but success logon to AzureAD", and "Anomalous RDP Login Detections".
Capability ID: cloud_app_security_policies
Capability Description: Cloud App Security Policies
Mapping Type: technique_scores
ATT&CK ID: T1078.002
ATT&CK Name: Domain Accounts
Notes: This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. Relevant alerts include "Activity from anonymous IP address", "Activity from infrequent country", "Activity from suspicious IP address", "Impossible Travel", and "Activity performed by terminated user".
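Several of the detections listed above (the Sentinel "User Login IP Address Teleportation" and "Anomalous Geo Location Logon" hunts, and the Cloud App Security "Impossible Travel" alert) rest on the same idea: two sign-ins by one account from places that are too far apart for the time between them. The following Python is an added illustration of that logic, not Microsoft's query or alert code. It assumes sign-in records already carry a geo-resolved latitude/longitude (in practice derived from the source IP), uses field names loosely modelled on SigninLogs, and treats any implied travel speed above 900 km/h as implausible; the sample records and coordinates are constructed for the example.

```python
import json
import math
from datetime import datetime, timezone

# Constructed sample of sign-in records (JSON lines), loosely modelled on
# the fields a Sentinel SigninLogs export carries. Users, times and
# coordinates are made up for this example.
SAMPLE_SIGNINS = """
{"UserPrincipalName": "alice@example.com", "TimeGenerated": "2024-01-15T08:00:00Z", "Latitude": 47.6062, "Longitude": -122.3321, "City": "Seattle"}
{"UserPrincipalName": "alice@example.com", "TimeGenerated": "2024-01-15T08:30:00Z", "Latitude": -33.8688, "Longitude": 151.2093, "City": "Sydney"}
{"UserPrincipalName": "alice@example.com", "TimeGenerated": "2024-01-15T12:00:00Z", "Latitude": -33.8688, "Longitude": 151.2093, "City": "Sydney"}
{"UserPrincipalName": "bob@example.com", "TimeGenerated": "2024-01-15T09:00:00Z", "Latitude": 51.5074, "Longitude": -0.1278, "City": "London"}
{"UserPrincipalName": "bob@example.com", "TimeGenerated": "2024-01-15T18:00:00Z", "Latitude": 40.7128, "Longitude": -74.0060, "City": "New York"}
{"UserPrincipalName": "carol@example.com", "TimeGenerated": "2024-01-15T10:00:00Z", "Latitude": 48.8566, "Longitude": 2.3522, "City": "Paris"}
"""

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: faster than an airliner is treated as impossible travel.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_signins(text):
    """Parse JSON-lines sign-in records and attach a timezone-aware timestamp."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def find_impossible_travel(records, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds the threshold."""
    by_user = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_user.setdefault(rec["UserPrincipalName"], []).append(rec)

    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            dist_km = haversine_km(prev["Latitude"], prev["Longitude"], cur["Latitude"], cur["Longitude"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            if hours <= 0:
                # Identical timestamps: a different location cannot be explained,
                # the same location is harmless. Avoids a division by zero.
                speed = math.inf if dist_km > 1.0 else 0.0
            else:
                speed = dist_km / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": prev["City"],
                    "to": cur["City"],
                    "distance_km": round(dist_km, 1),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(parse_signins(SAMPLE_SIGNINS)):
        print(alert)
```

Run against the constructed sample, only alice is flagged (Seattle to Sydney in 30 minutes); bob's London to New York sign-ins nine hours apart fall under the threshold, so a tuning choice like the 900 km/h cut-off decides how much VPN and travel noise the rule tolerates.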
Capability ID: azure_ad_identity_secure_score
Capability Description: Azure AD Identity Secure Score
Mapping Type: technique_scores
ATT&CK ID: T1078.002
ATT&CK Name: Domain Accounts
Notes: This control's "Remove dormant accounts from sensitive groups" recommendation advises reviewing dormant (domain) accounts in sensitive groups via an assessment report that identifies sensitive accounts that are dormant. Because these are recommendations that do not actually enforce the protections, and because they are limited to sensitive accounts, the assessed score is Minimal.