Technique ID | Title | Link |
---|---|---|
T1566 | Phishing | https://attack.mitre.org/techniques/T1566/ |
T1586.002 | Compromise Accounts: Email Accounts | https://attack.mitre.org/techniques/T1586/002/ |
By default, the Microsoft Defender for Identity sensor installed on a domain controller impersonates the LocalSystem account of that domain controller and performs the attack disruption actions on the targeted account. The queries below therefore look for account changes whose actor is a domain controller.
Use the query below to identify Active Directory accounts disabled by a domain controller.
- Automatic attack disruption in Microsoft 365 Defender
- Remediation actions in Microsoft Defender for Identity
- Automatically disrupt adversary-in-the-middle (AiTM) attacks with XDR
- How to protect against BEC & AiTM attacks via Microsoft 365 Defender | Automatic Attack Disruption
- How to use Automatic Attack Disruption in Microsoft 365 Defender BEC, AiTM & HumOR
Show disabled accounts where the actor was a domain controller - Active Directory logs
```kusto
// Build the list of domain controllers: devices that serve Kerberos (port 88).
// The short host name is lowercased so it compares cleanly with ACTOR.DEVICE below.
let AllDomainControllers =
    DeviceNetworkEvents
    | where TimeGenerated > ago(7d)
    | where LocalPort == 88
    | where LocalIPType == "FourToSixMapping"
    | extend DCDevicename = tolower(tostring(split(DeviceName, ".")[0]))
    | distinct DCDevicename;
// Account-disable events in Active Directory where the acting device is one of those DCs
IdentityDirectoryEvents
| where TimeGenerated > ago(190d)
| where ActionType == "Account disabled"
| extend ACTOR_DEVICE = tolower(tostring(AdditionalFields.["ACTOR.DEVICE"]))
| where isnotempty(ACTOR_DEVICE)
| where ACTOR_DEVICE in (AllDomainControllers)
| project TimeGenerated, TargetAccountDisplayName, ACTOR_DEVICE
```
When the account is synced to Entra ID, use the following query to see the corresponding activity in the Entra ID audit log.
```kusto
AuditLogs
| where OperationName == 'Disable account' // or OperationName == 'Update user'
| mv-expand TargetResources
| extend Actor_userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend Target_userPrincipalName = tostring(TargetResources.userPrincipalName)
// Keep only the modified property that records the new AccountEnabled value
| mv-apply Properties = TargetResources.modifiedProperties on (
    project Name = Properties.displayName, AccountEnabled = Properties.newValue
    | where Name == 'AccountEnabled'
)
// The 'Action Client Name' property identifies the client that issued the change
| mv-apply Action = TargetResources.modifiedProperties on (
    project Name = Action.displayName, ActionClientName = Action.newValue
    | where Name == 'Action Client Name'
)
| project TimeGenerated, OperationName, Actor_userPrincipalName, Target_userPrincipalName, AccountEnabled, ActionClientName
```
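An added example, not part of the original page, that combines the two queries above: each on-premises "Account disabled" event whose actor was a domain controller is matched with the corresponding Entra ID 'Disable account' audit entry, so accounts whose disable never reached the cloud, or took unusually long, stand out. It assumes TargetAccountUpn is populated in IdentityDirectoryEvents, and the 30-day lookback and 24-hour matching window are assumptions.

```kusto
// Domain controllers, identified the same way as in the first query
let AllDomainControllers =
    DeviceNetworkEvents
    | where TimeGenerated > ago(7d)
    | where LocalPort == 88
    | where LocalIPType == "FourToSixMapping"
    | extend DCDevicename = tolower(tostring(split(DeviceName, ".")[0]))
    | distinct DCDevicename;
// On-premises disables performed by a DC (assumed: TargetAccountUpn is populated)
let OnPremDisabled =
    IdentityDirectoryEvents
    | where TimeGenerated > ago(30d)
    | where ActionType == "Account disabled"
    | extend ACTOR_DEVICE = tolower(tostring(AdditionalFields.["ACTOR.DEVICE"]))
    | where ACTOR_DEVICE in (AllDomainControllers)
    | where isnotempty(TargetAccountUpn)
    | project OnPremTime = TimeGenerated, Upn = tolower(TargetAccountUpn), ACTOR_DEVICE;
// Entra ID disables, keyed on the target user principal name
let CloudDisabled =
    AuditLogs
    | where TimeGenerated > ago(30d)
    | where OperationName == "Disable account"
    | mv-expand TargetResources
    | project CloudTime = TimeGenerated, Upn = tolower(tostring(TargetResources.userPrincipalName));
OnPremDisabled
| join kind=leftouter CloudDisabled on Upn
// Only a cloud disable within 24h after the on-prem one counts as the synced copy (assumption)
| extend Matched = CloudTime between (OnPremTime .. (OnPremTime + 24h))
| summarize CloudTime = minif(CloudTime, Matched) by OnPremTime, Upn, ACTOR_DEVICE
| extend SyncedToEntra = isnotnull(CloudTime)
| extend SyncDelayMinutes = datetime_diff("minute", CloudTime, OnPremTime)
| project OnPremTime, Upn, ACTOR_DEVICE, SyncedToEntra, CloudTime, SyncDelayMinutes
| order by OnPremTime desc
```

Rows with SyncedToEntra == false are disables that have no matching Entra ID audit entry in the window and deserve a manual check of the account's cloud state.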
Get the remediation actions from Defender for Identity
```kusto
// Latest identity record per SID, used to resolve the SID of the remediated account
let Identities = (IdentityInfo
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by AccountSID
    | project AccountSID, AccountDisplayName, AccountName, AccountUPN);
CloudAppEvents
| extend WorkLoad = tostring(parse_json(RawEventData).Workload)
| where WorkLoad == "MicrosoftDefenderForIdentity" and ActionType == "RemediationActionAdded"
| extend ResultDescription = tostring(RawEventData.ResultDescription)
| extend ResultStatus = tostring(RawEventData.ResultStatus)
// The key=value details follow the "AddRemediationActionsAsync" marker in ResultDescription
| extend info = tostring(split(ResultDescription, "AddRemediationActionsAsync")[1])
| parse-kv info as (InitiatedByAccountAadUserId:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| parse-kv info as (ActionType:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| parse-kv info as (AccountSid:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| extend ActorName = tostring(ActivityObjects[0].Name)
| project TimeGenerated, InitiatedByAccountAadUserId, ActorName, ActionType, ResultStatus, AccountSid
| join kind=leftouter Identities on $left.AccountSid == $right.AccountSID
```