Sentinel hunting queries for users logging in to AzureAD or Exchange Online PowerShell
Author: Jonathan Devere-Ellery
Here are a couple of quick queries I wrote to search for non-admin accounts attempting to log in to AzureAD or Exchange Online PowerShell; such sign-ins could be an indication of a compromised account.
```yaml
name: Find all sign-ins to the Azure Active Directory PowerShell app where the UPN does not contain onmicrosoft.com domain
description: |
  'All administrator accounts are cloud-only and have UPNs with onmicrosoft.com, so any other logins on Remote
  PowerShell are likely coming from a non-admin. These logins could be an indication of an attacker doing
  reconnaissance, exfiltration or persistence techniques.'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  SigninLogs
  | where AppId == "1b730954-1685-4b74-9bfd-dac224a7b894"
  | where UserPrincipalName !contains "onmicrosoft.com"
  | project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, Status
```
```yaml
name: Find all sign-ins to the Exchange Online PowerShell app(s) where the UPN does not contain onmicrosoft.com domain
description: |
  'All administrator accounts are cloud-only and have UPNs with onmicrosoft.com, so any other logins on Remote
  PowerShell are likely coming from a non-admin. These logins could be an indication of an attacker doing
  reconnaissance, exfiltration or persistence techniques.'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  SigninLogs
  | where AppId in~ (
      "fb78d390-0c51-40cd-8e17-fdbfab77341b", // AppDisplayName IS Microsoft Exchange REST API Based Powershell
      "a0c73c16-a7e3-4564-9a95-2bdf47383716") // AppDisplayName IS EXO Remote PowerShell
  | where UserPrincipalName !contains "onmicrosoft.com"
  | project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, Status
```
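To test the logic of both queries offline before deploying them, here is an added Python re-implementation (not part of the original post and not Sentinel code) that runs the same AppId and UPN filter over constructed SigninLogs-shaped rows. It also shows a stricter variant: KQL `!contains` is a substring test, so a UPN whose domain merely contains `onmicrosoft.com` would be treated as admin and dropped; the strict rule only accepts a domain part ending in `.onmicrosoft.com`. The record shape and sample rows are simplified assumptions.

```python
from typing import Iterable

# App IDs exactly as they appear in the two queries on this page.
AAD_POWERSHELL_APPID = "1b730954-1685-4b74-9bfd-dac224a7b894"
EXO_POWERSHELL_APPIDS = {
    "fb78d390-0c51-40cd-8e17-fdbfab77341b",  # Microsoft Exchange REST API Based Powershell
    "a0c73c16-a7e3-4564-9a95-2bdf47383716",  # EXO Remote PowerShell
}
WATCHED_APPIDS = {AAD_POWERSHELL_APPID, *EXO_POWERSHELL_APPIDS}
PROJECTED = ("TimeGenerated", "UserPrincipalName", "IPAddress",
             "Location", "AppDisplayName", "Status")

def is_admin_upn_substring(upn: str) -> bool:
    """The page's rule: KQL `!contains` is a case-insensitive substring test."""
    return "onmicrosoft.com" in upn.lower()

def is_admin_upn_strict(upn: str) -> bool:
    """Stricter variant: only the domain part of the UPN is examined and it must
    end with .onmicrosoft.com, so a look-alike domain is not mistaken for admin."""
    _, sep, domain = upn.rpartition("@")
    return bool(sep) and domain.lower().endswith(".onmicrosoft.com")

def hunt(records: Iterable[dict], strict: bool = False) -> list[dict]:
    """Re-implements `where AppId in (...) | where UPN !contains ... | project`."""
    is_admin = is_admin_upn_strict if strict else is_admin_upn_substring
    return [
        {k: r[k] for k in PROJECTED}
        for r in records
        # GUIDs are compared lower-cased, matching KQL's case-insensitive in~
        if r["AppId"].lower() in WATCHED_APPIDS
        and not is_admin(r["UserPrincipalName"])
    ]

def _row(upn, app_id, app_name, ip):
    """Build a constructed SigninLogs-shaped record (sample data, not real logs)."""
    return {"TimeGenerated": "2021-01-01T10:00:00Z", "AppId": app_id,
            "UserPrincipalName": upn, "IPAddress": ip, "Location": "GB",
            "AppDisplayName": app_name, "Status": {"errorCode": 0}}

SAMPLE_SIGNINS = [
    _row("admin@contoso.onmicrosoft.com", AAD_POWERSHELL_APPID, "Azure Active Directory PowerShell", "203.0.113.10"),
    _row("alice@contoso.com", "a0c73c16-a7e3-4564-9a95-2bdf47383716", "EXO Remote PowerShell", "198.51.100.7"),
    _row("bob@contoso.com", "00000000-0000-0000-0000-000000000000", "Some other app (placeholder id)", "198.51.100.8"),
    _row("eve@contoso-onmicrosoft.com", "fb78d390-0c51-40cd-8e17-fdbfab77341b", "Microsoft Exchange REST API Based Powershell", "192.0.2.5"),
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_SIGNINS, strict=True):
        print(row["UserPrincipalName"], row["AppDisplayName"], row["IPAddress"])
```

With the page's substring rule only `alice@contoso.com` is returned; the strict rule additionally surfaces the look-alike `eve@contoso-onmicrosoft.com` sign-in.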