Sentinel hunting queries for users logging in to AzureAD or Exchange Online PowerShell

Author: Jonathan Devere-Ellery

Here are a couple of quick queries I wrote to find non-admin accounts attempting to log in to AzureAD or Exchange Online PowerShell, which could be an indication of a compromised account.

```yaml
name: Find all sign-ins to the Azure Active Directory PowerShell app where the UPN does not contain onmicrosoft.com domain
description: |
  'All administrator accounts are cloud-only and have UPNs with onmicrosoft.com, so any other logins on Remote
  PowerShell are likely coming from a non-admin. These logins could be an indication of an attacker doing
  reconnaissance, exfiltration or persistence techniques.'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
    SigninLogs
    | where AppId == "1b730954-1685-4b74-9bfd-dac224a7b894" // AppDisplayName IS Azure Active Directory PowerShell
    | where UserPrincipalName !contains "onmicrosoft.com"
    | project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, Status
```
AAD App Hunting
```yaml
name: Find all sign-ins to the Exchange Online PowerShell app(s) where the UPN does not contain onmicrosoft.com domain
description: |
  'All administrator accounts are cloud-only and have UPNs with onmicrosoft.com, so any other logins on Remote
  PowerShell are likely coming from a non-admin. These logins could be an indication of an attacker doing
  reconnaissance, exfiltration or persistence techniques.'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
    SigninLogs
    | where AppId in~ (
            "fb78d390-0c51-40cd-8e17-fdbfab77341b", // AppDisplayName IS Microsoft Exchange REST API Based Powershell
            "a0c73c16-a7e3-4564-9a95-2bdf47383716") // AppDisplayName IS EXO Remote PowerShell
    | where UserPrincipalName !contains "onmicrosoft.com"
    | project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, Status
```
EXO App Hunting
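To show what the two hunts above select, here is an added Python example (not code from the original post) that replays the same AppId and UPN filters over constructed SigninLogs rows; the app IDs are the ones from the queries, while the users, addresses and times are made up.

```python
import json

# Application IDs from the two hunting queries above.
AAD_POWERSHELL_APP_ID = "1b730954-1685-4b74-9bfd-dac224a7b894"
EXO_APP_IDS = frozenset({
    "fb78d390-0c51-40cd-8e17-fdbfab77341b",  # Microsoft Exchange REST API Based Powershell
    "a0c73c16-a7e3-4564-9a95-2bdf47383716",  # EXO Remote PowerShell
})
ADMIN_UPN_MARKER = "onmicrosoft.com"
PROJECTED_COLUMNS = ("TimeGenerated", "UserPrincipalName", "IPAddress", "Location", "AppDisplayName", "Status")

# Constructed sample SigninLogs rows (hypothetical users, addresses and times; not real tenant data).
SAMPLE_SIGNIN_LOGS = json.dumps([
    {"TimeGenerated": "2023-01-01T08:00:00Z", "UserPrincipalName": "admin@contoso.onmicrosoft.com", "IPAddress": "203.0.113.10",
     "Location": "GB", "AppId": AAD_POWERSHELL_APP_ID, "AppDisplayName": "Azure Active Directory PowerShell", "Status": {"errorCode": 0}},
    {"TimeGenerated": "2023-01-01T08:05:00Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "198.51.100.7",
     "Location": "US", "AppId": AAD_POWERSHELL_APP_ID, "AppDisplayName": "Azure Active Directory PowerShell", "Status": {"errorCode": 0}},
    # Upper-case AppId: KQL in~ is case-insensitive, so this row must still match the EXO hunt.
    {"TimeGenerated": "2023-01-01T08:10:00Z", "UserPrincipalName": "bob@contoso.com", "IPAddress": "198.51.100.8",
     "Location": "US", "AppId": "A0C73C16-A7E3-4564-9A95-2BDF47383716", "AppDisplayName": "EXO Remote PowerShell", "Status": {"errorCode": 50126}},
    # Mixed-case UPN: KQL !contains is case-insensitive, so this admin row must be excluded.
    {"TimeGenerated": "2023-01-01T08:15:00Z", "UserPrincipalName": "svc@Contoso.OnMicrosoft.com", "IPAddress": "203.0.113.11",
     "Location": "GB", "AppId": "fb78d390-0c51-40cd-8e17-fdbfab77341b", "AppDisplayName": "Microsoft Exchange REST API Based Powershell", "Status": {"errorCode": 0}},
    # Placeholder AppId for an unrelated application: neither hunt should report it.
    {"TimeGenerated": "2023-01-01T08:20:00Z", "UserPrincipalName": "carol@contoso.com", "IPAddress": "198.51.100.9",
     "Location": "US", "AppId": "00000000-0000-0000-0000-000000000000", "AppDisplayName": "Unrelated App", "Status": {"errorCode": 0}},
])


def hunt_powershell_signins(rows, app_ids):
    """Replay the KQL filter: AppId in~ (app_ids) and UserPrincipalName !contains "onmicrosoft.com".
    Both KQL operators are case-insensitive, so both sides are lower-cased before comparing."""
    wanted = {app_id.lower() for app_id in app_ids}
    hits = []
    for row in rows:
        if str(row.get("AppId", "")).lower() not in wanted:
            continue
        if ADMIN_UPN_MARKER in str(row.get("UserPrincipalName", "")).lower():
            continue
        hits.append({col: row.get(col) for col in PROJECTED_COLUMNS})  # same columns as the KQL project
    return hits


def run_both_hunts(raw_json=SAMPLE_SIGNIN_LOGS):
    """Run the AAD PowerShell hunt and the EXO PowerShell hunt over SigninLogs exported as JSON."""
    rows = json.loads(raw_json)
    return {"aad": hunt_powershell_signins(rows, {AAD_POWERSHELL_APP_ID}),
            "exo": hunt_powershell_signins(rows, EXO_APP_IDS)}
```

Note that neither query filters on Status, so failed sign-ins (such as the constructed row with errorCode 50126) are reported alongside successful ones, which is useful when hunting for password spraying against the same app IDs.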