AZT201.1 - User Account

By obtaining valid user credentials, an adversary may login to AzureAD via command line or through the Azure Portal.

Resource

Azure Active Directory

Actions

N/A

Examples

Az PowerShell (Secret)Azure CLI

Connect-AzAccount

az login -u <username> -p <password>

Detections

Logs

Data Source	Application	Resource	Log Location
Azure Active Directory	Azure Portal	Windows Azure Service Management API	Sign-in Logs
Azure Active Directory	Microsoft Azure PowerShell	Windows Azure Service Management API	Sign-in Logs

Queries

Log Analytics

SigninLogs|where Status =="{\"errorCode\":0}" and ResourceDisplayName=="Windows Azure Service Management API"

Detection Screenshots

Portal Sign-inPowerShell Sign-in

Additional Resources

• https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins