
AZT501.1 - Account Manipulation: User Account Manipulation

An adversary may manipulate a user account to maintain access in an Azure tenant.

Resource

Azure Active Directory

Actions

  • microsoft.directory/users/password/update
  • microsoft.directory/users/enable
  • microsoft.directory/users/restore

Examples

Detections

Logs

| Data Source | Operation Name | Action | Log Provider |
|---|---|---|---|
| Azure Active Directory | Reset password | microsoft.directory/users/password/update | AuditLogs |
| Azure Active Directory | Enable account | microsoft.directory/users/enable | AuditLogs |
| Azure Active Directory | Update user | microsoft.directory/users/password/update | AuditLogs |

Queries

Platform: Log Analytics

```kusto
AuditLogs
| where OperationName == 'Reset user password' or OperationName == 'Enable account' or OperationName == 'Update user'
```
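One way to triage what the query above returns, as an added example that is not part of the original page or the project it belongs to: it keeps successful events for the page's three operation names and flags an initiator who performs two or more distinct ones against the same target account within a time window. The 30-minute window, the two-operation rule, the helper names and all sample users are assumptions; rows are assumed to be AuditLogs results exported as JSON.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names taken from the page's Log Analytics query.
WATCHED = {"Reset user password", "Enable account", "Update user"}

def _row(ts, op, initiator, target, result="success"):
    """Build one constructed row using AuditLogs column names (hypothetical helper)."""
    return {"TimeGenerated": ts, "OperationName": op, "Result": result,
            "InitiatedBy": {"user": {"userPrincipalName": initiator}},
            "TargetResources": [{"userPrincipalName": target}]}

# Constructed sample data: made-up users and times, not real tenant logs.
SAMPLE = [
    _row("2024-05-01T10:00:00Z", "Enable account", "helpdesk1@contoso.example", "old.admin@contoso.example"),
    _row("2024-05-01T10:03:00Z", "Reset user password", "helpdesk1@contoso.example", "old.admin@contoso.example"),
    _row("2024-05-01T11:00:00Z", "Update user", "hr.sync@contoso.example", "alice@contoso.example"),
    _row("2024-05-01T12:00:00Z", "Reset user password", "helpdesk2@contoso.example", "bob@contoso.example", "failure"),
    _row("2024-05-01T13:00:00Z", "Add member to group", "helpdesk1@contoso.example", "old.admin@contoso.example"),
]

def initiator_of(row):
    """UPN of the acting user, or the display name when an application acted."""
    by = row.get("InitiatedBy") or {}
    return ((by.get("user") or {}).get("userPrincipalName")
            or (by.get("app") or {}).get("displayName") or "unknown")

def watched_events(rows):
    """Yield (time, operation, initiator, target) for successful watched operations."""
    for r in rows:
        if r["OperationName"] in WATCHED and r.get("Result", "").lower() == "success":
            ts = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
            for t in r.get("TargetResources") or []:
                yield ts, r["OperationName"], initiator_of(r), t.get("userPrincipalName", "unknown")

def correlate(rows, window=timedelta(minutes=30)):
    """Flag (initiator, target) pairs with 2+ distinct watched operations inside any window."""
    groups = defaultdict(list)
    for ts, op, who, target in watched_events(rows):
        groups[(who, target)].append((ts, op))
    hits = []
    for (who, target), events in groups.items():
        for start, _ in sorted(events):  # slide the window over each event in time order
            ops = {op for ts, op in events if start <= ts <= start + window}
            if len(ops) >= 2:
                hits.append({"initiator": who, "target": target, "operations": sorted(ops)})
                break
    return hits

if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE), indent=2))
```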

Azure Monitor Alert

Deploy to Azure