AZT501.1 - Account Manipulation: User Account Manipulation
An adversary may manipulate a user account to maintain access in an Azure tenant.
Resource
Azure Active Directory
Actions
- microsoft.directory/users/password/update
- microsoft.directory/users/enable
- microsoft.directory/users/restore
Detections
Logs
| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Azure Active Directory | Reset password | microsoft.directory/users/password/update | AzureAD Audit Logs |
| Azure Active Directory | Enable account | microsoft.directory/users/enable | AzureAD Audit Logs |
| Azure Active Directory | Update user | microsoft.directory/users/password/update | AzureAD Audit Logs |
Queries
```kql
AuditLogs
| where OperationName == "Reset password" or OperationName == "Enable account" or OperationName == "Update user"
```
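
The query above returns every matching event. The following added example (not part of the original page) narrows it to accounts that were both enabled and had their password reset within a short window, and shows who initiated the changes. The sample rows are constructed, and the one-hour window and the use of the `Result`, `InitiatedBy` and `TargetResources` columns are assumptions about the workspace's AuditLogs schema.

```kql
// Constructed sample rows standing in for the AuditLogs table (not real data).
let SampleAuditLogs = datatable(TimeGenerated: datetime, OperationName: string, Result: string,
                                InitiatedBy: dynamic, TargetResources: dynamic)
[
    datetime(2024-03-01 09:00:00), "Enable account", "success",
        dynamic({"user": {"userPrincipalName": "ops-admin@contoso.example"}}),
        dynamic([{"userPrincipalName": "old-svc@contoso.example"}]),
    datetime(2024-03-01 09:04:00), "Reset password", "success",
        dynamic({"user": {"userPrincipalName": "ops-admin@contoso.example"}}),
        dynamic([{"userPrincipalName": "old-svc@contoso.example"}]),
    datetime(2024-03-01 11:30:00), "Reset password", "success",
        dynamic({"user": {"userPrincipalName": "helpdesk@contoso.example"}}),
        dynamic([{"userPrincipalName": "alice@contoso.example"}]),
    datetime(2024-03-01 12:00:00), "Update user", "success",
        dynamic({"app": {"displayName": "HR Sync"}}),
        dynamic([{"userPrincipalName": "bob@contoso.example"}])
];
// Assumed pairing window; tune to the environment.
let Window = 1h;
SampleAuditLogs   // replace with AuditLogs to run against a workspace
| where OperationName in ("Reset password", "Enable account", "Update user")
| where Result =~ "success"
// The initiator is either a user or an application (service principal).
| extend UserUpn = tostring(InitiatedBy.user.userPrincipalName),
         AppName = tostring(InitiatedBy.app.displayName)
| extend Initiator = iff(isnotempty(UserUpn), UserUpn, AppName)
| extend Target = tostring(TargetResources[0].userPrincipalName)
// Per target account: first enable, first reset, and everything seen.
| summarize EnableTime = minif(TimeGenerated, OperationName == "Enable account"),
            ResetTime  = minif(TimeGenerated, OperationName == "Reset password"),
            Operations = make_set(OperationName),
            Initiators = make_set(Initiator)
    by Target
// Keep only accounts that were enabled and reset close together.
| where isnotnull(EnableTime) and isnotnull(ResetTime)
| where ResetTime between ((EnableTime - Window) .. (EnableTime + Window))
| project Target, EnableTime, ResetTime, Operations, Initiators
```

Routine help-desk resets on active accounts drop out because they have no matching enable event; what remains is worth comparing against change tickets for the listed initiators.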