Identity and Access Management
Azure AD Newly Created Admin Account
Detection overview
The "Azure AD Newly Created Admin Account" detection focuses on identifying the creation of new administrative accounts in Azure Active Directory (Azure AD). This activity is significant because it may indicate an attempt to gain unauthorized administrative privileges within an organization's cloud environment. Such accounts can be used to access sensitive resources, perform administrative tasks, or escalate privileges further.
Triggers
- A user was observed sending multiple emails to internal recipients which were flagged by O365 reputation scanning as likely phishing emails.
Possible Root Causes
- An attacker has compromised a single account and is abusing its access and implicit trust within an organization to attack additional accounts via spearphishing emails.
- Benign emails have been flagged as suspicious based on their content or attachments, which are most frequently associated with invoices sent to distribution lists.
Business Impact
- Spearphishing is one of the predominant ways attackers gain and expand access to credentials within an environment and is particularly effective when utilizing the implicit trust of an internal sender.
- Successful internal spearphishing campaigns result in broad access to a large range of resources within the environment, resulting in a significant increase in overall impact of a compromised account incident within an organization.
Steps to Verify
- Review the details and contents of the email to validate it is malicious.
- Review additional detections and events by the source user which may indicate their account has been compromised.
- Validate the source user is aware of and sent the email that was flagged.
Azure AD Newly Created Admin Account
Possible root causes
Malicious Detection
- An attacker has compromised an account with privileges to create new administrative users.
- Use of stolen credentials or exploiting vulnerabilities to create new admin accounts.
- Insider threat where an employee intentionally creates a new admin account for malicious purposes.
Benign Detection
- Routine administrative operations, such as onboarding new IT staff or changing roles.
- Security assessments or penetration tests where admin accounts are created temporarily.
- Misconfiguration or errors during administrative tasks.
Azure AD Newly Created Admin Account
Example scenarios
Scenario 1: An attacker gains access to a compromised user account with privileged access in Azure AD. The attacker creates a new admin account to establish persistence and escalate privileges, enabling further exploitation of the cloud environment. This detection is triggered by the creation of the new admin account.
Scenario 2: During a scheduled penetration test, the security team creates new admin accounts to test the organization's response capabilities. The detection is triggered, and the activity is verified as part of the assessment.
Azure AD Newly Created Admin Account
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Privilege Escalation
Unauthorized admin accounts can lead to full control over the Azure environment.
Operational Disruption
Malicious admin accounts can make unauthorized changes, disrupt services, and escalate attacks.
Data Breach
Potential access to sensitive data and resources within Azure AD and associated services.
Azure AD Newly Created Admin Account
Steps to investigate
Review Account Creation Logs
- Check Azure AD logs for the details of the new admin account creation, including the timestamp, source IP, and the user who created the account.
- Identify any unusual patterns, such as creation during non-business hours or from unfamiliar locations.
Correlate with User Activity
- Verify if the user who created the admin account has the necessary privileges and if their actions align with their role.
- Check for recent changes in the user’s behavior or login patterns.
Examine Role Assignments
- Review the roles assigned to the new admin account and verify if they are justified.
- Check if the account creation was part of a documented administrative task or project.
Conduct a Threat Hunt
- Search for other indicators of compromise or malicious activity associated with the same user or IP address.
- Verify if the detected activity is part of a scheduled security assessment or penetration test.
Azure AD Newly Created Admin Account
MITRE ATT&CK techniques covered
Azure AD Newly Created Admin Account
Related detections
FAQs
What is an Azure AD Newly Created Admin Account?
This refers to the creation of a new user account with administrative privileges within Azure Active Directory, which could indicate potential unauthorized access or privilege escalation attempts.
How can I detect newly created admin accounts in Azure AD?
Monitoring Azure AD logs for account creation activities, specifically those involving administrative roles, and setting up alerts for unusual patterns can help detect new admin accounts.
What are the common signs of unauthorized admin account creation?
Signs include account creation during non-business hours, from unfamiliar IP addresses, by users who do not typically perform administrative tasks, or without proper documentation.
Why is the creation of a new admin account a significant threat?
Unauthorized admin accounts can lead to full control over the Azure environment, allowing attackers to access sensitive data, disrupt operations, and escalate their privileges further.
Can legitimate activities trigger the detection of new admin accounts?
Yes, routine administrative tasks, security assessments, or role changes can trigger this detection. It's important to verify the context of the activity.
What steps should I take if I detect a newly created admin account?
Investigate the source of the account creation, verify if it was authorized, check for other signs of malicious activity, and take steps to secure any compromised accounts.
How does Vectra AI detect newly created admin accounts in Azure AD?
Vectra AI uses advanced AI algorithms to analyze Azure AD activity and identify patterns indicative of new admin account creation, correlating these with other suspicious behaviors.
What tools can help verify the presence of unauthorized admin accounts?
Tools like Azure AD Audit Logs, security information and event management (SIEM) systems, and specialized monitoring solutions can help identify unauthorized admin accounts.
What is the business impact of an unauthorized admin account?
The primary risks are privilege escalation, data breaches, operational disruptions, and compliance violations, which can lead to significant damage to the organization.
How can I prevent unauthorized creation of admin accounts?
Implement strict access controls, regularly review admin privileges, monitor AD activity, use multi-factor authentication, and conduct regular audits of user activity.