Detect Cloud Accounts in Microsoft Sentinel
Valid cloud accounts may be leveraged by adversaries to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion in cloud environments. Adversaries may obtain cloud credentials through phishing, brute force, credential theft from endpoints, or by compromising on-premises identity infrastructure federated with cloud services. Once in possession of valid credentials, adversaries can authenticate to cloud management planes (Azure, AWS, GCP), SaaS applications (Microsoft 365, Google Workspace), or identity providers (Entra ID, Okta) and operate as legitimate users. Techniques include abusing service principals, managed identities, OAuth tokens, and API keys to maintain persistence and move laterally across cloud resources.
MITRE ATT&CK
- Technique: T1078 Valid Accounts
- Sub-technique: T1078.004 Cloud Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1078/004/
KQL Detection Query
// T1078.004 - Cloud Accounts: Detect suspicious cloud account usage patterns
// Covers: sign-ins from high-risk countries, legacy authentication clients, Identity Protection
// risk (high/medium), MFA not performed when Conditional Access applied, and service principals
// authenticating from an unusual number of source IPs
let LookbackPeriod = 24h;
let SuspiciousCountries = dynamic(["KP", "IR", "RU", "CN", "BY"]);
let LegacyAuthClients = dynamic([
    "IMAP", "POP3", "SMTP", "BasicAuth", "ExchangeActiveSync",
    "AutoDiscover", "Exchange Web Services", "Office Protocol",
    "Authenticated SMTP", "Outlook Anywhere"
]);
// Section 1: Suspicious sign-ins from unusual locations or legacy auth
let SuspiciousSignins = SigninLogs
| where TimeGenerated > ago(LookbackPeriod)
| where ResultType == 0 // Successful sign-in
| extend Country = tostring(LocationDetails.countryOrRegion)
| extend City = tostring(LocationDetails.city)
| extend ClientApp = tostring(ClientAppUsed)
| extend IsLegacyAuth = ClientApp has_any (LegacyAuthClients)
| extend IsSuspiciousCountry = Country in (SuspiciousCountries)
| extend IsHighRisk = RiskLevelDuringSignIn in ("high", "medium")
// Single-factor sign-in while a Conditional Access policy was evaluated (success or failure)
| extend IsMFANotPerformed = AuthenticationRequirement == "singleFactorAuthentication" and ConditionalAccessStatus != "notApplied"
| where IsLegacyAuth or IsSuspiciousCountry or IsHighRisk or IsMFANotPerformed
| project TimeGenerated, UserPrincipalName, UserId, AppDisplayName, IPAddress,
    Country, City, ClientApp, IsLegacyAuth, IsSuspiciousCountry,
    IsHighRisk, IsMFANotPerformed, RiskLevelDuringSignIn,
    ConditionalAccessStatus, UserAgent, CorrelationId;
// Section 2: Service Principal sign-ins outside expected patterns
let SPSignins = AADServicePrincipalSignInLogs
| where TimeGenerated > ago(LookbackPeriod)
| where ResultType == 0
| summarize SigninCount = count(), UniqueIPs = dcount(IPAddress), IPList = make_set(IPAddress, 10)
    by ServicePrincipalName, ServicePrincipalId, AppId, bin(TimeGenerated, 1h)
| where UniqueIPs > 3 // Service principals should use consistent IPs
| extend AlertReason = "Service principal authenticating from multiple IPs"
| project TimeGenerated, ServicePrincipalName, ServicePrincipalId, AppId,
    SigninCount, UniqueIPs, IPList, AlertReason;
// Output suspicious user sign-ins (replace with SPSignins to run Section 2 on its own)
SuspiciousSignins
| sort by TimeGenerated desc

Detects suspicious cloud account usage in Microsoft Entra ID (Azure AD) by monitoring sign-in logs for multiple risk indicators: sign-ins from high-risk countries, legacy authentication protocol usage (which bypasses MFA), sign-ins flagged as high or medium risk by Identity Protection, MFA not performed when required, and service principals authenticating from an unusual number of source IPs. Covers both interactive user sign-ins (SigninLogs) and service principal sign-ins (AADServicePrincipalSignInLogs). Analysts should run both sections independently or union the results for a combined view.
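The combined view mentioned above, as an added example that is not part of the original detection: both sections are reduced to one common schema so that user and service-principal findings can be unioned and ranked per principal. The logic mirrors the query above; the column names PrincipalType, Principal, PrincipalId and AlertReason are choices made for this example, and each user sign-in is expanded into one row per matching reason so a single alert carries exactly one reason.

```kql
// Added example: union user sign-in findings with service-principal findings.
// Reuses the thresholds and lists of the detection above; schema names are assumptions.
let LookbackPeriod = 24h;
let SuspiciousCountries = dynamic(["KP", "IR", "RU", "CN", "BY"]);
let LegacyAuthClients = dynamic([
    "IMAP", "POP3", "SMTP", "BasicAuth", "ExchangeActiveSync",
    "AutoDiscover", "Exchange Web Services", "Office Protocol",
    "Authenticated SMTP", "Outlook Anywhere"
]);
// User sign-ins: one row per (sign-in, reason) pair
let UserAlerts = SigninLogs
| where TimeGenerated > ago(LookbackPeriod)
| where ResultType == 0
| extend Country = tostring(LocationDetails.countryOrRegion), ClientApp = tostring(ClientAppUsed)
| extend Reasons = pack_array(
    iff(ClientApp has_any (LegacyAuthClients), "LegacyAuth", ""),
    iff(Country in (SuspiciousCountries), "SuspiciousCountry", ""),
    iff(RiskLevelDuringSignIn in ("high", "medium"), "IdentityProtectionRisk", ""),
    iff(AuthenticationRequirement == "singleFactorAuthentication" and ConditionalAccessStatus != "notApplied",
        "MFANotPerformed", ""))
| mv-expand AlertReason = Reasons to typeof(string)
| where isnotempty(AlertReason)
| project TimeGenerated, PrincipalType = "User", Principal = UserPrincipalName, PrincipalId = UserId,
    AppId, IPAddress, Country, AlertReason;
// Service principals: same multi-IP rule as Section 2, projected onto the common schema
let SPAlerts = AADServicePrincipalSignInLogs
| where TimeGenerated > ago(LookbackPeriod)
| where ResultType == 0
| summarize UniqueIPs = dcount(IPAddress), IPList = make_set(IPAddress, 10)
    by ServicePrincipalName, ServicePrincipalId, AppId, bin(TimeGenerated, 1h)
| where UniqueIPs > 3
| project TimeGenerated, PrincipalType = "ServicePrincipal", Principal = ServicePrincipalName,
    PrincipalId = ServicePrincipalId, AppId, IPAddress = tostring(IPList), Country = "",
    AlertReason = strcat("SPMultipleIPs:", UniqueIPs);
// Combined view: one row per principal, ranked by how many findings it accumulated
union UserAlerts, SPAlerts
| summarize AlertCount = count(), Reasons = make_set(AlertReason), FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated), IPs = make_set(IPAddress, 10)
    by PrincipalType, Principal, PrincipalId
| sort by AlertCount desc, LastSeen desc
```

Ranking by AlertCount surfaces an account that trips several indicators (for example legacy auth plus an unfamiliar country) above one that trips a single indicator once, which is usually the better triage order when the 24h window is busy.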
Data Sources
Required Tables
- SigninLogs (Microsoft Entra ID interactive user sign-ins)
- AADServicePrincipalSignInLogs (Microsoft Entra ID service principal sign-ins)
False Positives & Tuning
- Legitimate business travelers or remote workers authenticating from foreign countries or new locations for the first time
- Legacy applications or shared mailbox access that legitimately use basic authentication protocols not yet migrated to modern auth
- Service principals deployed across multi-region infrastructure may authenticate from multiple IP addresses legitimately
- Helpdesk or break-glass accounts accessed from admin workstations in unusual locations during incident response
- VPN or proxy usage causing sign-ins to appear from unexpected geographic locations
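One way to act on the tuning points above, as an added example that is not part of the original page: a per-user 30-day country baseline replaces the static country list for the "first time from a new location" case, an approved-travel watchlist suppresses known traveler/country pairs, and a watchlist of known service-principal egress ranges is removed before the distinct-IP count so multi-region deployments stop tripping the threshold by themselves. The two watchlist names (ApprovedTravel, KnownSPIPRanges) and their column names are assumptions; create them in Sentinel with those columns before running this.

```kql
// Added tuning example (not the page's query). Watchlist names and columns are assumptions:
//   ApprovedTravel   columns UserPrincipalName, Country
//   KnownSPIPRanges  column  CidrRange   (e.g. "203.0.113.0/24", constructed example value)
let LookbackPeriod = 24h;
let BaselinePeriod = 30d;
let SuspiciousCountries = dynamic(["KP", "IR", "RU", "CN", "BY"]);
let ApprovedTravel = _GetWatchlist('ApprovedTravel') | project UserPrincipalName, Country;
let KnownSPRanges = toscalar(_GetWatchlist('KnownSPIPRanges') | summarize make_list(CidrRange));
// Countries each user signed in from successfully during the 30 days before the detection window
let UserCountryBaseline = SigninLogs
| where TimeGenerated between (ago(BaselinePeriod) .. ago(LookbackPeriod))
| where ResultType == 0
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize KnownCountries = make_set(Country) by UserPrincipalName;
// Users: alert on a country the user has never used or a high-risk country, unless the
// user/country pair is pre-approved. A user with no baseline at all counts as "new" for
// every country, which is the behaviour you want for freshly created accounts.
let TunedUserAlerts = SigninLogs
| where TimeGenerated > ago(LookbackPeriod)
| where ResultType == 0
| extend Country = tostring(LocationDetails.countryOrRegion)
| join kind=leftouter UserCountryBaseline on UserPrincipalName
| extend IsNewCountry = isnull(KnownCountries) or not(set_has_element(KnownCountries, Country))
| where IsNewCountry or Country in (SuspiciousCountries)
| join kind=leftanti ApprovedTravel on UserPrincipalName, Country
| project TimeGenerated, PrincipalType = "User", Principal = UserPrincipalName, Country,
    Detail = strcat("ip=", IPAddress, " app=", AppDisplayName, " newCountry=", IsNewCountry);
// Service principals: drop sign-ins from known egress ranges before counting distinct IPs.
// coalesce() keeps IPv6 rows, where ipv4_is_in_any_range() returns null rather than false.
let TunedSPAlerts = AADServicePrincipalSignInLogs
| where TimeGenerated > ago(LookbackPeriod)
| where ResultType == 0
| where coalesce(ipv4_is_in_any_range(IPAddress, KnownSPRanges), false) == false
| summarize UniqueIPs = dcount(IPAddress), IPList = make_set(IPAddress, 10)
    by ServicePrincipalName, bin(TimeGenerated, 1h)
| where UniqueIPs > 3
| project TimeGenerated, PrincipalType = "ServicePrincipal", Principal = ServicePrincipalName, Country = "",
    Detail = strcat("uniqueIPs=", UniqueIPs, " ips=", tostring(IPList));
union TunedUserAlerts, TunedSPAlerts
| sort by TimeGenerated desc
```

The baseline window deliberately ends where the detection window begins, so a sign-in in the last 24h cannot teach the baseline its own country. Break-glass and helpdesk accounts are best handled by adding them to ApprovedTravel with the countries they are expected to operate from, rather than excluding them outright, so their activity is still visible when it leaves the approved set.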
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Azure CLI Authentication with Compromised Credentials
Expected signal: Entra ID SigninLogs: successful interactive sign-in with AppDisplayName='Microsoft Azure CLI', DeviceDetail showing unregistered device, IPAddress of test machine. AuditLogs may show directory read operations. Risk signals may trigger if this is a new location or device for the account.
- Test 2: Service Principal Authentication and Enumeration
Expected signal: AADServicePrincipalSignInLogs: service principal authentication event with IPAddress, ResourceDisplayName, and AppId. AuditLogs: directory read operations. If run from a new IP, this will appear as an anomalous source for the service principal.
- Test 3: Legacy Authentication Simulation via SMTP Basic Auth
Expected signal: Entra ID SigninLogs: sign-in attempt with ClientAppUsed='Authenticated SMTP' or 'SMTP Auth', Protocol='SMTP', IsInteractive=false. The sign-in will be flagged as legacy authentication. If successful, ResultType=0; if legacy auth is blocked by CA policy, ResultType will reflect the block.
- Test 4: Impossible Travel Simulation via Azure Resource Manager API
Expected signal: Two sign-in events in SigninLogs from different IP addresses and geolocations for the same account within a short time window. Entra ID Identity Protection may generate an 'Impossible travel' or 'Unfamiliar sign-in properties' risk detection (AADUserRiskEvents). The second sign-in will have a different CountryOrRegion in LocationDetails.
- Test 5: Add Credentials to Existing Service Principal (Persistence)
Expected signal: AuditLogs: OperationName='Add service principal credentials' or 'Update application – Certificates and secrets management' with the initiating user's UPN, source IP, and target service principal name and ID. This is the exact pattern hunted by the Service Principal Credential Addition hunting query.
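A query to check the Test 5 signal, as an added example that is not the hunting query the page refers to: it pulls successful credential additions from AuditLogs using the two OperationName values listed above, and enriches each one with the actor's most recent successful sign-in from the preceding hour so that a credential added shortly after a sign-in from an unexpected country, via a legacy client, or with an Identity Protection risk level stands out. The one-hour correlation window and the 7-day lookback are choices made for this example.

```kql
// Added example (not the page's hunting query): service-principal credential additions,
// joined to the initiating user's latest sign-in within the previous hour.
let LookbackPeriod = 7d;
let CredentialOps = dynamic(["Add service principal credentials",
                             "Update application – Certificates and secrets management"]);
let CredentialAdds = AuditLogs
| where TimeGenerated > ago(LookbackPeriod)
| where OperationName in (CredentialOps) and Result == "success"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName),
         ActorIP = tostring(InitiatedBy.user.ipAddress),
         ActorApp = tostring(InitiatedBy.app.displayName)   // populated when an app, not a user, made the change
| mv-expand Target = TargetResources
| extend TargetName = tostring(Target.displayName), TargetId = tostring(Target.id),
         TargetType = tostring(Target.type)
| extend ChangedProps = tostring(Target.modifiedProperties)  // old/new values of the key or secret list
| project TimeGenerated, OperationName, Actor, ActorIP, ActorApp, TargetName, TargetId, TargetType,
          ChangedProps, CorrelationId;
let RecentSignins = SigninLogs
| where TimeGenerated > ago(LookbackPeriod)
| where ResultType == 0
| project SigninTime = TimeGenerated, Actor = UserPrincipalName, SigninIP = IPAddress,
          SigninCountry = tostring(LocationDetails.countryOrRegion),
          SigninApp = tostring(ClientAppUsed), SigninRisk = RiskLevelDuringSignIn;
// Latest sign-in per credential addition, restricted to the hour before the change.
// Done as inner join + window filter + arg_max, then attached with a left-outer join so
// additions with no matching sign-in (e.g. app-initiated) are still reported.
let Enriched = CredentialAdds
| where isnotempty(Actor)
| join kind=inner RecentSignins on Actor
| where SigninTime between ((TimeGenerated - 1h) .. TimeGenerated)
| summarize arg_max(SigninTime, SigninIP, SigninCountry, SigninApp, SigninRisk) by CorrelationId, TargetId;
CredentialAdds
| join kind=leftouter Enriched on CorrelationId, TargetId
| project-away CorrelationId1, TargetId1
| project TimeGenerated, OperationName, Actor, ActorIP, ActorApp, TargetName, TargetId, TargetType,
          SigninTime, SigninIP, SigninCountry, SigninApp, SigninRisk, ChangedProps
| sort by TimeGenerated desc
```

Rows where Actor is empty and ActorApp is set are changes made by an application identity (automation or another service principal); those should be compared against your list of tooling that is allowed to rotate credentials, since a compromised automation principal adding secrets to other principals is the pattern that lets an attacker keep access after the original user account is remediated.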
References
- https://attack.mitre.org/techniques/T1078/004/
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins
- https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
- https://www.microsoft.com/security/blog/2020/12/21/advice-for-incident-responders-on-recovery-from-systemic-identity-compromises/
- https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a
- https://www.mandiant.com/resources/blog/apt29-microsoft-365
- https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-built-in
- https://github.com/BloodHoundAD/ROADtools
- https://github.com/RhinoSecurityLabs/pacu
- https://learn.microsoft.com/en-us/entra/identity/conditional-access/block-legacy-authentication
- https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
- https://microsoft.github.io/Microsoft-365-Defender-Hunting-Queries/