T1199 CrowdStrike LogScale · LogScale

Detect Trusted Relationship in CrowdStrike LogScale

Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third-party relationships abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. These relationships include IT services contractors, managed security providers, and infrastructure contractors. In Office 365 and Azure AD environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.

MITRE ATT&CK

Tactic
Initial Access
Technique
T1199 Trusted Relationship
Canonical reference
https://attack.mitre.org/techniques/T1199/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1199 Trusted Relationship Abuse — CrowdStrike Falcon LogScale
// Covers external service account network logons, privileged group grants to external accounts,
// and provisioning of guest/vendor user accounts visible on Falcon-protected endpoints
union(
  {
    // Arm 1: External service/MSP account network logon (LogonType 3) from non-RFC1918 IP
    #event_simpleName = UserLogon
    | LogonType = 3
    | UserName = /(?i)(svc_|_svc|admin|msp|vendor|mgmt|partner|managed)/
    | RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|0\.0\.0\.0)/
    | RemoteAddressIP4 != ""
    | eval DetectionCategory = "ExternalServiceAccountNetworkLogon"
    | table([_time, ComputerName, UserName, UserDomain, RemoteAddressIP4, LogonType, DetectionCategory])
  },
  {
    // Arm 2: Privileged group membership granted to external, guest, or vendor account
    #event_simpleName = UserAccountAddedToGroup
    | GroupName = /(?i)(Global Admin|Privileged Role|Exchange Admin|SharePoint Admin|Security Admin|Helpdesk Admin|User Admin)/
    | (
        UserPrincipalName = /#EXT#/
        OR UserName = /(?i)(msp|vendor|partner|svc_|_svc|contractor|extern)/
      )
    | eval DetectionCategory = "ExternalAccountPrivilegedGroupGrant"
    | table([_time, ComputerName, UserName, UserPrincipalName, GroupName, DetectionCategory])
  },
  {
    // Arm 3: New guest, vendor, or service account created matching external provider naming
    #event_simpleName = UserAccountCreated
    | (
        UserPrincipalName = /#EXT#/
        OR UserName = /(?i)(msp|vendor|partner|managed\.service|svc_|_svc|contractor)/
      )
    | eval DetectionCategory = "ExternalOrServiceAccountProvisioned"
    | table([_time, ComputerName, UserName, UserPrincipalName, DetectionCategory])
  }
)
| sort(field=_time, order=desc)
high severity medium confidence

CrowdStrike Falcon LogScale detection for T1199 Trusted Relationship abuse using a union across three Falcon endpoint event types. Arm 1 targets UserLogon events with LogonType=3 (network logon) from non-RFC1918 IPs by accounts matching service provider naming conventions (svc_, msp, vendor, partner) — the classic MSP-as-pivot pattern. Arm 2 targets UserAccountAddedToGroup where a privileged admin group receives an external (#EXT#) or vendor-named account member. Arm 3 targets UserAccountCreated for guest and service account provisioning events. Primarily covers endpoint-visible trust relationship signals; cloud identity plane visibility requires Falcon Identity Protection or CSPM integration.

Data Sources

CrowdStrike Falcon EDR (event_simpleName: UserLogon, UserAccountAddedToGroup, UserAccountCreated)Falcon Identity Protection (for UserPrincipalName and #EXT# enrichment)

Required Tables

#event_simpleName=UserLogon#event_simpleName=UserAccountAddedToGroup#event_simpleName=UserAccountCreated

False Positives & Tuning

  • IT administrators using service account naming conventions (e.g., svc_backup, svc_monitoring) that legitimately perform network logons from cloud-hosted management platforms (Azure Automation, AWS Systems Manager) with public IP addresses outside RFC1918
  • MSP technicians performing authorized remote support sessions via jump hosts that generate UserLogon LogonType=3 events with the MSP's corporate egress IP, which is external to the protected environment
  • Automated IAM provisioning workflows (e.g., Okta Lifecycle Management, Azure AD Connect) that create service or vendor accounts in bulk during approved onboarding windows, matching the vendor naming pattern regex
Download portable Sigma rule (.yml)

Other platforms for T1199

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Delegated Admin Permission Grant via Azure AD PowerShell

    Expected signal: Azure AD AuditLogs: OperationName 'Add delegated permission grant', Result 'success', InitiatedBy.user.userPrincipalName = executing account, TargetResources[0].displayName = 'Microsoft Graph'. Visible in Microsoft 365 compliance portal under Audit search with Activity = 'Add delegated permission grant'.

  2. Test 2Assign Privileged Role to External Guest Account Simulating MSP Onboarding

    Expected signal: Azure AD AuditLogs: OperationName 'Add member to role', Result 'success', TargetResources[1].displayName = 'Global Reader', TargetResources[0].userPrincipalName contains '#EXT#'. Also generates 'Invite external user' event. Both visible in AuditLogs table within 5-10 minutes.

  3. Test 3Simulate MSP Network Logon from External IP Using Service Account

    Expected signal: Windows Security Event ID 4624: LogonType=3 (Network), TargetUserName='svc_msp_test', SourceNetworkAddress=127.0.0.1. Security Event ID 4672 if the account has elevated privileges. Visible in Windows Event Viewer under Security log within seconds of execution.

  4. Test 4Create New Service Principal and Grant API Permissions Simulating Post-Access Backdoor

    Expected signal: Azure AD AuditLogs: OperationName 'Add application', Result 'success', TargetResources[0].displayName = 'df00tech-detection-test-app'. Followed by OperationName 'Update application' with ModifiedProperties showing RequiredResourceAccess including Mail.Read scope. Both events include InitiatedBy.user.userPrincipalName of the executing account.

Last updated: 2026-04-19 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1199 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1078Valid AccountsT1078.004Cloud AccountsT1133External Remote ServicesT1550.001Application Access TokenT1136.003Cloud AccountT1098.001Additional Cloud CredentialsT1098.003Additional Cloud RolesT1087.004Cloud AccountT1114.002Remote Email CollectionT1195Supply Chain Compromise

Same Tactic: Initial Access

Popular Detections