Acquire Access
This detection identifies indicators that adversaries have leveraged purchased or brokered access to compromise an environment: the operational signature left when a foothold sold by an Initial Access Broker (IAB) is activated. T1650 itself is pre-compromise preparation that generates no telemetry inside the victim environment, so detection focuses on anomalous authentication patterns consistent with a new actor using previously established access: first-use logons from novel geolocations for established accounts, high-risk sign-ins immediately followed by reconnaissance, web shell process ancestry indicative of broker-planted backdoors, and external remote service sessions from IPs with no prior organizational history. The query on this page covers the first of these; correlating Microsoft Entra ID (formerly Azure AD) Identity Protection risk signals with first-seen IP and country for an established account gives the strongest fidelity. The web shell and remote-service patterns need separate rules against endpoint and Windows Security telemetry, and are only exercised by the tests at the end of the page.
What is T1650 Acquire Access?
Acquire Access (T1650) maps to the Resource Development tactic in MITRE ATT&CK: the adversary is trying to establish resources they can use to support operations. Under T1650 that resource is access itself, bought from a broker who has already obtained valid credentials, a web shell or an exposed remote service in the target.
This page provides detection logic for Acquire Access, covering the data sources and telemetry it touches: Microsoft Entra ID (Azure Active Directory) sign-in logs and Microsoft Entra ID Protection risk signals. The query below is rated high severity at medium confidence. The same logic ships for 7 SIEM platforms (KQL, SPL, Elastic, QRadar, Sumo Logic, YARA-L, LogScale); the KQL version is the one shown here.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1650 Acquire Access
- Canonical reference
- https://attack.mitre.org/techniques/T1650/
// T1650 — Acquire Access: detect activated IAB-sold footholds via anomalous first-use authentication
// Table: SigninLogs (Microsoft Entra ID interactive sign-ins ingested into Sentinel).
// Identity Protection detection types live in RiskEventTypes_V2 (a dynamic array of
// riskEventType names); RiskDetail only records why a risk state changed, so it is not
// the right column to match detection types against.
let lookbackDays = 30d;
let alertWindowHours = 24h;
let minBaselineSignins = 7; // "established account": more than this many successes in the baseline window
// Baseline of known IPs and countries per user over the past 30 days.
// The alert window is excluded so a first-use sign-in cannot baseline itself.
let historicalBaseline = SigninLogs
| where TimeGenerated between (ago(lookbackDays) .. ago(alertWindowHours))
| where ResultType == 0
| summarize
    HistoricalIPs = make_set(IPAddress, 500),
    HistoricalCountries = make_set(Location, 100), // Location is the ISO country code of the sign-in
    BaselineSigninCount = count()
    by UserPrincipalName;
// Recent successful sign-ins that Identity Protection flagged as risky
let recentHighRiskSignins = SigninLogs
| where TimeGenerated > ago(alertWindowHours)
| where ResultType == 0
| where RiskLevelDuringSignIn in ("high", "medium")
    or RiskState in ("atRisk", "confirmedCompromised")
    or RiskEventTypes_V2 has_any ("unfamiliarFeatures", "anonymizedIPAddress", "maliciousIPAddress", "unlikelyTravel", "mcasImpossibleTravel", "newCountry")
| project
    TimeGenerated,
    UserPrincipalName,
    IPAddress,
    Location,
    AppDisplayName,
    DeviceDetail = tostring(DeviceDetail),
    RiskLevelDuringSignIn,
    RiskState,
    RiskEventTypes = tostring(RiskEventTypes_V2),
    AuthenticationRequirement,
    ConditionalAccessStatus,
    CorrelationId;
// Join to baseline: keep established accounts whose IP AND country are both first-seen.
// set_has_element() is the membership test for a dynamic array; `in` does not unpack one.
recentHighRiskSignins
| join kind=inner historicalBaseline on UserPrincipalName
| where BaselineSigninCount > minBaselineSignins
| where not(set_has_element(HistoricalIPs, IPAddress))
| where not(set_has_element(HistoricalCountries, Location))
| extend
    RiskScore = case(
        RiskLevelDuringSignIn == "high" or RiskState == "confirmedCompromised", 3,
        RiskLevelDuringSignIn == "medium"
            or RiskEventTypes has_any ("anonymizedIPAddress", "maliciousIPAddress", "unlikelyTravel", "mcasImpossibleTravel", "newCountry"), 2,
        1
    ),
    NewGeolocation = strcat("New country/IP for this account: ", Location, " / ", IPAddress),
    BrokerIndicators = case(
        RiskEventTypes has "anonymizedIPAddress", "TOR/VPN exit node: common IAB delivery mechanism",
        RiskEventTypes has "maliciousIPAddress", "Known malicious IP: potential broker infrastructure",
        RiskEventTypes has_any ("unlikelyTravel", "mcasImpossibleTravel"), "Impossible travel: credential handoff to a remote threat actor",
        RiskEventTypes has "newCountry", "New country logon: new actor using acquired credentials",
        "High-risk sign-in from unknown location"
    )
| where RiskScore >= 2
| project
    TimeGenerated,
    UserPrincipalName,
    IPAddress,
    Location,
    AppDisplayName,
    RiskLevelDuringSignIn,
    RiskState,
    RiskEventTypes,
    BrokerIndicators,
    NewGeolocation,
    RiskScore,
    ConditionalAccessStatus,
    CorrelationId
| order by TimeGenerated desc

Detects activation of IAB-sold access by correlating Microsoft Entra ID Protection risk signals (unlikely travel, anonymous IP, malicious IP, new country) with first-appearance logons from IPs and countries never previously seen for an established account. This pattern is the operational signature of a purchased credential or backdoor being activated by a new threat actor. Two design choices worth knowing before tuning: the baseline deliberately stops 24 hours before now, so a sign-in in the alert window can never add itself to the known set, and both the IP and the country must be new, which trades some recall for far fewer alerts on employees changing home ISPs inside their usual country.
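To check the join and threshold behaviour of the logic above before deploying it, the following is an added example that re-implements the query in Python over constructed sign-in records. It is not the vendor's code or part of the shipped rule pack; the field names mirror the SigninLogs columns the query reads, the accounts and IPs are made up, and the TOR/VPN and risk-type strings are the same ones used in the query.

```python
"""Offline model of the T1650 first-use sign-in detection (added example, not vendor code).

Re-implements the KQL logic in Python so the baseline join and thresholds can be
unit-tested against constructed SigninLogs-shaped records. All accounts, IPs and
timestamps below are constructed test data, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Identity Protection detection types the query treats as broker indicators
# (Microsoft Graph riskEventType names), with the same labels as the KQL case().
BROKER_EVENT_TYPES = {
    "anonymizedIPAddress": "TOR/VPN exit node: common IAB delivery mechanism",
    "maliciousIPAddress": "Known malicious IP: potential broker infrastructure",
    "unlikelyTravel": "Impossible travel: credential handoff to a remote threat actor",
    "mcasImpossibleTravel": "Impossible travel: credential handoff to a remote threat actor",
    "newCountry": "New country logon: new actor using acquired credentials",
}
BASELINE_DAYS = 30
ALERT_WINDOW_HOURS = 24
MIN_BASELINE_SIGNINS = 7  # "established account" threshold from the query


@dataclass
class SignIn:
    time: datetime
    upn: str
    ip: str
    country: str                 # SigninLogs.Location (ISO country code)
    result_type: int             # 0 == success
    risk_level: str = "none"     # RiskLevelDuringSignIn
    risk_state: str = "none"     # RiskState
    risk_events: tuple = ()      # RiskEventTypes_V2


def build_baseline(signins, now):
    """Known IPs/countries and success count per user over the baseline window,
    excluding the alert window so a first-use sign-in cannot baseline itself."""
    start = now - timedelta(days=BASELINE_DAYS)
    end = now - timedelta(hours=ALERT_WINDOW_HOURS)
    base = defaultdict(lambda: {"ips": set(), "countries": set(), "count": 0})
    for s in signins:
        if s.result_type == 0 and start <= s.time < end:
            b = base[s.upn]
            b["ips"].add(s.ip)
            b["countries"].add(s.country)
            b["count"] += 1
    return base


def risk_score(s):
    """Same ordering as the KQL case(): confirmed/high = 3, medium or broker-type detection = 2."""
    if s.risk_level == "high" or s.risk_state == "confirmedCompromised":
        return 3
    if s.risk_level == "medium" or any(e in BROKER_EVENT_TYPES for e in s.risk_events):
        return 2
    return 1


def detect(signins, now):
    """Alerts for successful sign-ins in the alert window that come from an IP and a
    country both never seen for an established account, with risk score >= 2."""
    baseline = build_baseline(signins, now)
    window_start = now - timedelta(hours=ALERT_WINDOW_HOURS)
    alerts = []
    for s in signins:
        if s.result_type != 0 or s.time < window_start:
            continue
        b = baseline.get(s.upn)  # .get() does not create a default entry
        if b is None or b["count"] <= MIN_BASELINE_SIGNINS:
            continue  # brand-new or rarely used account: a different playbook
        if s.ip in b["ips"] or s.country in b["countries"]:
            continue  # not a first-use location for this account
        score = risk_score(s)
        if score < 2:
            continue
        indicator = next((BROKER_EVENT_TYPES[e] for e in s.risk_events if e in BROKER_EVENT_TYPES),
                         "High-risk sign-in from unknown location")
        alerts.append({"upn": s.upn, "ip": s.ip, "country": s.country,
                       "score": score, "indicator": indicator})
    return alerts


NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)


def sample_signins():
    """Constructed records: alice has ten office logons then a risky sign-in from an
    anonymized IP in a new country; bob travels inside his usual country (new IP only);
    carol is a brand-new account with no baseline at all."""
    rows = []
    for d in range(2, 12):
        rows.append(SignIn(NOW - timedelta(days=d), "alice@corp.example", "203.0.113.10", "US", 0))
    rows.append(SignIn(NOW - timedelta(hours=3), "alice@corp.example", "198.51.100.77", "RO", 0,
                       "medium", "atRisk", ("anonymizedIPAddress", "newCountry")))
    for d in range(2, 12):
        rows.append(SignIn(NOW - timedelta(days=d), "bob@corp.example", "203.0.113.11", "US", 0))
    rows.append(SignIn(NOW - timedelta(hours=2), "bob@corp.example", "192.0.2.5", "US", 0, "medium"))
    rows.append(SignIn(NOW - timedelta(hours=1), "carol@corp.example", "198.51.100.9", "BR", 0, "high"))
    return rows


if __name__ == "__main__":
    for alert in detect(sample_signins(), NOW):
        print(alert)
```

Only alice fires: bob's new IP is suppressed because his country is already in the baseline, and carol is dropped by the established-account threshold even though her sign-in is high risk, which is exactly the gap a separate new-account rule should cover.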
Data Sources
- Microsoft Entra ID (Azure AD) interactive sign-in logs
- Microsoft Entra ID Protection risk detections, surfaced as the risk columns on each sign-in record
Required Tables
- SigninLogs (Microsoft Sentinel): the interactive sign-in table carrying RiskLevelDuringSignIn, RiskState and RiskEventTypes_V2
- The tests in the Testing Methodology section additionally reference Sysmon, Microsoft Defender for Endpoint DeviceProcessEvents and Windows Security event logs; those sources are not consumed by the query above.
False Positives
- Legitimate employee travel to a new country using personal or hotel Wi-Fi, which is both a new IP and a new country for the account
- Corporate VPN exit node changes or a new VPN infrastructure rollout causing unfamiliar-IP and anonymized-IP signals
- IT administrators using anonymizing proxies or jump hosts for infrastructure management from new regions
- Employees who have only just crossed the established-account threshold logging on from a home network or coworking space that is not yet in the baseline
- Mergers/acquisitions onboarding users from previously unseen IP ranges and countries
Tuning: maintain a watchlist of corporate VPN egress ranges, jump hosts and acquired-entity networks and exclude it from the new-IP check, and consider requiring a broker-type risk detection (anonymized or malicious IP, unlikely travel) rather than a bare medium risk level before paging.
Sigma rule & cross-platform mapping
The detection logic for Acquire Access (T1650) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
  product: azure
  service: signinlogs
Sigma can express the risky-sign-in selection (RiskLevelDuringSignIn, RiskState, RiskEventTypes_V2) but not the stateful 30-day per-user baseline join; that part has to be built with each backend's own aggregation or correlation features when the rule is converted.
Testing Methodology
Validate this detection against the three adversary behaviours below, written in the Atomic Red Team style. Each test lists the behaviour to exercise and the telemetry you should expect to see. Only Test 1 exercises the KQL query on this page; Tests 2 and 3 generate the endpoint and Windows Security telemetry for the web shell and remote-service patterns described in the summary, which require separate rules against those sources.
- Test 1: Simulate IAB credential use: new-geolocation authentication via a VPN exit node
Expected signal: SigninLogs entry with ResultType == 0, RiskLevelDuringSignIn of medium or high, and RiskEventTypes_V2 containing unfamiliarFeatures, anonymizedIPAddress (commercial VPN or TOR exits) or newCountry. The sign-in should also appear as a risk detection in Identity Protection (AADUserRiskEvents). Run the test from an IP and a country absent from the account's 30-day history, using an account with more than 7 successful sign-ins in that window; otherwise the baseline filter suppresses it by design.
- Test 2: Web shell activation simulation: IIS spawning a command shell
Expected signal: Sysmon Event ID 1 (Process Create) with ParentImage ending in w3wp.exe and Image ending in cmd.exe; in Microsoft Defender for Endpoint, a DeviceProcessEvents row with InitiatingProcessFileName == w3wp.exe and FileName == cmd.exe. Sysmon Event ID 3 (Network Connection) for w3wp.exe records the HTTP session from the test client; if the request is issued from the server itself the source is localhost.
- Test 3: Dormant account reactivation simulation: RDP from a new external IP
Expected signal: Windows Security Event 4624 on the target server with Logon Type 10 (RemoteInteractive), preceded by a Type 3 (Network) logon when Network Level Authentication is enabled, showing the external test IP as the source. Also expect 4776 (NTLM credential validation) on the server or domain controller that validated the credential, and 4672 (special privileges assigned) if the test account has elevated rights.