Detect Acquire Access in Microsoft Sentinel
This detection identifies indicators that adversaries have leveraged purchased or brokered access to compromise an environment — the operational signature left when Initial Access Broker (IAB)-sold footholds are activated. Because T1650 itself is a pre-compromise preparation activity, detection focuses on anomalous authentication patterns consistent with a new threat actor using previously established access: first-use logons from novel geolocations for established accounts, high-risk sign-ins immediately followed by reconnaissance activity, web shell process ancestry patterns indicative of broker-planted backdoors, and external remote service sessions from IPs with no prior organizational history. Correlating Azure AD risk signals with unusual lateral movement timing provides the strongest detection fidelity.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1650 Acquire Access
- Canonical reference
- https://attack.mitre.org/techniques/T1650/
KQL Detection Query
// T1650 — Acquire Access: Detect activated IAB-sold footholds via anomalous first-use authentication
// Reads the Sentinel SigninLogs table (Azure AD / Entra ID sign-ins). Identity Protection risk columns
// (RiskLevelDuringSignIn, RiskState, RiskEventTypes_V2) are only populated with Entra ID P2 licensing;
// without it they read "hidden"/"none" and only the new-IP/new-country logic below remains.
let lookbackDays = 30d;
let alertWindowHours = 24h;
let minHistoricalSignins = 7; // accounts with fewer successful sign-ins in the baseline are treated as not established
// Build baseline of known IPs and countries per user over the lookback window, excluding the alert window
let historicalBaseline = SigninLogs
| where TimeGenerated between (ago(lookbackDays) .. ago(alertWindowHours))
| where ResultType == 0
| extend UserPrincipalName = tolower(UserPrincipalName) // UPN case varies between sign-ins; normalise before joining
| summarize
HistoricalIPs = make_set(IPAddress, 500),
HistoricalCountries = make_set(Location, 100),
HistoricalSignins = count(),
FirstSeen = min(TimeGenerated)
by UserPrincipalName;
// Identify recent successful sign-ins that Identity Protection flagged as risky.
// Risk detection names live in RiskEventTypes_V2 (dynamic array), not in RiskDetail,
// which only records how/why a risk state was remediated.
let recentHighRiskSignins = SigninLogs
| where TimeGenerated > ago(alertWindowHours)
| where ResultType == 0
| extend UserPrincipalName = tolower(UserPrincipalName)
| where RiskLevelDuringSignIn in ("high", "medium")
or RiskState in ("atRisk", "confirmedCompromised")
or RiskEventTypes_V2 has_any ("unfamiliarFeatures", "anonymizedIPAddress", "maliciousIPAddress", "impossibleTravel", "newCountry")
| project
TimeGenerated,
UserPrincipalName,
IPAddress,
Location,
AppDisplayName,
DeviceDetail = tostring(DeviceDetail),
RiskLevelDuringSignIn,
RiskState,
RiskEventTypes = tostring(RiskEventTypes_V2),
AuthenticationRequirement,
ConditionalAccessStatus,
CorrelationId;
// Join to baseline — keep established accounts signing in from an IP never seen for them;
// inner join drops accounts with no history at all, which the established-account filter would discard anyway
recentHighRiskSignins
| join kind=inner historicalBaseline on UserPrincipalName
| where HistoricalSignins > minHistoricalSignins
| where not(set_has_element(HistoricalIPs, IPAddress))
| extend NewCountry = not(set_has_element(HistoricalCountries, Location))
| extend
// confirmedCompromised or high = 3, medium = 2, anything else = 1; a never-seen country adds 1,
// so a low-level "atRisk" sign-in still alerts when both IP and country are new
RiskScore = case(
RiskState == "confirmedCompromised", 3,
RiskLevelDuringSignIn == "high", 3,
RiskLevelDuringSignIn == "medium", 2,
1
) + iff(NewCountry, 1, 0),
NewGeolocation = strcat(iff(NewCountry, "New country and IP for this account: ", "New IP for this account: "), Location, " / ", IPAddress),
BrokerIndicators = case(
RiskEventTypes has "anonymizedIPAddress", "TOR/VPN exit node — common IAB delivery mechanism",
RiskEventTypes has "maliciousIPAddress", "Known malicious IP — potential broker infrastructure",
RiskEventTypes has "impossibleTravel", "Impossible travel — credential handoff to remote threat actor",
RiskEventTypes has "newCountry", "New country logon — new actor using acquired creds",
"High-risk sign-in from unknown location"
)
| where RiskScore >= 2
| project
TimeGenerated,
UserPrincipalName,
IPAddress,
Location,
AppDisplayName,
AuthenticationRequirement,
RiskLevelDuringSignIn,
RiskState,
RiskEventTypes,
RiskScore,
BrokerIndicators,
NewGeolocation,
ConditionalAccessStatus,
FirstSeen,
CorrelationId
| order by TimeGenerated desc
Detects activation of IAB-sold access by correlating Azure AD Identity Protection risk signals (impossible travel, anonymous IP, new country) with first-appearance logons from IPs never previously seen for established accounts, scoring a never-seen country on top. This pattern is the operational signature of a purchased credential or backdoor being activated by a new threat actor. Note that the query only covers the identity half of the description above: web shell process ancestry and external remote service sessions need companion rules over endpoint and Windows Security telemetry.
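To make the baseline-and-score logic testable without a workspace, the following is an added Python re-implementation of the same rule (it is not part of the original Sentinel content). It builds the per-user IP/country baseline over the lookback window minus the alert window, applies the established-account threshold, requires a never-seen IP, and scores risk the same way, then runs over a constructed set of sign-in records whose field names mirror SigninLogs columns. Users, IPs and timestamps are invented.

```python
"""Offline re-implementation of the SigninLogs T1650 rule over constructed records.
Added example, not the rule itself; every record and identifier below is made up."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)  # fixed clock so the run is deterministic
LOOKBACK = timedelta(days=30)
ALERT_WINDOW = timedelta(hours=24)
MIN_HISTORICAL_SIGNINS = 7  # same threshold as the KQL
RISK_EVENTS = {"unfamiliarFeatures", "anonymizedIPAddress", "maliciousIPAddress",
               "impossibleTravel", "newCountry"}
INDICATORS = [  # first match wins, mirroring the KQL case()
    ("anonymizedIPAddress", "TOR/VPN exit node"),
    ("maliciousIPAddress", "Known malicious IP"),
    ("impossibleTravel", "Impossible travel"),
    ("newCountry", "New country logon"),
]


def build_baseline(events, now=NOW):
    """Known IPs/countries and sign-in count per lower-cased UPN, successful sign-ins in [now-30d, now-24h)."""
    baseline = defaultdict(lambda: {"ips": set(), "countries": set(), "count": 0})
    start, end = now - LOOKBACK, now - ALERT_WINDOW
    for ev in events:
        if ev["ResultType"] != 0 or not (start <= ev["TimeGenerated"] < end):
            continue
        b = baseline[ev["UserPrincipalName"].lower()]
        b["ips"].add(ev["IPAddress"])
        b["countries"].add(ev["Location"])
        b["count"] += 1
    return baseline


def risk_score(ev, new_country):
    """confirmedCompromised or high = 3, medium = 2, else 1; a never-seen country adds 1."""
    base = 3 if ev["RiskState"] == "confirmedCompromised" else \
        {"high": 3, "medium": 2}.get(ev["RiskLevelDuringSignIn"], 1)
    return base + (1 if new_country else 0)


def broker_indicator(event_types):
    for key, text in INDICATORS:
        if key in event_types:
            return text
    return "High-risk sign-in from unknown location"


def detect(events, now=NOW):
    """Alerts (newest first) for risky first-use sign-ins by established accounts."""
    baseline = build_baseline(events, now)
    alerts = []
    for ev in events:
        if ev["ResultType"] != 0 or ev["TimeGenerated"] <= now - ALERT_WINDOW:
            continue  # only successful sign-ins inside the alert window
        risky = (ev["RiskLevelDuringSignIn"] in ("high", "medium")
                 or ev["RiskState"] in ("atRisk", "confirmedCompromised")
                 or RISK_EVENTS & set(ev["RiskEventTypes_V2"]))
        if not risky:
            continue
        b = baseline.get(ev["UserPrincipalName"].lower())  # .get() does not create an entry
        if b is None or b["count"] <= MIN_HISTORICAL_SIGNINS:
            continue  # new or barely used account: no baseline to deviate from
        if ev["IPAddress"] in b["ips"]:
            continue  # known IP for this account: not a first-use logon
        new_country = ev["Location"] not in b["countries"]
        score = risk_score(ev, new_country)
        if score < 2:
            continue
        alerts.append({"TimeGenerated": ev["TimeGenerated"], "UserPrincipalName": ev["UserPrincipalName"],
                       "IPAddress": ev["IPAddress"], "Location": ev["Location"], "NewCountry": new_country,
                       "RiskScore": score, "BrokerIndicator": broker_indicator(ev["RiskEventTypes_V2"])})
    return sorted(alerts, key=lambda a: a["TimeGenerated"], reverse=True)


# --- constructed sample data (not real telemetry) ---
def _signin(upn, ip, country, when, result=0, risk="none", state="none", events=()):
    return {"TimeGenerated": when, "UserPrincipalName": upn, "IPAddress": ip, "Location": country,
            "ResultType": result, "RiskLevelDuringSignIn": risk, "RiskState": state,
            "RiskEventTypes_V2": list(events)}


def _history(upn, ip, country, n):  # n successful sign-ins on days 2..n+1 before NOW
    return [_signin(upn, ip, country, NOW - timedelta(days=d)) for d in range(2, n + 2)]


H = timedelta(hours=1)
SAMPLE_EVENTS = (
    _history("alice@example.com", "203.0.113.10", "US", 10) + _history("bob@example.com", "203.0.113.20", "US", 2)
    + _history("carol@example.com", "203.0.113.30", "US", 9) + _history("dave@example.com", "203.0.113.40", "US", 9) + [
    _signin("alice@example.com", "198.51.100.77", "NL", NOW - 3 * H, risk="medium", state="atRisk",
            events=("unfamiliarFeatures", "newCountry")),          # new IP + new country, medium -> alert (3)
    _signin("alice@example.com", "203.0.113.10", "US", NOW - 2 * H, risk="high", state="atRisk",
            events=("unfamiliarFeatures",)),                        # high risk but her usual IP -> suppressed
    _signin("bob@example.com", "198.51.100.5", "RU", NOW - 1 * H, risk="high", state="atRisk",
            events=("anonymizedIPAddress",)),                       # only 2 historical sign-ins -> suppressed
    _signin("carol@example.com", "198.51.100.9", "US", NOW - 5 * H, risk="low", state="atRisk",
            events=("unfamiliarFeatures",)),                        # new IP, known country, low -> score 1, suppressed
    _signin("dave@example.com", "198.51.100.12", "BR", NOW - 6 * H, risk="low", state="atRisk",
            events=("newCountry",)),                                # low but new IP and country -> score 2, alert
    _signin("alice@example.com", "198.51.100.99", "CN", NOW - 4 * H, result=50126, risk="high",
            state="atRisk", events=("maliciousIPAddress",)),        # failed sign-in -> ignored
])

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the module prints two alerts, alice's medium-risk Netherlands sign-in (score 3) and dave's low-level but new-country sign-in (score 2); the known-IP, immature-account, known-country and failed cases are all suppressed, which is the tuning behaviour to verify in the workspace before enabling the rule.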
Data Sources
Required Tables
- SigninLogs (Azure AD / Microsoft Entra ID interactive sign-in logs, ingested through the Azure Active Directory data connector; the Identity Protection risk columns the query relies on require Entra ID P2 licensing)
False Positives & Tuning
- Legitimate employee travel to a new country using personal or hotel WiFi triggering new geolocation detection
- Corporate VPN exit node changes or new VPN infrastructure rollout causing unfamiliar IP signals
- IT administrators using anonymizing proxies or jump hosts for infrastructure management from new regions
- Employees just past the established-account threshold logging on from a home network or coworking space that has not yet entered the 30-day baseline
- Mergers/acquisitions onboarding new users from previously unseen IP ranges
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Only Test 1 produces the SigninLogs telemetry the query above reads; Tests 2 and 3 exercise endpoint and Windows Security telemetry that needs companion rules over DeviceProcessEvents/Sysmon and SecurityEvent.
- Test 1: Simulate IAB Credential Use — New Geolocation Authentication via VPN Exit Node
Expected signal: SigninLogs entry with ResultType=0, RiskLevelDuringSignIn='medium' or 'high', RiskEventTypes_V2 containing 'unfamiliarFeatures' or 'anonymizedIPAddress' if using VPN. Sign-in should appear in Identity Protection risk detections. The test account needs more than 7 successful sign-ins in the previous 30 days, from a different IP, or the established-account filter suppresses it.
- Test 2: Web Shell Activation Simulation — IIS Spawning Command Shell
Expected signal: Sysmon Event ID 1 (Process Create) with ParentImage=w3wp.exe and Image=cmd.exe. DeviceProcessEvents entry showing InitiatingProcessFileName=w3wp.exe and FileName=cmd.exe. Sysmon Event ID 3 (Network Connection) from w3wp.exe to localhost.
- Test 3: Dormant Account Reactivation Simulation — RDP from New External IP
Expected signal: Windows Security Event 4624 on target server with Logon Type 10 (RemoteInteractive) or Type 3 (Network), showing the external test IP as the source. Also generates 4776 (NTLM credential validation) and 4672 (special privileges assigned) if the test account has elevated rights.
References
- https://attack.mitre.org/techniques/T1650/
- https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
- https://www.crowdstrike.com/blog/access-brokers-who-are-they-and-how-do-they-operate/
- https://krebsonsecurity.com/2021/06/arrests-tied-to-cybercrime-forums-romanticized-on-underground-boards/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a
- https://unit42.paloaltonetworks.com/medusa-ransomware-threat-group/