Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-EntraID-ExtortionLockout.
Upgrade to ProAccount Access Removal — Entra ID Mass Password Reset and Account Disablement for Extortion Lockout
Ransomware and extortion crews that have escalated to Global Administrator or Privileged Authentication Administrator in Entra ID (Azure AD) frequently take a final step before or during encryption: locking legitimate defenders and end users out of the tenant so incident response is slowed and the negotiation position is strengthened. Observed patterns (Scattered Spider, Lapsus$, and multiple ransomware affiliates operating from compromised cloud-admin sessions) include scripted, back-to-back calls against a large number of distinct user objects in a short window — admin-initiated password resets (`Reset password (by admin)` / `Change user password`), account disablement (`Disable account`), and outright user deletion (`Delete user`) — usually from a single initiating identity or a small number of newly-elevated identities, often followed by revocation of the legitimate admins' own refresh tokens. This differs sharply from normal offboarding/HR-driven account changes, which are typically initiated by an HR-integration service principal or IT helpdesk staff against one or a handful of accounts per day, not dozens of distinct users within minutes from a single caller. Detection relies on Entra ID audit logs (the `AuditLogs` table in Microsoft Sentinel / Log Analytics, or the equivalent audit event stream ingested into other SIEMs), correlating a burst of these operations against a high count of distinct target users from the same initiating identity.
What is THREAT-EntraID-ExtortionLockout Entra ID Mass Password Reset and Account Disablement for Extortion Lockout?
Entra ID Mass Password Reset and Account Disablement for Extortion Lockout (THREAT-EntraID-ExtortionLockout) is a sub-technique of Account Access Removal (T1531) in the MITRE ATT&CK framework. It maps to the Impact tactic — the adversary is trying to manipulate, interrupt, or destroy your systems and data.
This page provides production-ready detection logic for Entra ID Mass Password Reset and Account Disablement for Extortion Lockout, covering the data sources and telemetry it touches: Microsoft Entra ID (Azure AD) Audit Logs, Microsoft Sentinel AuditLogs table (Azure AD diagnostic setting: AuditLogs category). The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Impact
// THREAT-EntraID-ExtortionLockout (T1531 Account Access Removal - Entra ID control plane)
let Lookback = 2h;
let BurstWindow = 15m;
let MinDistinctTargets = 5;
AuditLogs
| where TimeGenerated > ago(Lookback)
| where OperationName in ("Reset password (by admin)", "Change user password", "Disable account", "Delete user")
| where Result == "success"
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingApp = tostring(InitiatedBy.app.displayName)
| extend Initiator = iif(isnotempty(InitiatingUser), InitiatingUser, InitiatingApp)
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| where isnotempty(TargetUser)
| summarize ActionCount = count(), DistinctTargets = dcount(TargetUser), Actions = make_set(OperationName), TargetSample = make_set(TargetUser, 15) by Initiator, bin(TimeGenerated, BurstWindow)
| where DistinctTargets >= MinDistinctTargets
| sort by DistinctTargets desc, TimeGenerated desc Flags a single initiating identity (user or service principal) performing password resets, account disablement, and/or user deletion against 5 or more distinct target users within a 15-minute window, using Entra ID audit events forwarded to the AuditLogs table. Normal helpdesk password-reset volume is one user at a time in response to a ticket; extortion-driven lockout is scripted and hits many accounts almost simultaneously from the same caller. Combining the three operation types in one summarize also catches a mixed sequence (reset some accounts, disable others, delete a few) which a single-operation-type rule would miss.
Data Sources
Required Tables
False Positives
- HR-driven bulk offboarding events (e.g. a layoff or contractor batch expiration) run by an authorized IT automation/service principal against a known list of accounts on a scheduled date
- Break-glass password reset campaigns following a confirmed credential-stuffing incident, where IT intentionally resets many accounts in a short window as a defensive measure
- Identity governance / access-review workflows (e.g. Entra ID Lifecycle Workflows) that disable accounts in bulk based on an HR feed
- Merger/acquisition tenant consolidation projects that deliberately disable or delete a batch of accounts from a decommissioned tenant
Sigma rule & cross-platform mapping
The detection logic for Entra ID Mass Password Reset and Account Disablement for Extortion Lockout (THREAT-EntraID-ExtortionLockout) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
product: azure Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for THREAT-EntraID-ExtortionLockout
References (6)
- https://attack.mitre.org/techniques/T1531/
- https://attack.mitre.org/tactics/TA0040/
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-change-default-settings
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Bulk Password Reset Against Test Accounts
Expected signal: AuditLogs entries with OperationName='Reset password (by admin)' or 'Change user password', Result='success', InitiatedBy matching the test admin identity, and TargetResources[0].userPrincipalName matching each test account, all within a few minutes of each other.
- Test 2Simulate Bulk Account Disablement Against Test Accounts
Expected signal: AuditLogs entries with OperationName='Disable account', Result='success', for each of the five test accounts within a short window.
- Test 3Simulate Privilege Activation Immediately Followed by Lockout Actions
Expected signal: AuditLogs entries for 'Add member to role' (or 'Add eligible member to role') for the test admin identity, followed within minutes by a 'Disable account' entry initiated by that same identity.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-EntraID-ExtortionLockout — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month