Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-EntraID-ExtortionLockout.
Upgrade to ProDetect Entra ID Mass Password Reset and Account Disablement for Extortion Lockout in Google Chronicle
Ransomware and extortion crews that have escalated to Global Administrator or Privileged Authentication Administrator in Entra ID (Azure AD) frequently take a final step before or during encryption: locking legitimate defenders and end users out of the tenant so incident response is slowed and the negotiation position is strengthened. Observed patterns (Scattered Spider, Lapsus$, and multiple ransomware affiliates operating from compromised cloud-admin sessions) include scripted, back-to-back calls against a large number of distinct user objects in a short window — admin-initiated password resets (`Reset password (by admin)` / `Change user password`), account disablement (`Disable account`), and outright user deletion (`Delete user`) — usually from a single initiating identity or a small number of newly-elevated identities, often followed by revocation of the legitimate admins' own refresh tokens. This differs sharply from normal offboarding/HR-driven account changes, which are typically initiated by an HR-integration service principal or IT helpdesk staff against one or a handful of accounts per day, not dozens of distinct users within minutes from a single caller. Detection relies on Entra ID audit logs (the `AuditLogs` table in Microsoft Sentinel / Log Analytics, or the equivalent audit event stream ingested into other SIEMs), correlating a burst of these operations against a high count of distinct target users from the same initiating identity.
MITRE ATT&CK
- Tactic
- Impact
YARA-L Detection Query
rule entra_id_extortion_lockout {
meta:
author = "df00tech Detection Engineering"
description = "Detects a single identity performing password resets and/or deletions against many distinct Entra ID user accounts within a short window, consistent with extortion-driven lockout"
reference = "https://attack.mitre.org/techniques/T1531/"
severity = "CRITICAL"
priority = "HIGH"
mitre_attack_tactic = "Impact"
mitre_attack_technique = "T1531"
false_positives = "Scheduled HR offboarding, break-glass reset campaigns, Lifecycle Workflows, tenant consolidation"
version = "1.0"
events:
$e.metadata.event_type = "USER_CHANGE_PASSWORD" or $e.metadata.event_type = "USER_DELETION"
$e.metadata.product_name = "Microsoft Entra ID"
$e.security_result.action = "ALLOW"
$initiator = $e.principal.user.userid
$target = $e.target.user.userid
match:
$initiator over 15m
outcome:
$distinct_targets = count_distinct($target)
condition:
$e and $distinct_targets >= 5
} Chronicle YARA-L 2.0 rule matching USER_CHANGE_PASSWORD and USER_DELETION UDM events from the Entra ID (Microsoft Entra ID) audit log parser, grouped by initiating principal over a 15-minute match window. Fires when the same initiator triggers password-change or deletion events against 5 or more distinct target users. Account-disablement operations are typically parsed under USER_CHANGE_PERMISSIONS or a product-specific event_type in Chronicle depending on the exact Entra ID parser version in use — extend the events block with that event_type once confirmed against your Chronicle instance's UDM mapping.
Data Sources
Required Tables
False Positives & Tuning
- Scheduled bulk offboarding by an authorized HR/IT automation service principal
- Defensive break-glass password reset campaign after a confirmed credential-stuffing incident
- Entra ID Lifecycle Workflows disabling accounts in bulk
- Tenant consolidation/decommissioning projects with bulk account changes
Other platforms for THREAT-EntraID-ExtortionLockout
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Bulk Password Reset Against Test Accounts
Expected signal: AuditLogs entries with OperationName='Reset password (by admin)' or 'Change user password', Result='success', InitiatedBy matching the test admin identity, and TargetResources[0].userPrincipalName matching each test account, all within a few minutes of each other.
- Test 2Simulate Bulk Account Disablement Against Test Accounts
Expected signal: AuditLogs entries with OperationName='Disable account', Result='success', for each of the five test accounts within a short window.
- Test 3Simulate Privilege Activation Immediately Followed by Lockout Actions
Expected signal: AuditLogs entries for 'Add member to role' (or 'Add eligible member to role') for the test admin identity, followed within minutes by a 'Disable account' entry initiated by that same identity.
References (6)
- https://attack.mitre.org/techniques/T1531/
- https://attack.mitre.org/tactics/TA0040/
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-change-default-settings
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-EntraID-ExtortionLockout — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month