HOWTO: Hunt for abuse of Azure AD Connect’s AD Connector account


Azure AD Connect Sync uses three separate accounts. Its AD Connector account holds several permissions that warrant a closer look at how the account can be abused. Of course, we’ll need command lines to hunt for any misuse.

About the AD Connector account

Since Azure AD Connect version 1.4.18.0, using an account that is a member of Enterprise Admins and/or Domain Admins as the AD Connector account is no longer supported.

As John McCash pointed out in the comments, any account with the 'Replicate Directory Changes All' delegated permission is effectively a Domain Admin account, and should be secured appropriately. While John points to the Active Directory administrative tier model, it’s not a true ‘Assume breach’ perspective. Let’s provide this perspective today.
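Before hunting for misuse, it is worth verifying the two points above: that the AD Connector account is not (nested) in Domain Admins, Enterprise Admins or Administrators, and which principals actually hold the replication rights on each domain’s naming context. The following Windows PowerShell is an added example, not part of the original post or of Azure AD Connect; the "baseline" list of expected holders is an assumption you should adjust to your environment.

```powershell
Import-Module ActiveDirectory
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

# Extended-right GUIDs for the two replication permissions; a principal holding both on a domain's
# naming context can replicate every secret in that domain, hence "effectively a Domain Admin".
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

$Connector = Get-ADSyncADConnectorAccount
$Acc       = $Connector.ADConnectorAccountName
$AccDomain = $Connector.ADConnectorAccountDomain
$Forest    = Get-ADForest

# Check 1: the AD Connector account must not be a (nested) member of the highly privileged groups.
$Checks = @(
    @{ Group = 'Domain Admins';     Server = $AccDomain },
    @{ Group = 'Administrators';    Server = $AccDomain },
    @{ Group = 'Enterprise Admins'; Server = $Forest.RootDomain }
)
ForEach ($c in $Checks) {
    $Hit = Get-ADGroupMember -Identity $c.Group -Server $c.Server -Recursive |
           Where-Object { $_.SamAccountName -eq $Acc }
    if ($Hit) { Write-Warning "$Acc is a (nested) member of $($c.Group) in $($c.Server): unsupported configuration" }
}

# Check 2: who holds the replication rights on each domain's naming context? The baseline below is an
# assumption (built-in DC groups, Administrators, the admin groups and the connector account itself);
# every other holder is something to explain or remove.
$Baseline = @('Domain Controllers','Enterprise Domain Controllers','Administrators',
              'Domain Admins','Enterprise Admins',$Acc)
ForEach ($d in $Forest.Domains) {
    $NC = (Get-ADDomain -Server $d).DistinguishedName
    $SD = (Get-ADObject -Identity $NC -Server $d -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $SD.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                       $ReplRights.ContainsKey($_.ObjectType.ToString()) } |
        ForEach-Object {
            $Who   = $_.IdentityReference.Value          # e.g. CONTOSO\<connector account> or BUILTIN\Administrators
            $Short = $Who -replace '^.*\\', ''
            [PSCustomObject]@{
                Domain    = $d
                Principal = $Who
                Right     = $ReplRights[$_.ObjectType.ToString()]
                Status    = if ($Baseline -contains $Short) { 'baseline' } else { 'REVIEW' }
            }
        }
}
```

Any row with Status REVIEW is a principal that can replicate secrets out of that domain and deserves the same protection (and the same hunting) as the AD Connector account itself.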

The AD Connector account is only used to connect to Active Directory by Azure AD Connect. Typically, on Domain Controllers you would only see sign-ins from this account originating from the Azure AD Connect server and all sign-ins would be network sessions (logon type 3). On the Azure AD Connect server itself, you should not see any other type of sign-ins.

Now that we know what the audit trail should look like, we can hunt for anomalies in the event logs of Domain Controllers and Azure AD Connect servers.

Hunting in the Event Logs

For this purpose, we’ll use Windows PowerShell from the Azure AD Connect server to look at the event logs that might be of interest.

Hunt for sign-ins other than network logon sessions on all Domain Controllers

As the AD Connector account targets Active Directory Domain Controllers, you’re bound to see logon events on these servers. However, we want to hunt for all sign-ins that are not network sign-ins. We can use the following lines of Windows PowerShell on the Azure AD Connect server to interrogate each Domain Controller in the environment for all logon sessions that were not network sessions (logon type 3):

Note:
I’m assuming you have the Windows PowerShell module for Active Directory installed on the Windows Server running Azure AD Connect.

Note:
I’m assuming the Windows Firewall on the Domain Controllers allows remote event log management over RPC.

Import-Module ActiveDirectory
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

# The sAMAccountName of the AD Connector account, read from Azure AD Connect's own configuration
$Acc = (Get-ADSyncADConnectorAccount).ADConnectorAccountName

# Enumerate every Domain Controller in every domain of the forest (-Server targets each domain in turn;
# the FQDN is used so that Domain Controllers in other domains resolve)
$domains = (Get-ADForest).Domains
$DCs = ForEach ($domain in $domains) {
    Get-ADDomainController -Server $domain -Filter * | Select-Object -ExpandProperty HostName
}
$DCs = $DCs | Sort-Object -Unique

# The XPath filter is built in a double-quoted string so that $Acc is expanded;
# the single quotes inside are XPath string literals
$XPath = "Event[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='$Acc'] and EventData[Data[@Name='LogonType']!=3]]"

ForEach ($DC in $DCs) {
    Get-WinEvent -ComputerName $DC -LogName Security -FilterXPath $XPath
}

Hunt for sign-ins from devices other than the Azure AD Connect server

The same method can be applied to find sign-ins that originate from devices other than the Azure AD Connect server. The following lines of Windows PowerShell determine the IP address of the Azure AD Connect server themselves; run them on the Azure AD Connect server to interrogate each Domain Controller in the environment:

Note:
I’m assuming you have the Windows PowerShell module for Active Directory installed on the Windows Server running Azure AD Connect.

Note:
I’m assuming the Windows Firewall on the Domain Controllers allows remote event log management over RPC.

Import-Module ActiveDirectory
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

# The IPv4 address of this (Azure AD Connect) server, the only source address we expect on the Domain Controllers
$IP = (Test-Connection -ComputerName (hostname) -Count 1).IPv4Address.IPAddressToString

# The sAMAccountName of the AD Connector account, read from Azure AD Connect's own configuration
$Acc = (Get-ADSyncADConnectorAccount).ADConnectorAccountName

# Enumerate every Domain Controller in every domain of the forest (-Server targets each domain in turn)
$domains = (Get-ADForest).Domains
$DCs = ForEach ($domain in $domains) {
    Get-ADDomainController -Server $domain -Filter * | Select-Object -ExpandProperty HostName
}
$DCs = $DCs | Sort-Object -Unique

# Double-quoted so that $Acc and $IP are expanded; single quotes inside are XPath string literals
$XPath = "Event[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='$Acc'] and EventData[Data[@Name='IpAddress']!='$IP']]"

ForEach ($DC in $DCs) {
    Get-WinEvent -ComputerName $DC -LogName Security -FilterXPath $XPath
}

Hunt for interactive logons on the Azure AD Connect server

To find logon events for the AD Connector account, we can use the following lines of Windows PowerShell on the Azure AD Connect server:

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

$Acc = (Get-ADSyncADConnectorAccount).ADConnectorAccountName

# The wildcard pattern is double-quoted so that $Acc is expanded into it
Get-EventLog -LogName Security -InstanceId 4624,4625 -Message "*$Acc*"

As normal operations on Windows Servers running Azure AD Connect would only generate events with EventID 4648 for this account, you would not expect events that indicate successful logons (EventID 4624) or failed logons (EventID 4625). We can filter on these characteristics. We do so in the above lines of Windows PowerShell, after we get the AD Connector account from Azure AD Connect’s configuration.

Concluding

The above lines of Windows PowerShell can be used to test your breach hypothesis. These lines of Windows PowerShell should not provide any feedback or provide the following output:

No events were found that match the specified selection criteria.

If so, good job!
