medium advisory

Detect Windows Entra User Management Via Azure CLI

This analytic detects the usage of the Azure CLI to interact with user accounts, such as creating or deleting a user, potentially indicating malicious activity aimed at maintaining persistence and evading detection within an Entra ID environment.

This detection identifies the use of the Azure CLI on Windows systems to manage Entra ID user accounts. Threat actors may leverage the Azure CLI to create or manipulate user accounts for persistence, privilege escalation, or to maintain a covert presence within a compromised environment. This activity may be part of a larger attack chain targeting cloud resources and sensitive data. While legitimate administrative use of the Azure CLI is expected, anomalous execution patterns, unexpected users, or unusual parent processes should be carefully scrutinized. The detection focuses on the az.cmd and azure.cli processes, filtering for command-line arguments related to Active Directory (ad) and user management (user). Successful exploitation can lead to unauthorized access, data breaches, and long-term compromise of cloud resources.

Attack Chain

  1. An attacker gains initial access to a compromised Windows system, potentially through phishing or exploitation of a software vulnerability.
  2. The attacker installs or leverages an existing installation of the Azure CLI.
  3. The attacker authenticates to Azure using compromised credentials or a service principal.
  4. The attacker executes the az ad user create command to create a new user account in Entra ID.
  5. The attacker assigns the newly created user account elevated privileges, such as Global Administrator, using az ad role assignment create.
  6. The attacker uses the newly created account to access sensitive cloud resources, such as Azure VMs, storage accounts, or databases.
  7. The attacker may modify existing user accounts using az ad user update to add backdoors or modify authentication methods.
  8. The attacker uses these accounts for lateral movement and further exploitation within the Azure environment, bypassing MFA if possible.

Impact

Successful exploitation allows attackers to create rogue accounts within the Entra ID environment, granting them persistent access even if the original compromised account is disabled. This can lead to unauthorized access to sensitive data, disruption of services, and long-term compromise of the organization’s cloud infrastructure. The impact can range from data breaches and financial loss to reputational damage and legal liabilities. Depending on the permissions granted to the attacker-created users, the blast radius can encompass the entire Entra ID tenant and connected resources.

Recommendation

  • Enable Sysmon process-creation logging with command-line auditing to capture the execution of Azure CLI commands (Sysmon EventID 1).
  • Deploy the Sigma rule Detect Entra User Management via Azure CLI to your SIEM and tune for your environment.
  • Monitor Windows Event Log Security events with ID 4688 for process creation events related to Azure CLI.
  • Investigate any alerts generated by the Sigma rule, focusing on unusual parent processes, unexpected users, and anomalous execution patterns.
  • Implement multi-factor authentication (MFA) for all user accounts, including administrative accounts, to mitigate the risk of credential compromise.
  • Review and restrict Azure AD role assignments to follow the principle of least privilege.

Detection coverage (2 rules)

Detect Entra User Management via Azure CLI

medium

Detects the creation or modification of Entra ID users via the Azure CLI on Windows systems, indicating potential malicious activity.

Format: Sigma
Tactics: credential_access, defense_evasion, persistence
Techniques: T1078.004, T1098, T1136
Sources: process_creation, windows

Detect Azure CLI User Creation with Unusual Parent Process

high

Detects Azure CLI commands used to create users when launched from unusual parent processes.

Format: Sigma
Tactics: persistence
Techniques: T1078.004, T1136
Sources: process_creation, windows
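The two rules above are kept inside the vendor's platform, so the following is an added illustration of the detection logic they describe, written for this page and not the vendor's own Sigma content. It evaluates Windows process-creation records (field names follow Sysmon Event ID 1: Image, CommandLine, ParentImage, User) against both rules: the medium-severity match on az.cmd / azure.cli with "ad user" arguments, and the high-severity match when a user-creation call is launched from a parent outside an expected set. Matching on adjacent command-line tokens rather than substrings is a deliberate tuning choice so that "az ad signed-in-user show" or a path that merely contains "ad" does not fire. The restriction to the create/update/delete verbs, the parent-process allowlist, the azure.cli path and every sample event are constructed assumptions for the example, not telemetry from the page.

```python
"""Toy detection for Azure CLI Entra user management in Windows process-creation events.

Added example; field names follow Sysmon Event ID 1 (Image, CommandLine,
ParentImage, User). The sample events below are constructed, not real telemetry.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

# Launcher image names the advisory calls out for the Azure CLI.
AZ_CLI_IMAGES = {"az.cmd", "azure.cli"}

# 'az ad user <verb>' verbs treated as creation/modification (assumption for this
# example; read-only verbs such as 'list' and 'show' are excluded to limit noise).
USER_MGMT_VERBS = {"create", "update", "delete"}

# Parents from which interactive Azure CLI use is expected (constructed allowlist; tune it).
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe", "explorer.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    user: str
    parent: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating quotes and forward slashes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(command_line: str) -> list:
    """Split a Windows command line into arguments; posix=False keeps backslashes literal."""
    try:
        raw = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quote in the logged command line
        raw = command_line.split()
    return [t.strip('"').lower() for t in raw]


def az_user_verb(event: dict) -> Optional[str]:
    """Return the verb of an 'az ad user <verb>' call if the event is one, else None."""
    if _basename(event.get("Image", "")) not in AZ_CLI_IMAGES:
        return None
    toks = _tokens(event.get("CommandLine", ""))
    for i in range(len(toks) - 2):
        if toks[i] == "ad" and toks[i + 1] == "user":
            return toks[i + 2] if toks[i + 2] in USER_MGMT_VERBS else None
    return None


def evaluate(event: dict) -> list:
    """Apply both rules from the advisory's detection coverage to one event."""
    verb = az_user_verb(event)
    if verb is None:
        return []
    ctx = dict(user=event.get("User", "?"),
               parent=_basename(event.get("ParentImage", "")),
               command_line=event.get("CommandLine", ""))
    alerts = [Alert("Detect Entra User Management via Azure CLI", "medium", **ctx)]
    # Second rule: user creation from a parent that is not a normal shell/terminal.
    if verb == "create" and ctx["parent"] not in EXPECTED_PARENTS:
        alerts.append(Alert("Detect Azure CLI User Creation with Unusual Parent Process", "high", **ctx))
    return alerts


def scan(events) -> list:
    """Evaluate a batch of events and return every alert raised, in event order."""
    return [alert for event in events for alert in evaluate(event)]


AZ = r"C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd"
SAMPLE_EVENTS = [  # constructed sample records
    {"Image": AZ, "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe",
     "CommandLine": f'"{AZ}" ad user create --display-name "Backup Service" --user-principal-name backup.svc@example.test'},
    {"Image": AZ, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\jdoe",
     "CommandLine": f'"{AZ}" ad user list --output table'},
    {"Image": AZ, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "User": r"CORP\asmith",
     "CommandLine": f'"{AZ}" ad user create --display-name helpdesk2 --user-principal-name helpdesk2@example.test'},
    {"Image": r"C:\Tools\azure.cli", "ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe", "User": r"CORP\jdoe",
     "CommandLine": r"azure.cli ad user update --id helpdesk2@example.test --account-enabled true"},
    {"Image": AZ, "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe",
     "CommandLine": f'"{AZ}" ad signed-in-user show'},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe",
     "CommandLine": r"notepad.exe ad user create notes.txt"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity:6}] {a.rule} | user={a.user} parent={a.parent}")
```

Against the constructed sample set, the script raises three medium alerts and one high alert; the "list", "signed-in-user show" and notepad.exe records are ignored. The same token logic translates directly into a Sigma `process_creation` rule: `Image|endswith` on the two launcher names plus a `CommandLine|contains|all` on the "ad" and "user" arguments, with the verb and parent conditions as additional selections.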
