Skip to content
Threat Feed
high advisory

Azure AD Account Enabled and Password Reset for Backdoor

Detection of an Azure AD user enabling a disabled account and immediately resetting the password, indicating a potential backdoor being established by an adversary with administrative access.

This threat brief addresses the potential for adversaries to establish persistent backdoors within Azure Active Directory (Azure AD) environments. The described activity involves an actor with administrative privileges enabling a previously disabled user account and then immediately resetting the password. This sequence, occurring within a short timeframe (2 minutes), is highly suspicious. While legitimate administrators may occasionally perform these actions, the speed and combination of events raise concerns about unauthorized access and the creation of a backdoor account for later use. This activity allows an attacker to maintain persistent access, escalate privileges, and potentially exfiltrate sensitive information. The detection focuses on Azure Active Directory events related to account enabling, password resets, and user updates.

Attack Chain

  1. Initial Compromise: An adversary gains initial administrative access to the Azure AD tenant through compromised credentials or a vulnerability.
  2. Account Discovery: The attacker identifies a disabled or inactive user account within Azure AD.
  3. Account Enabling: The attacker uses their administrative privileges to enable the disabled user account via the "Enable account" operation.
  4. Password Reset: Immediately following account enablement, the attacker resets the password for the enabled account using the "Reset password (by admin)" operation.
  5. Credential Hardening (Optional): The attacker may update the user's profile (e.g., adding MFA or alternate email) via the "Update user" operation to further secure the backdoor account.
  6. Privilege Escalation (Later): The attacker utilizes the newly enabled and controlled account to escalate privileges within the Azure AD environment.
  7. Lateral Movement (Later): The attacker leverages the compromised account to move laterally within the network and access sensitive resources.
  8. Persistence: The attacker maintains persistent access to the Azure AD environment through the compromised account, allowing them to return at will.

Impact

Successful exploitation can lead to persistent unauthorized access to the Azure AD environment. This allows attackers to steal sensitive data, escalate privileges to other accounts, and disrupt business operations. The number of victims depends on the scope of access granted to the compromised account. This attack primarily targets organizations leveraging Azure AD for identity and access management.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect suspicious account enabling and password reset sequences in Azure AD logs.
  • Investigate any alerts generated by the Sigma rule, focusing on the administrator (initiatedBy) and the target user account (user).
  • Implement multi-factor authentication (MFA) for all administrative accounts to mitigate credential compromise (Reference: T1098 technique).
  • Review Azure AD audit logs for unusual activity patterns, especially those involving account modifications.
  • Monitor for the "Enable account", "Reset password (by admin)", and "Update user" operations in Azure AD logs (data_source).

Detection coverage 2

Azure AD User Enabled and Password Reset within 2 Minutes

high

Detects an Azure AD user enabling a disabled account and resetting its password within 2 minutes.

sigma tactics: persistence techniques: T1098 sources: cloudtrail, azure, o365

Azure AD User Enabled and Password Reset and User Update within 2 Minutes

high

Detects an Azure AD user enabling a disabled account, resetting its password, and updating user details within 2 minutes.

sigma tactics: persistence techniques: T1098 sources: cloudtrail, azure, o365

Detection queries are available on the platform. Get full rules →