Threat Feed
high advisory

Azure AD Account Created and Deleted Within a Close Time Frame

Detection of Azure Active Directory accounts that are created and deleted within a short timeframe, potentially indicating malicious activity such as privilege escalation or persistence attempts.

The creation and immediate deletion of user accounts within Azure Active Directory can be indicative of various malicious activities. Attackers may create accounts to escalate privileges, establish persistence, or gain initial access to a system. The short lifespan of these accounts suggests an attempt to evade detection. This behavior is particularly concerning as it can be used to perform actions and then quickly remove the evidence of the account’s existence from standard audit logs. Monitoring for this activity helps defenders identify and respond to potential security breaches within their Azure environment. This technique is relevant for any organization utilizing Azure Active Directory for user management.

Attack Chain

  1. An attacker gains initial access to an Azure AD environment, potentially through compromised credentials or a phishing attack.
  2. The attacker creates a new user account within the Azure AD. This can be achieved through the Azure portal, PowerShell, or the Azure CLI.
  3. The attacker assigns elevated privileges to the newly created account. This might involve adding the account to privileged roles such as Global Administrator or assigning specific permissions to access sensitive resources.
  4. The attacker uses the newly created account to perform malicious activities, such as accessing confidential data, modifying system configurations, or deploying malicious applications.
  5. After completing the malicious tasks, the attacker removes the elevated privileges from the account to reduce the chances of detection during privilege reviews.
  6. The attacker deletes the created account from Azure AD. This step is performed to remove the traces of the account’s existence and hinder forensic investigations.
  7. The actions performed by the short-lived account may leave other traces in logs, such as access logs or activity logs related to the resources the account interacted with.
  8. The attacker aims to maintain stealth and evade detection while gaining unauthorized access to resources or establishing persistence within the Azure AD environment.

Impact

Successful exploitation can lead to unauthorized access to sensitive resources, data breaches, and system compromise. The creation and deletion of short-lived accounts can mask malicious activities, making it difficult to trace the attacker’s actions. Organizations using Azure AD could experience data exfiltration, financial loss, and reputational damage. Detecting such activity early is critical to preventing further damage and mitigating the impact of the attack.

Recommendation

  • Deploy the Sigma rule “Account Created And Deleted Within A Close Time Frame” to your SIEM and tune for your environment to detect suspicious account creation/deletion events in Azure AD audit logs.
  • Investigate any alerts generated by the Sigma rule “Account Created And Deleted Within A Close Time Frame” to determine the scope and impact of the potential compromise.
  • Implement multi-factor authentication (MFA) for all user accounts, especially those with elevated privileges, to reduce the risk of credential compromise (reference: attack.initial-access).
  • Regularly review Azure AD audit logs for unusual account activity, focusing on accounts created and deleted within a short timeframe (logsource: azure, service: auditlogs).

Detection coverage (2 rules)

Azure AD Account Creation and Deletion in Close Time Frame

high

Detects when an Azure AD account is created and deleted within a short period, indicative of potential malicious activity.

Rule type: sigma
Tactics: initial-access, persistence, privilege-escalation, stealth
Techniques: T1078
Sources: azure, auditlogs
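The rule above correlates two audit-log operations on the same target account. As an added illustration of that correlation (this is not the platform's own detection query), the following Python walks a batch of Azure AD audit records, remembers each successful "Add user" event per user principal name, and raises a finding when a successful "Delete user" for the same principal follows within the window. The records are constructed samples shaped like Microsoft Graph directoryAudit objects; the field names (operationName, activityDateTime, result, initiatedBy.user.userPrincipalName, targetResources[].userPrincipalName) are an assumption about the export format and may differ in your SIEM's normalisation.

```python
"""Correlate "Add user" and "Delete user" Azure AD audit events per account.

Added example, not the advisory's or the platform's own rule. Assumes audit
records shaped like Microsoft Graph directoryAudit objects (assumed fields).
"""
from datetime import datetime, timedelta

# Constructed sample audit records (not real telemetry from any tenant).
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2024-05-01T09:00:00Z", "operationName": "Add user",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "hr-admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "jdoe@contoso.example"}]},
    {"activityDateTime": "2024-05-01T10:00:00Z", "operationName": "Add user",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "ops-admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "svc-backup@contoso.example"}]},
    {"activityDateTime": "2024-05-01T10:05:00Z", "operationName": "Add member to role",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "ops-admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "svc-backup@contoso.example"}]},
    {"activityDateTime": "2024-05-01T10:40:00Z", "operationName": "Delete user",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "ops-admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "svc-backup@contoso.example"}]},
    {"activityDateTime": "2024-05-01T11:00:00Z", "operationName": "Delete user",
     "result": "failure",  # failed deletion: never took effect, so ignored
     "initiatedBy": {"user": {"userPrincipalName": "ops-admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "ghost@contoso.example"}]},
    {"activityDateTime": "2024-05-08T09:00:00Z", "operationName": "Delete user",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "hr-admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "jdoe@contoso.example"}]},
]


def _parse_time(ts):
    """Parse the ISO-8601 UTC timestamp ('...Z') used in the audit export."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _target_upn(record):
    """Return the first user principal name among the record's targets."""
    for target in record.get("targetResources", []):
        upn = target.get("userPrincipalName")
        if upn:
            return upn.lower()
    return None


def _actor(record):
    """Return the principal that initiated the operation, if it was a user."""
    return record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")


def find_short_lived_accounts(records, window=timedelta(hours=1)):
    """Return one finding per account deleted within `window` of its creation.

    Records are processed in time order; only successful operations count,
    and only the most recent creation of a given principal is kept.
    """
    creations = {}  # upn -> (created_at, creator)
    findings = []
    for rec in sorted(records, key=lambda r: _parse_time(r["activityDateTime"])):
        if rec.get("result") != "success":
            continue
        upn = _target_upn(rec)
        if upn is None:
            continue
        when = _parse_time(rec["activityDateTime"])
        op = rec.get("operationName")
        if op == "Add user":
            creations[upn] = (when, _actor(rec))
        elif op == "Delete user" and upn in creations:
            created_at, creator = creations.pop(upn)
            lifetime = when - created_at
            if lifetime <= window:
                findings.append({
                    "upn": upn,
                    "created_at": created_at.isoformat(),
                    "created_by": creator,
                    "deleted_at": when.isoformat(),
                    "deleted_by": _actor(rec),
                    "lifetime_seconds": int(lifetime.total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for finding in find_short_lived_accounts(SAMPLE_AUDIT_LOG):
        print(finding)
```

Run against the sample, only svc-backup is reported (created and deleted 40 minutes apart by the same administrator); jdoe, deleted a week after creation, is outside the one-hour window, and the failed deletion of ghost is ignored. When triaging a hit, pull every other audit and sign-in record for the flagged principal between created_at and deleted_at, since that is where the account's actual activity (role assignments, resource access) will appear. Deleted Azure AD users also remain in the soft-deleted state for 30 days, so the object itself can still be inspected during that period.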

Azure AD User Add Operation

info

Detects the "Add user" event in Azure AD audit logs; this rule is informational and can be used to profile account-creation activity.

Rule type: sigma
Tactics: initial-access, persistence, privilege-escalation, stealth
Techniques: T1078
Sources: azure, auditlogs
