Adversaries may modify sensitive Active Directory groups to escalate privileges or maintain persistence within the network. Proactively hunting for these modifications in Azure Sentinel helps identify potential lateral movement or privilege escalation attempts early.
KQL Query
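// Detects changes in Tier 0 group memberships
// Command leverages MDI schema
// Execute from https://security.microsoft.com or through the M365D advanced hunting API
//
// Matching is by group display name and is case-sensitive: extend Tier0Groups with
// any renamed, localized or environment-specific groups (PKI, backup, PAM, ...) that
// hold Tier 0 rights in your forest. Only direct changes to the listed groups match;
// an account added to a group that is itself nested inside a Tier 0 group is not
// surfaced unless that nested group is listed too.
let Tier0Groups = datatable(TargetGroup:string)
[
'Enterprise Admins',
'Domain Admins',
'Domain Controllers',
'Administrators',
'Enterprise Key Admins',
'Account Operators',
'Organization Management',
'Backup Operators',
'RTCDomainServerAdmins',
'ENTERPRISE DOMAIN CONTROLLERS',
'Cert Publishers',
'Schema Admins',
'DnsAdmins',
'Exchange Recipient Administrators',
'Replicator',
'Read-Only Domain Controllers',
'Print Operators'
];
IdentityDirectoryEvents
| where ActionType == 'Group Membership changed'
// Events without an actor SID cannot be attributed to a principal and are dropped
| where isnotempty(AccountSid)
| extend
    ToGroup = tostring(AdditionalFields['TO.GROUP']),
    FromGroup = tostring(AdditionalFields['FROM.GROUP']),
    TargetUser = tostring(AdditionalFields['TARGET_OBJECT.USER']),
    TargetMemberGroup = tostring(AdditionalFields['TARGET_OBJECT.GROUP'])
// Additions populate TO.GROUP; anything else is treated as a removal and read from FROM.GROUP
| extend ActivityType = iff(isnotempty(ToGroup), "Added Account", "Removed Account")
| extend TargetGroup = iff(isnotempty(ToGroup), ToGroup, FromGroup)
// The member being added or removed is either a user or another security group
| extend TargetType = iff(isempty(TargetUser), "Security Group", "User Account")
| extend TargetObject = iff(isempty(TargetUser), TargetMemberGroup, TargetUser)
// Keep only changes whose target group is in the Tier 0 list (case-sensitive)
| where TargetGroup in (Tier0Groups)
| project Timestamp, ActionType, ActivityType, TargetType, ActorUpn=AccountUpn, TargetObject, TargetAccountUpn, TargetGroup
// If you are setting up a detection rule in M365D, you'll need to add ReportId and AccountSid to the projected columns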
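id: 20774145-ef68-42ab-9f3f-19fecbcdbac9
name: Active Directory Sensitive Group Modifications
description: |
  This query shows all modifications to highly sensitive Active Directory groups (also known as Tier 0). Examples of these groups include Domain Admins, Schema Admins and Enterprise Admins.
  More info can be found here:
  https://docs.microsoft.com/security/compass/privileged-access-access-model#evolution-from-the-legacy-ad-tier-model
  https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
  This advanced hunting query requires Defender for Identity to be deployed due to its reliance on the IdentityDirectoryEvents table.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - IdentityDirectoryEvents
# Sentinel tactic identifiers are written without spaces
tactics:
  - PrivilegeEscalation
  - CredentialAccess
query: |
  // Detects changes in Tier 0 group memberships
  // Command leverages MDI schema
  // Execute from https://security.microsoft.com or through the M365D advanced hunting API
  //
  // Matching is by group display name and is case-sensitive: extend Tier0Groups with
  // any renamed, localized or environment-specific groups (PKI, backup, PAM, ...) that
  // hold Tier 0 rights in your forest. Only direct changes to the listed groups match;
  // an account added to a group that is itself nested inside a Tier 0 group is not
  // surfaced unless that nested group is listed too.
  let Tier0Groups = datatable(TargetGroup:string)
  [
  'Enterprise Admins',
  'Domain Admins',
  'Domain Controllers',
  'Administrators',
  'Enterprise Key Admins',
  'Account Operators',
  'Organization Management',
  'Backup Operators',
  'RTCDomainServerAdmins',
  'ENTERPRISE DOMAIN CONTROLLERS',
  'Cert Publishers',
  'Schema Admins',
  'DnsAdmins',
  'Exchange Recipient Administrators',
  'Replicator',
  'Read-Only Domain Controllers',
  'Print Operators'
  ];
  IdentityDirectoryEvents
  | where ActionType == 'Group Membership changed'
  // Events without an actor SID cannot be attributed to a principal and are dropped
  | where isnotempty(AccountSid)
  | extend
      ToGroup = tostring(AdditionalFields['TO.GROUP']),
      FromGroup = tostring(AdditionalFields['FROM.GROUP']),
      TargetUser = tostring(AdditionalFields['TARGET_OBJECT.USER']),
      TargetMemberGroup = tostring(AdditionalFields['TARGET_OBJECT.GROUP'])
  // Additions populate TO.GROUP; anything else is treated as a removal and read from FROM.GROUP
  | extend ActivityType = iff(isnotempty(ToGroup), "Added Account", "Removed Account")
  | extend TargetGroup = iff(isnotempty(ToGroup), ToGroup, FromGroup)
  // The member being added or removed is either a user or another security group
  | extend TargetType = iff(isempty(TargetUser), "Security Group", "User Account")
  | extend TargetObject = iff(isempty(TargetUser), TargetMemberGroup, TargetUser)
  // Keep only changes whose target group is in the Tier 0 list (case-sensitive)
  | where TargetGroup in (Tier0Groups)
  | project Timestamp, ActionType, ActivityType, TargetType, ActorUpn=AccountUpn, TargetObject, TargetAccountUpn, TargetGroup
  // If you are setting up a detection rule in M365D, you'll need to add ReportId and AccountSid to the projected columns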
| Sentinel Table | Notes |
|---|---|
| IdentityDirectoryEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job Updates
Description: A scheduled task runs to update group membership for a Tier 0 group as part of a routine security or compliance process.
Filter/Exclusion: EventID != 4732 OR (EventID = 4732 AND SourceName = "Scheduled Tasks")
Scenario: Group Policy Object (GPO) Replication
Description: Group Policy Objects that manage Tier 0 groups are replicated across domain controllers, which can trigger group modification events.
Filter/Exclusion: EventID = 4732 AND SourceName = "Group Policy"
Scenario: Active Directory Replication
Description: Replication between domain controllers can cause changes to be logged as modifications to Tier 0 groups.
Filter/Exclusion: EventID = 4732 AND SourceName = "NTDS"
Scenario: Privileged Access Management (PAM) Tool Usage
Description: A PAM tool like CyberArk or BeyondTrust is used to rotate or manage credentials for Tier 0 groups, which may trigger modification events.
Filter/Exclusion: EventID = 4732 AND (SourceName = "CyberArk" OR SourceName = "BeyondTrust")
Scenario: Manual Admin Task via PowerShell
Description: An administrator uses PowerShell to modify a Tier 0 group as part of a legitimate administrative task, such as adding a user to the Domain Admins group.
Filter/Exclusion: EventID = 4732 AND SourceName = "Windows PowerShell"