List Cloud Persistence Activities By User At Risk
Description
This guide explains how to detect cloud persistence activities performed by users identified as at risk using KQL queries. Persistence events include actions like adding members, devices, service principals, or external users, which adversaries exploit to maintain long-term access to cloud environments. Identifying these events when performed by risky users helps prevent unauthorized footholds and mitigates potential compromises.
Risk
Users flagged as at risk who execute persistence actions present a heightened security threat. Such behavior often indicates account compromise or insider threats. Immediate investigation of these user accounts is critical. Confirm malicious activity by reviewing detailed logs, and if verified, promptly disable the compromised accounts to protect the environment.
Query
Microsoft Sentinel
// Define PersistenceEvents; the list can be extended with other events of your choosing
let PersistenceEvents = dynamic(["add member", "add device", "register device", "add service principal", "update service principal", "add user", "enable account", "add group", "Invite external user", "Add application", "add app"]);
let RiskyUsers = AADRiskyUsers
| where TimeGenerated > ago(90d)
// Keep only the latest risk record per user, so a remediated user is not treated as still at risk
| summarize arg_max(TimeGenerated, *) by Id
// Only use currently active risky users. To look at all users that have ever been risky, remove the line below.
| where RiskState in~ ('atRisk', 'confirmedCompromised')
| distinct UserDisplayName;
AuditLogs
// Filter only on the RiskyUsers defined above (Identity is the actor's display name)
| where Identity in~ (RiskyUsers)
// Filter on PersistenceEvents
| where OperationName has_any (PersistenceEvents)
| project TimeGenerated, Identity, OperationName, Category, ResultDescription, Result
This query works by first defining a dynamic list of persistence events relevant to cloud identity security. It then pulls a list of users flagged as risky or confirmed compromised within the past 90 days. Finally, it filters audit logs to detect if any of these risky users performed persistence-related actions, helping security analysts quickly pinpoint potential breaches.
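The following is an added variant, not part of the original query, that keys the match on UserPrincipalName rather than display name: AuditLogs.Identity holds the actor's display name, which two accounts can share, whereas InitiatedBy.user.userPrincipalName is unique to the actor. The per-user rollup and the 90d lookback variable are choices of this example; the columns used (InitiatedBy, TargetResources, RiskLevel, RiskLastUpdatedDateTime) are standard AuditLogs and AADRiskyUsers columns.

```kql
// Added example: same detection, joined on UPN and summarized per risky user
let lookback = 90d;
let PersistenceEvents = dynamic(["add member", "add device", "register device", "add service principal", "update service principal", "add user", "enable account", "add group", "Invite external user", "Add application", "add app"]);
let RiskyUsers = AADRiskyUsers
| where TimeGenerated > ago(lookback)
// Latest risk record per user; a remediated or dismissed user drops out here
| summarize arg_max(TimeGenerated, *) by Id
| where RiskState in~ ('atRisk', 'confirmedCompromised')
| project UserPrincipalName = tolower(UserPrincipalName), RiskLevel, RiskLastUpdatedDateTime;
AuditLogs
| where TimeGenerated > ago(lookback)
// Actor UPN from the InitiatedBy object; it is empty when an app or service principal acted
| extend ActorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
| where isnotempty(ActorUPN)
| where OperationName has_any (PersistenceEvents)
| join kind=inner RiskyUsers on $left.ActorUPN == $right.UserPrincipalName
// One row per risky actor: what they did, how often, and against which target
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            EventCount = count(),
            Operations = make_set(OperationName),
            Targets = make_set(tostring(TargetResources[0].displayName))
          by ActorUPN, RiskLevel, RiskLastUpdatedDateTime
| order by EventCount desc
```

Persistence actions performed by an app or service principal on the user's behalf have no user UPN and are intentionally excluded; widen the ActorUPN filter if those need coverage too.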