Microsoft Defender for Identity Alert Details
Alert ID: MDI-ACCT-MANIP-1098-7842
Alert Time: 2024-02-15 11:45:33 EST
Severity: CRITICAL (95/100)
Source: Microsoft Defender for Identity
Rule: “Suspicious Service Account Modification”
MITRE ATT&CK: T1098 – Account Manipulation
Alert Details:
Detection: Service account added to Domain Admins group
Account: svc_sql_backup (SQL Backup Service Account)
Action: Added to “Domain Admins” group
Time: 11:40 EST
Performed By: jsmith (John Smith – Domain Admin)
Source Host: IT-WS-045
Source IP: 192.168.45.78
Activity Details:
– 11:38: User jsmith authenticated from IT-WS-045
– 11:39: PowerShell session initiated
– 11:40: Add-ADGroupMember -Identity "Domain Admins" -Members "svc_sql_backup"
– 11:41: Group membership change successful
Anomaly Detection:
– svc_sql_backup is a service account (never needs Domain Admin)
– jsmith normally does NOT modify service account memberships
– jsmith’s account had 3 failed logins 10 minutes prior from unusual IP
– Activity occurred 5 minutes after jsmith received suspicious email
Additional Context:
– Domain Admins group now has 18 members (normally 12)
– svc_sql_backup can now perform any domain action
– Lateral movement risk: service account used on 50+ SQL servers
SOC Investigation Process
Step                      | Action                                  | Tools Used                       | Findings
--------------------------+-----------------------------------------+----------------------------------+-------------------------------------------------------------------
1. Alert Validation       | Verify MDI alert                        | Microsoft Defender for Identity  | Confirmed unauthorized group modification
2. Immediate Action       | Remove account from Domain Admins       | AD PowerShell                    | svc_sql_backup removed from Domain Admins
3. User Investigation     | Check jsmith account activity           | Azure AD, CrowdStrike            | jsmith’s credentials compromised via phishing
4. Account Remediation    | Reset jsmith password                   | Azure AD, AD                     | Password reset; MFA enforced
5. Threat Hunting         | Check for other group modifications     | MDI, Splunk                      | No other unauthorized changes found
6. Service Account Review | Audit all service account memberships   | AD, ServiceNow                   | All service accounts reviewed; principle of least privilege enforced
Jira Incident Report
Ticket: SOC-2024-077
Summary: T1098 – Service Account Added to Domain Admins via Compromised Admin Account
Status: RESOLVED
Resolution: MALICIOUS – Unauthorized Group Membership Removed
Priority: P1 – CRITICAL
Labels: T1098, account-manipulation, domain-admins, mdi, compromised-admin
Components: Identity-Management, Privileged-Access
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Identity.
Alert: “Suspicious Service Account Modification”.
Account Modified: svc_sql_backup (service account).
Action: Added to Domain Admins group.
Performed By: jsmith (Domain Admin).
Time: 2024-02-15 11:45 EST.
Technique: MITRE ATT&CK T1098 – Account Manipulation.
2. Technical Analysis:
Attack Chain:
11:30 – jsmith receives phishing email with link
11:31 – jsmith clicks link, enters credentials on fake login page
11:35 – Attacker uses jsmith’s credentials to log in from 45.134.225[.]78
11:36 – Attacker connects to IT-WS-045 via RDP
11:38 – PowerShell session initiated
11:40 – svc_sql_backup added to Domain Admins
11:45 – MDI alerts
Account Modification Details:
Command: Add-ADGroupMember -Identity "Domain Admins" -Members "svc_sql_backup"
Result: Service account gained full domain admin privileges
Purpose: Attacker planning to use service account for lateral movement (50+ SQL servers)
Compromised Admin Account:
User: jsmith (Domain Admin)
Compromise method: Phishing (fake Microsoft login page)
No MFA (policy exception for “legacy admin” – now removed)
Service Account Risk:
svc_sql_backup used on 52 SQL servers
With Domain Admin rights, attacker could compromise all SQL servers
Used for backups (highly privileged by nature)
3. Investigation Findings:
Timeline:
11:30 – Phishing email opened
11:31 – Credentials entered
11:35 – Attacker logs in
11:36 – RDP to IT-WS-045
11:40 – Group modification
11:45 – Alert triggers
11:46 – SOC investigates
11:48 – svc_sql_backup removed from Domain Admins
11:50 – jsmith account disabled
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 45.134.225[.]78
Account:
– jsmith (compromised)
– svc_sql_backup (temporarily in Domain Admins)
Group:
– Domain Admins (membership reverted)
4. Containment Actions:
Immediate Actions:
Removed svc_sql_backup from Domain Admins group.
Disabled jsmith account.
Reset jsmith’s password.
Terminated all active sessions.
Blocked attacker IP at firewall.
Account Remediation:
Enforced MFA for jsmith (and all admins).
Audited all Domain Admins memberships.
Reviewed all recent group changes.
Service Account Review:
Audited all service account privileges.
Removed unnecessary admin rights.
Implemented managed service accounts where possible.
5. Root Cause Analysis:
Primary Cause: Domain Admin fell for phishing attack.
Contributing Factors:
No MFA on admin account.
Service account with excessive potential privileges.
No alerting on group changes (until MDI).
6. Business Impact:
Operational Impact: None (contained before lateral movement).
Security Impact: HIGH – Domain Admin credentials compromised.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Group membership reverted.
Compromised account secured.
Attacker IP blocked.
Technical Controls Enhanced:
Enforced MFA for all admin accounts.
Implemented Privileged Access Workstations (PAWs).
Created alert for any service account group changes.
Reduced Domain Admins membership to minimum.
Implemented JIT (Just-In-Time) access for admins.
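The "alert for any service account group changes" control above, and the anomaly signals listed in the MDI alert (service account into a Tier 0 group, group size above baseline), can be reproduced from Windows Security events 4728/4732/4756 (member added to a global/local/universal security group). The following is an added example written for this report, not a rule from MDI or Splunk; the service-account naming prefixes, the Tier 0 group list, the baseline of 12 members and the sample events are constructed assumptions.

```python
import re
from typing import Optional

# Assumed environment conventions (not from the report): Tier 0 groups and service-account prefixes.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
SERVICE_ACCOUNT_PREFIXES = ("svc_", "svc-")
GROUP_MEMBER_ADDED = {4728, 4732, 4756}          # global / local / universal group member added
BASELINE_MEMBER_COUNT = {"Domain Admins": 12}    # constructed baseline taken from the alert text

def cn_from_dn(value: str) -> str:
    """Return the CN of a distinguished name (4728 MemberName is a DN); pass through otherwise."""
    m = re.match(r"CN=([^,]+)", value, re.IGNORECASE)
    return m.group(1) if m else value

def assess_group_change(event: dict, current_size: Optional[int] = None) -> Optional[dict]:
    """Return a finding for a suspicious group addition, or None when the event is not of interest."""
    if event.get("EventID") not in GROUP_MEMBER_ADDED:
        return None
    group = event["TargetUserName"]          # group that was modified
    member = cn_from_dn(event["MemberName"])  # principal that was added
    actor = event["SubjectUserName"]          # who performed the change
    tier0 = group in TIER0_GROUPS
    svc = member.lower().startswith(SERVICE_ACCOUNT_PREFIXES)
    reasons = []
    if tier0:
        reasons.append(f"addition to Tier 0 group {group}")
    if svc:
        reasons.append(f"member {member} matches service-account naming")
    baseline = BASELINE_MEMBER_COUNT.get(group)
    if baseline is not None and current_size is not None and current_size > baseline:
        reasons.append(f"{group} now has {current_size} members, baseline {baseline}")
    if not reasons:
        return None
    severity = "CRITICAL" if tier0 and svc else "HIGH" if tier0 else "MEDIUM"
    return {"severity": severity, "group": group, "member": member, "actor": actor, "reasons": reasons}

# Constructed sample events mirroring the incident; not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "jsmith", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_sql_backup,OU=Service Accounts,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "hr_admin", "TargetUserName": "HR-Staff",
     "MemberName": "CN=newhire01,OU=Users,DC=corp,DC=example"},
    {"EventID": 4624, "SubjectUserName": "jsmith", "TargetUserName": "jsmith"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        size = 18 if ev.get("TargetUserName") == "Domain Admins" else None
        print(assess_group_change(ev, current_size=size))
```

In production the baseline would come from a periodic membership snapshot rather than a constant, and the finding would be routed to the same P1 queue the report describes.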
8. Conclusion:
An attacker compromised a Domain Admin via phishing and added a service account to the Domain Admins group. MDI detected the anomalous group change within 5 minutes, enabling rapid containment. The service account was removed before the attacker could use it for lateral movement.
Closure Rationale: Group membership reverted; admin account secured; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-15 13:00 EST