T1531 – Account Access Removal (Azure AD Detection)

Azure AD Alert Details
Alert ID: AAD-ACCOUNT-REMOVAL-1531-7842
Alert Time: 2024-03-05 09:30:15 EST
Severity: CRITICAL (98/100)
Source: Azure AD Identity Protection + Audit Logs
Rule: “Mass Account Disable/Deletion Detected”
MITRE ATT&CK: T1531 – Account Access Removal

Alert Details:

Detection: Bulk disabling/deletion of user accounts in Azure AD

Time: 09:15-09:30 EST
Action Performed By: jwilson@company.com (Global Administrator)
Source IP: 185.143.221[.]89 (Bulgaria)

Audit Events:

09:15:22 – Disable user: bturner@company.com (Finance)

09:15:45 – Disable user: kwilson@company.com (Finance Manager)

09:16:12 – Disable user: alexchen@company.com (Engineering)

09:16:38 – Disable user: rpatel@company.com (Engineering)

09:17:05 – Disable user: sjones@company.com (Marketing)

09:17:33 – Disable user: mwilson@company.com (Sales)

09:18:01 – Disable user: cjohnson@company.com (CEO)

09:18:28 – Disable user: jsmith@company.com (IT Admin)

… (continuing)

Total Accounts Affected: 47 users disabled

12 from Finance
8 from Engineering
6 from Marketing
5 from Sales
4 from HR
12 others (including executives and admins)

Additional Actions:

09:20:15 – Conditional Access policies modified to block all users
09:22:30 – MFA settings reset for 10 users
09:25:45 – Guest users removed (12 accounts)

Detection Logic:

47 accounts disabled in 15 minutes (highly anomalous)
Actions from unusual location (Bulgaria)
Performed by Global Admin jwilson (who was on leave)
Pattern matches account access removal (sabotage/ransomware prep)
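The detection logic above, as an added example that is not part of the original report: a Python rule that groups Azure AD "Disable account" audit events by the acting admin, counts them in a sliding 15-minute window, and enriches any hit with the same corroborating signals the alert uses (activity from an unexpected country, a privileged actor role, and a Conditional Access policy change by the same actor). It goes slightly beyond the page by correlating the policy change with the disable burst. The event records, operation names, the threshold of 10 and the expected-country list are constructed for illustration and do not follow the real Azure AD audit export schema.

```python
"""Mass account-disable detection over Azure AD audit events.

Added example, not part of the original report. The event dicts, operation
names, threshold and expected-country list are constructed for illustration;
a real Azure AD audit export has a different schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10                   # assumed: >= 10 disables by one actor in WINDOW is anomalous
WINDOW = timedelta(minutes=15)   # matches the 15-minute span called out in the alert
EXPECTED_COUNTRIES = {"US"}      # assumed: where this tenant's admins normally sign in from
PRIVILEGED_ROLES = {"Global Administrator"}
DISABLE_OP = "Disable account"
POLICY_OPS = {"Update conditional access policy"}


def _event(time, op, actor, role, target, country):
    return {"time": time, "op": op, "actor": actor, "role": role,
            "target": target, "country": country}


def constructed_events():
    """Constructed sample log: 12 rapid disables plus one policy change by the
    compromised admin from Bulgaria, and one routine offboarding disable by HR."""
    base = datetime(2024, 3, 5, 9, 15, 22)
    targets = ["bturner", "kwilson", "alexchen", "rpatel", "sjones", "mwilson",
               "cjohnson", "jsmith", "user09", "user10", "user11", "user12"]
    events = [
        _event((base + timedelta(seconds=27 * i)).isoformat(), DISABLE_OP,
               "jwilson@company.com", "Global Administrator",
               f"{name}@company.com", "BG")
        for i, name in enumerate(targets)
    ]
    events.append(_event("2024-03-05T09:20:15", "Update conditional access policy",
                         "jwilson@company.com", "Global Administrator",
                         "Require MFA for external access", "BG"))
    events.append(_event("2024-03-05T08:50:00", DISABLE_OP, "hradmin@company.com",
                         "User Administrator", "leaver@company.com", "US"))
    return events


def mass_disable_windows(events, threshold=THRESHOLD, window=WINDOW):
    """Per actor, find the densest run of disable events inside a sliding window.
    Returns one finding per actor whose densest run reaches the threshold."""
    by_actor = defaultdict(list)
    for e in events:
        if e["op"] == DISABLE_OP:
            by_actor[e["actor"]].append(e)
    findings = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        start, best = 0, None
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"actor": actor, "count": count,
                        "first": evs[start]["time"], "last": evs[end]["time"],
                        "targets": [e["target"] for e in evs[start:end + 1]]}
        if best:
            findings.append(best)
    return findings


def score_finding(finding, events):
    """Attach the corroborating signals the alert rule uses and a severity."""
    actor_events = [e for e in events if e["actor"] == finding["actor"]]
    reasons = [f"{finding['count']} accounts disabled within {WINDOW}"]
    unexpected = {e["country"] for e in actor_events} - EXPECTED_COUNTRIES
    if unexpected:
        reasons.append(f"activity from unexpected location(s): {sorted(unexpected)}")
    if any(e["role"] in PRIVILEGED_ROLES for e in actor_events):
        reasons.append("actor holds a privileged role")
    policy_changes = [e["target"] for e in actor_events if e["op"] in POLICY_OPS]
    if policy_changes:
        reasons.append(f"same actor modified Conditional Access policy: {policy_changes}")
    severity = "CRITICAL" if len(reasons) >= 3 else "HIGH"
    return {**finding, "severity": severity, "reasons": reasons}


def detect(events):
    """Run the full rule: window detection followed by scoring."""
    return [score_finding(f, events) for f in mass_disable_windows(events)]


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(f"[{alert['severity']}] {alert['actor']}: {alert['count']} disables "
              f"{alert['first']} .. {alert['last']}")
        for r in alert["reasons"]:
            print("  -", r)
```

Run against the constructed log, the rule fires once for jwilson (12 disables in about five minutes, from BG, as a Global Administrator, with a policy change in the same run) and stays silent for the single HR offboarding disable from the expected country. The sliding window matters: a fixed 15-minute bucket would split a burst that straddles a boundary, whereas the window here catches it wherever it falls.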

SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify Azure AD audit logs | Azure AD Portal | Confirmed mass account disable events
2. User Verification | Contact jwilson | Phone, Teams | jwilson on leave; did NOT perform actions
3. Immediate Action | Disable compromised jwilson account | Azure AD, AD | jwilson account disabled
4. Account Restoration | Re-enable all 47 disabled accounts | Azure AD PowerShell | All accounts re-enabled
5. Conditional Access Fix | Revert policy changes | Azure AD | Conditional Access policies restored
6. Incident Response | Activate breach response | Legal, Management | Data breach declared

Jira Incident Report
Ticket: SOC-2024-171
Summary: T1531 – Mass Account Disable (47 Users) by Compromised Global Admin
Status: RESOLVED
Resolution: MALICIOUS – Accounts Restored
Priority: P1 – CRITICAL
Labels: T1531, account-access-removal, azure-ad, compromised-admin
Components: Identity-Management, Incident-Response

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Azure AD Identity Protection + Audit Logs.
Alert: “Mass Account Disable/Deletion Detected”.
Action: 47 user accounts disabled, Conditional Access policies modified.
Performed By: jwilson@company.com (Global Administrator) – compromised.
Source IP: 185.143.221[.]89 (Bulgaria).
Time: 2024-03-05 09:30 EST.
Technique: MITRE ATT&CK T1531 – Account Access Removal.

2. Technical Analysis:

Attack Chain:

08:30 – jwilson credentials compromised via phishing
08:45 – Attacker logs into Azure AD portal from Bulgaria IP
09:00 – Attacker enumerates users, identifies targets
09:15-09:30 – Mass account disable
09:20 – Conditional Access policies modified
09:30 – Azure AD alerts

Accounts Disabled (47):

Finance (12) – including managers
Engineering (8) – key developers
Marketing (6)
Sales (5)
HR (4)
Executives (3) – CEO, CFO, CTO
IT Admins (5)
Others (4)

Conditional Access Changes:

Original policy: MFA required for all external access
New policy: Block all access for all users (effectively locking everyone out)

Attacker Intent:

Maximum business disruption
Prevent legitimate users from accessing resources
Potential precursor to ransomware

Compromised Admin:

jwilson (Global Admin) on leave, unaware
No MFA on account (now enforced)

3. Investigation Findings:

Timeline:

08:30 – Admin account compromised
08:45 – Attacker logs in
09:15-09:30 – Account disable
09:30 – Alert triggers
09:32 – SOC investigates
09:33 – jwilson account disabled
09:35 – All 47 accounts re-enabled
09:37 – Conditional Access restored

Indicators of Compromise (IoCs):

Network:

– Attacker IP: 185.143.221[.]89

Account:

– jwilson (compromised global admin)

Actions:

– 47 user accounts disabled (list attached)

– Conditional Access policy changed

4. Containment Actions:

Immediate Actions:

Disabled compromised jwilson account.
Re-enabled all 47 disabled accounts.
Reverted Conditional Access policies to original.
Reset jwilson password.
Enforced MFA for all admins.
Blocked attacker IP at firewall and Conditional Access.

User Communication:

Notified all affected users (accounts were disabled for 5-15 minutes).
Verified no data loss.

Account Remediation:

Reset passwords for all 47 affected users (precaution).

5. Root Cause Analysis:

Primary Cause: Global admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin account had excessive privileges.
No alerts for mass account changes.

6. Business Impact:

Operational Impact: 47 users locked out for 5-15 minutes.
Data Exposure: None (accounts disabled, no data access).
Reputational Impact: Internal disruption.

7. Remediation & Prevention:

Completed Actions:

Accounts restored.
Admin account secured.
MFA enforced.

Technical Controls Enhanced:

Enforced MFA for all admin accounts.
Implemented Privileged Identity Management (JIT access).
Created alert for mass account disable/delete.
Added IP restrictions for admin portal access.

8. Conclusion:

An attacker compromised a global admin account and disabled 47 user accounts, modifying Conditional Access policies to block all access. Azure AD detected the mass changes, enabling rapid restoration. All accounts were re-enabled within minutes.

Closure Rationale: Accounts restored; admin account secured; controls enhanced.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-05 10:30 EST
