T1531 – Account Access Removal (Azure AD Detection)

Azure AD Alert Details
Alert ID: AAD-ACCT-REMOVAL-1531-7842
Alert Time: 2024-03-13 16:30:45 EST
Severity: CRITICAL (98/100)
Source: Azure AD Identity Protection + Audit Logs
Rule: “Mass Account Deletion Detected”
MITRE ATT&CK: T1531 – Account Access Removal

Alert Details:

Detection: Bulk deletion of user accounts in Azure AD

Time: 16:15-16:30 EST
Action Performed By: bjones@company.com (Global Administrator) – compromised
Source IP: 185.143.221[.]89 (Bulgaria)

Audit Events:

16:15:22 – Delete user: jsmith@company.com (IT Admin)

16:15:45 – Delete user: kwilson@company.com (Finance Manager)

16:16:12 – Delete user: alexchen@company.com (Engineer)

16:16:38 – Delete user: rpatel@company.com (Engineer)

16:17:05 – Delete user: mwilson@company.com (Sales Rep)

16:17:33 – Delete user: cjohnson@company.com (CEO)

16:18:01 – Delete user: bturner@company.com (Accountant)

… (continuing)

Total Accounts Deleted: 87 users (from all departments)

23 from Finance
18 from Engineering
15 from Marketing
12 from Sales
10 from HR
9 from Executive (including CEO, CFO, CTO)

Additional Actions:

16:20:15 – Deleted 5 guest users
16:22:30 – Removed all users from “Domain Admins” group (emptied)
16:25:45 – Changed password policies to lock all remaining users

Detection Logic:

87 accounts deleted in 15 minutes (highly anomalous)
Actions from unusual location (Bulgaria)
Performed by Global Admin bjones (who was on vacation)
Pattern matches account access removal (sabotage)
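The detection logic above, written out as runnable code (an added example, not part of this write-up): a sliding-window count of “Delete user” operations per actor, plus a check that the source location is one the organisation expects. The input is a list of dicts whose field names loosely follow Azure AD audit-log records (an assumption, not the exact schema), and the sample events are constructed from the seven deletions named in the alert plus some benign noise from a second admin; object IDs and department labels are made up. The alert also carries the deleted object IDs, which is the worklist the recovery step (restore from the recycle bin) needs.

```python
"""Burst detection for Azure AD user deletions (added example, not the page's own code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample: the seven deletions named in the alert (time EST, UPN, department).
_DELETED = [
    ("16:15:22", "jsmith@company.com", "IT"),
    ("16:15:45", "kwilson@company.com", "Finance"),
    ("16:16:12", "alexchen@company.com", "Engineering"),
    ("16:16:38", "rpatel@company.com", "Engineering"),
    ("16:17:05", "mwilson@company.com", "Sales"),
    ("16:17:33", "cjohnson@company.com", "Executive"),
    ("16:18:01", "bturner@company.com", "Finance"),
]


def _event(hms, actor, ip, loc, op, upn, dept, n):
    # Field names are an assumption modelled on Azure AD AuditLogs records.
    return {
        "activityDateTime": f"2024-03-13T{hms}-05:00",
        "operationName": op,
        "initiatedBy": actor,
        "ipAddress": ip,
        "location": loc,
        "targetResources": [{"id": f"00000000-0000-0000-0000-{n:012d}",
                             "userPrincipalName": upn, "department": dept}],
    }


SAMPLE_EVENTS = [
    _event(t, "bjones@company.com", "185.143.221.89", "BG", "Delete user", upn, dept, i + 1)
    for i, (t, upn, dept) in enumerate(_DELETED)
]
# Benign noise (constructed): one deletion and one update by another admin from the US.
SAMPLE_EVENTS.append(_event("16:16:00", "itops@company.com", "203.0.113.10", "US",
                            "Delete user", "contractor@company.com", "IT", 900))
SAMPLE_EVENTS.append(_event("16:19:00", "itops@company.com", "203.0.113.10", "US",
                            "Update user", "someone@company.com", "HR", 901))


@dataclass
class MassDeletionAlert:
    actor: str
    ip_address: str
    location: str
    unusual_location: bool
    first_seen: datetime
    last_seen: datetime
    deleted_object_ids: list = field(default_factory=list)  # recycle-bin restore worklist
    deleted_upns: list = field(default_factory=list)
    by_department: dict = field(default_factory=dict)

    @property
    def count(self):
        return len(self.deleted_object_ids)


def detect_mass_deletion(events, threshold=10, window_minutes=15, expected_locations=("US",)):
    """Return one alert per actor who deleted >= threshold users within window_minutes.

    Once the threshold is crossed, every later deletion by that actor is attributed
    to the same episode, so the alert carries the full list of objects to restore.
    """
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for ev in events:
        if ev["operationName"] == "Delete user":
            by_actor[ev["initiatedBy"]].append(ev)

    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["activityDateTime"])  # same ISO format, so string order is time order
        times = [datetime.fromisoformat(e["activityDateTime"]) for e in evs]
        start, trigger = 0, None
        for i, t in enumerate(times):  # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                trigger = start
                break
        if trigger is None:
            continue
        episode = evs[trigger:]
        first = episode[0]
        alert = MassDeletionAlert(
            actor=actor, ip_address=first["ipAddress"], location=first["location"],
            unusual_location=first["location"] not in expected_locations,
            first_seen=times[trigger], last_seen=times[-1])
        for ev in episode:
            target = ev["targetResources"][0]
            alert.deleted_object_ids.append(target["id"])
            alert.deleted_upns.append(target["userPrincipalName"])
            dept = target.get("department", "unknown")
            alert.by_department[dept] = alert.by_department.get(dept, 0) + 1
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    # threshold lowered to 5 because the sample only carries seven of the 87 deletions
    for a in detect_mass_deletion(SAMPLE_EVENTS, threshold=5):
        print(f"{a.actor} deleted {a.count} users from {a.ip_address} ({a.location}) "
              f"between {a.first_seen:%H:%M:%S} and {a.last_seen:%H:%M:%S}; "
              f"unusual location: {a.unusual_location}; by department: {a.by_department}")
        print("restore worklist:", a.deleted_object_ids)
```

The threshold and window are tuning knobs: the single deletion by the second admin never trips the rule, and a threshold of 10 produces nothing on the seven-event sample, which is the trade-off a real rule has to make against legitimate bulk offboarding.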
SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify Azure AD audit logs | Azure AD Portal | Confirmed mass account deletion
2. User Verification | Contact bjones | Phone, Teams | bjones on vacation; did NOT perform actions
3. Immediate Action | Disable compromised bjones account | Azure AD, AD | bjones account disabled
4. Account Restoration | Recover deleted accounts | Azure AD PowerShell, Recycle Bin | 87 accounts restored (from recycle bin)
5. Group Restoration | Restore Domain Admins group membership | AD | Domain Admins group restored
6. Password Policy | Revert password policy changes | Azure AD | Policies restored
7. Incident Response | Activate breach response | Management, Legal | Account sabotage incident declared

Jira Incident Report
Ticket: SOC-2024-214
Summary: T1531 – Mass Account Deletion (87 Users) by Compromised Global Admin
Status: RESOLVED
Resolution: MALICIOUS – Accounts Restored
Priority: P1 – CRITICAL
Labels: T1531, account-access-removal, azure-ad, compromised-admin
Components: Identity-Management, Incident-Response

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Azure AD Identity Protection + Audit Logs.
Alert: “Mass Account Deletion Detected”.
Action: 87 user accounts deleted, Domain Admins group emptied, password policies changed.
Performed By: bjones@company.com (Global Administrator) – compromised.
Source IP: 185.143.221[.]89 (Bulgaria).
Time: 2024-03-13 16:30 EST.
Technique: MITRE ATT&CK T1531 – Account Access Removal.

2. Technical Analysis:

Attack Chain:

15:30 – bjones credentials compromised via phishing
15:45 – Attacker logs into Azure AD portal from Bulgaria IP
16:00 – Attacker enumerates users, identifies targets
16:15-16:30 – Mass account deletion
16:20 – Domain Admins group emptied
16:25 – Password policies changed (lockout)
16:30 – Azure AD alerts

Accounts Deleted (87):

Finance (23)
Engineering (18)
Marketing (15)
Sales (12)
HR (10)
Executive (9) – CEO, CFO, CTO, etc.

Group Changes:

Domain Admins group emptied (12 members removed)
Effect: No domain administrators

Password Policy Changes:

Account lockout threshold set to 1 (any failed login locks account)
Lockout duration set to 999 minutes

Attacker Intent:

Complete denial of access to organization
Chaos and disruption
Potential precursor to ransomware

Compromised Admin:

bjones (Global Admin) on leave, unaware
No MFA on account (now enforced)

3. Investigation Findings:

Timeline:

15:30 – Admin account compromised
15:45 – Attacker logs in
16:15-16:30 – Account deletion
16:30 – Alert triggers
16:32 – SOC investigates
16:33 – bjones account disabled
16:35 – Account recovery begins
16:45 – All 87 accounts restored
16:50 – Domain Admins group restored
16:55 – Password policies reverted

Indicators of Compromise (IoCs):

Network:

– Attacker IP: 185.143.221[.]89

Account:

– bjones (compromised global admin)

Actions:

– 87 user accounts deleted (list attached)

– Domain Admins group emptied

– Password policy changed

4. Containment Actions:

Immediate Actions:

Disabled compromised bjones account.
Restored all 87 deleted accounts from Azure AD Recycle Bin.
Restored Domain Admins group membership.
Reverted password policy changes.
Reset bjones password.
Enforced MFA for all admins.
Blocked attacker IP.

User Communication:

Notified all affected users (accounts were deleted for 15-30 minutes).
Verified no data loss.

Account Remediation:

Reset passwords for all 87 affected users (precaution).

5. Root Cause Analysis:

Primary Cause: Global admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin account had excessive privileges.
No alerts for mass account deletion.

6. Business Impact:

Operational Impact: 87 users locked out for 15-30 minutes.
Data Exposure: None (accounts deleted, no data access).
Reputational Impact: Internal disruption.

7. Remediation & Prevention:

Completed Actions:

Accounts restored.
Admin account secured.
MFA enforced.

Technical Controls Enhanced:

Enforced MFA for all admin accounts.
Implemented Privileged Identity Management (JIT access).
Created alert for mass account deletion.
Added IP restrictions for admin portal access.

8. Conclusion:

An attacker compromised a global admin account and deleted 87 user accounts, emptied the Domain Admins group, and changed password policies to lock out remaining users. Azure AD detected the mass changes, enabling rapid restoration. All accounts were restored within 30 minutes.

Closure Rationale: Accounts restored; admin account secured; controls enhanced.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-13 17:30 EST
