Detection rules › Kusto Query Language

User account enabled and disabled within 10 mins

Author: Microsoft Security Research
Source: upstream

'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.'

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078` Valid Accounts
Persistence	`T1078` Valid Accounts, `T1098` Account Manipulation
Privilege Escalation	`T1078` Valid Accounts, `T1098` Account Manipulation
Defense Evasion	`T1078` Valid Accounts

Event coverage

Provider	Event ID	Title
Security-Auditing	4722	A user account was enabled.
Security-Auditing	4725	A user account was disabled.

Stages and Predicates

Stage 1: `source`

<union>

Stage 2: `union`

union of 2 branches

Stage 3: `join`

Stage 4: `where`

 macro "((DisableTime - EnableTime) < spanoftime)"

Stage 5: `extend`

Stage 6: `where`

 macro "(tolong(TimeDelta) >= threshold)"

User account enabled and disabled within 10 mins

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: `source`

Stage 2: `union`

Stage 3: `join`

Stage 4: `where`

Stage 5: `extend`

Stage 6: `where`

Stage 7: `project`

Stage 8: `extend`

Stage 9: `extend`

Stage 10: `project-away`

Keyboard Shortcuts

User account enabled and disabled within 10 mins

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: union

Stage 3: join

Stage 4: where

Stage 5: extend

Stage 6: where

Stage 7: project

Stage 8: extend

Stage 9: extend

Stage 10: project-away

Stage 1: `source`

Stage 2: `union`

Stage 3: `join`

Stage 4: `where`

Stage 5: `extend`

Stage 6: `where`

Stage 7: `project`

Stage 8: `extend`

Stage 9: `extend`

Stage 10: `project-away`