Sentinel Queries

該項目提供了一系列KQL查詢，用於檢測Azure AD租戶中與BloodHound BARK工具包相關的濫用行為。這些查詢旨在識別BARK模擬的行為，而非工具本身的使用。內容包括針對不同BARK功能的檢測查詢、控制建議以及相關資源鏈接。

評分 : 2分

下載量 : 14

更新時間 : 2025-04-23

What is BARK Detection?

These detection queries help identify suspicious activities in Azure AD that could indicate privilege escalation attempts, similar to what the BARK toolkit can perform. They monitor for actions like password resets, credential additions, role assignments and other sensitive operations.

How to Use These Detections?

The queries should be run in Microsoft Sentinel or Log Analytics against your Azure AD logs. It's recommended to first test them in your environment to tune for accuracy.

When to Use These Detections?

Use these queries for continuous monitoring of your Azure AD environment, especially if you have privileged users/service principals or want to detect potential compromise.

Key Detection Capabilities

Password Reset DetectionIdentifies password reset operations performed via PowerShell which could indicate compromise.

Application Secret CreationDetects when new credentials are added to application objects.

Role Assignment MonitoringTracks when users or service principals are added to privileged roles.

Ownership ChangesMonitors for changes to owners of applications and service principals.

Strengths and Limitations

Strengths

Provides visibility into potential privilege escalation paths

Covers both user and service principal activities

Uses native Azure AD logs requiring no additional instrumentation

Helps detect abuse of legitimate tools and permissions

Limitations

May generate false positives in environments with legitimate automation

Requires tuning to match your specific environment

Only detects actions after they occur (not preventive)

Some legitimate admin activities may appear similar to malicious ones

Implementation Guide

Set up logging

Ensure Azure AD logs are being collected in your Log Analytics workspace.

Test queries

Run the detection queries against your environment to establish baselines.

Create alerts

Configure alerts for suspicious activities in Microsoft Sentinel.

Implement controls

Apply the recommended prevention controls from the documentation.

Detection Scenarios

Detecting Application Secret CreationMonitoring when new credentials are added to applications, which could allow attackers to persist in the environment.

Identifying Suspicious Role AssignmentsDetecting when service principals are added to privileged roles, which could indicate privilege escalation.

Frequently Asked Questions

Are these queries specific to the BARK toolkit?

How often should I run these detection queries?

What permissions do I need to use these detections?

How can I reduce false positives?

Additional Resources

BloodHound BARK GitHub

The official BARK toolkit repository

Azure AD Privilege Escalation Detection

Blog post on detecting Azure AD privilege escalation

Microsoft Azure AD Documentation

Official Microsoft documentation for Azure Active Directory

🚀 BARK

BARK 是一款用於檢測 Azure Active Directory (Azure AD) 中潛在特權提升攻擊的工具。它通過分析 Microsoft Sentinel 中的審核日誌，來識別異常或高風險活動，為 Azure AD 的安全保駕護航。

🚀 快速開始

不同場景下的檢測查詢

用戶作為行為者，用戶作為目標

AuditLogs
| where OperationName == "Add member to group"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Actor IP Address'] = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where TargetResources[0].type == "User"
| extend Target = tostring(TargetResources[0].userPrincipalName)
| where GroupName in~ ("PrivilegedGroup1","PrivilegedGroup2")
| project TimeGenerated, OperationName, Actor, ['Actor IP Address'], Target, GroupName

用戶作為行為者，服務主體作為目標

AuditLogs
| where OperationName == "Add member to group"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Actor IP Address'] = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where TargetResources[0].type == "ServicePrincipal"
| where GroupName in~ ("PrivilegedGroup1","PrivilegedGroup2")
| project TimeGenerated, OperationName, Actor, ['Actor IP Address'], ['Target Service Principal Name'], ['Target Service Principal ObjectId'], GroupName

服務主體作為行為者，用戶作為目標

AuditLogs
| where OperationName == "Add member to group"
| extend ['Actor Service Principal Name'] = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend ['Actor Service Principal ObjectId'] = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)
| where isnotempty(['Actor Service Principal ObjectId'])
| where ['Actor Service Principal Name'] != "MS-PIM"
| where TargetResources[0].type == "User"
| where GroupName in~ ("PrivilegedGroup1","PrivilegedGroup2")
| extend Target = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, OperationName, ['Actor Service Principal Name'], ['Actor Service Principal ObjectId'], Target, GroupName

服務主體作為行為者，服務主體作為目標

AuditLogs
| where OperationName == "Add member to group"
| extend ['Actor Service Principal Name'] = tostring(parse_json(tostring(InitiatedBy.app)).displayName)