Detecting service account provisioning

Brass Contributor

Hi all

 

I'm doing some research around the creation and enabling of old fashioned service accounts using MS Defender. I'm trying to achieve of coupe of things actually. I can detect LogonType of Service Service on MDE onboarded machines using the DeviceLogonEvents Table. But there are a few other things I would like to achieve

 

1.) Raise an alert when a domain account is granted the "Logon as a Service" right on any machine. 

2.) When an account that has never logged on as service suddenly does so.

3.) Perhaps detect when a user account's ServicePrincipalName attribute is populayed or updated.

 

So the service account logon query looks like this:

DeviceLogonEvents
| where Timestamp >= ago(30d)
| where LogonType == "Service" or LogonType == "Batch"
| where AccountDomain =~ "saica"
| summarize count() by AccountName, DeviceName, LogonType
| sort by count_ desc

 

The other ones seem to be a bit trickier.

 

Anyone got any ideas? I would rather not install the MMA agent every and ingest security event logs. 

 

 

 

0 Replies