Sentinel Queries

This project provides a set of KQL queries for detecting abuse related to the BloodHound BARK toolkit in Azure AD tenants. The queries are designed to identify the behaviours BARK simulates, not use of the tool itself. The content covers detection queries for the individual BARK functions, recommended controls, and links to related resources.

What is BARK Detection?

These detection queries help identify suspicious activities in Azure AD that could indicate privilege escalation attempts, similar to what the BARK toolkit can perform. They monitor for actions like password resets, credential additions, role assignments and other sensitive operations.

How to Use These Detections?

The queries should be run in Microsoft Sentinel or a Log Analytics workspace against your Azure AD logs (primarily the audit log, which records the password, credential, role and ownership operations these detections look for). Test them in your own environment first and tune them for accuracy before turning them into alerts.

When to Use These Detections?

Use these queries for continuous monitoring of your Azure AD environment, especially if you have privileged users/service principals or want to detect potential compromise.

Key Detection Capabilities

Password Reset Detection
Identifies password reset operations performed via PowerShell, which could indicate compromise.
Application Secret Creation
Detects when new credentials (client secrets or certificates) are added to application objects.
Role Assignment Monitoring
Tracks when users or service principals are added to privileged roles.
Ownership Changes
Monitors for changes to the owners of applications and service principals.
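The following KQL is an added example of the credential-addition detection described above; it is not one of the Sentinel Queries project's own queries. It assumes Azure AD audit logs are flowing into the standard AuditLogs table, and the known_automation allow-list is a constructed placeholder to be replaced with the identities that legitimately rotate secrets in your tenant.

```kql
// Added example (not from the Sentinel Queries project): new credentials added to app
// registrations or service principals, the persistence path a BARK-style operator takes
// after gaining control of an application or one of its owners.
// Assumption: Azure AD audit logs are in the AuditLogs table.
let lookback = 1d;
// Constructed allow-list: identities expected to add/rotate credentials (e.g. a rotation pipeline).
let known_automation = dynamic(["secret-rotation-pipeline"]);
AuditLogs
| where TimeGenerated > ago(lookback)
| where Category == "ApplicationManagement"
| where OperationName =~ "Add service principal credentials"
     or OperationName contains "Certificates and secrets management"  // app-registration variant; 'contains' avoids depending on the dash character in the event name
| where Result =~ "success"
| extend InitiatorUpn = tostring(InitiatedBy.user.userPrincipalName),
         InitiatorApp = tostring(InitiatedBy.app.displayName),
         InitiatorIp  = tostring(InitiatedBy.user.ipAddress)
// Audit events are initiated either by a user or by an app; keep whichever is present.
| extend Initiator = iff(isempty(InitiatorUpn), InitiatorApp, InitiatorUpn)
| where Initiator !in~ (known_automation)
| mv-expand Target = TargetResources
| extend TargetType = tostring(Target.type),
         TargetName = tostring(Target.displayName),
         TargetId   = tostring(Target.id),
         ModifiedProps = tostring(Target.modifiedProperties)
// The KeyDescription property records the new credential's metadata, including its KeyType.
| extend CredentialKind = case(ModifiedProps contains "KeyType=Password", "ClientSecret",
                               ModifiedProps contains "KeyType=AsymmetricX509Cert", "Certificate",
                               "Unknown")
| project TimeGenerated, OperationName, Initiator, InitiatorIp,
          TargetType, TargetName, TargetId, CredentialKind, CorrelationId
| order by TimeGenerated desc
```

Run it in the Sentinel Logs blade first and review the Initiator column: a client secret added by an interactive user account to an application that normally receives credentials only from automation is the pattern worth alerting on, while adding the legitimate automation identities to known_automation is the main lever for reducing noise.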

Strengths and Limitations

Strengths
Provides visibility into potential privilege escalation paths
Covers both user and service principal activities
Uses native Azure AD logs requiring no additional instrumentation
Helps detect abuse of legitimate tools and permissions
Limitations
May generate false positives in environments with legitimate automation
Requires tuning to match your specific environment
Only detects actions after they occur (not preventive)
Some legitimate admin activities may appear similar to malicious ones

Implementation Guide

Set up logging
Ensure Azure AD logs are being collected in your Log Analytics workspace.
Test queries
Run the detection queries against your environment to establish baselines.
Create alerts
Configure alerts for suspicious activities in Microsoft Sentinel.
Implement controls
Apply the recommended prevention controls from the documentation.

Detection Scenarios

Detecting Application Secret Creation
Monitoring when new credentials are added to applications, which could allow attackers to persist in the environment.
Identifying Suspicious Role Assignments
Detecting when service principals are added to privileged roles, which could indicate privilege escalation.
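The following KQL is an added example of the role-assignment scenario above, written here for illustration rather than taken from the Sentinel Queries project. It assumes audit logs are in the AuditLogs table; the privileged_roles list is a constructed starting point covering roles that can take over the tenant, not an exhaustive list, and it reports both user and service-principal targets while weighting service principals higher.

```kql
// Added example (not from the Sentinel Queries project): users or service principals added to
// Azure AD roles that grant tenant-wide control, the escalation path a BARK-style role add produces.
// Assumptions: audit logs are in AuditLogs; the role list below is a constructed starting point.
let lookback = 7d;
let privileged_roles = dynamic([
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Application Administrator",
    "Cloud Application Administrator",
    "Hybrid Identity Administrator",
    "Partner Tier2 Support"
]);
AuditLogs
| where TimeGenerated > ago(lookback)
| where Category == "RoleManagement"
| where OperationName contains "member to role"   // direct adds and PIM-completed adds share this phrase
| where Result =~ "success"
| extend InitiatorUpn = tostring(InitiatedBy.user.userPrincipalName),
         InitiatorApp = tostring(InitiatedBy.app.displayName),
         InitiatorIp  = tostring(InitiatedBy.user.ipAddress)
| extend Initiator = iff(isempty(InitiatorUpn), InitiatorApp, InitiatorUpn)
// The principal receiving the role is the User/ServicePrincipal target resource;
// the role name is carried in that target's modifiedProperties as Role.DisplayName.
| mv-expand Target = TargetResources
| extend TargetType = tostring(Target.type)
| where TargetType in~ ("User", "ServicePrincipal")
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(Prop.newValue))   // newValue is a JSON string literal; strip the quotes
| where RoleName in~ (privileged_roles)
// A service principal landing in one of these roles is rarely a routine admin action.
| extend Severity = iff(TargetType =~ "ServicePrincipal", "High", "Medium")
| project TimeGenerated, OperationName, Initiator, InitiatorIp, TargetType,
          TargetName = tostring(Target.displayName), TargetId = tostring(Target.id),
          RoleName, Severity, CorrelationId
| order by TimeGenerated desc
```

When this is promoted to a Sentinel analytics rule, scheduling it over a short window (for example every hour over the last hour) and mapping Initiator and TargetName to account entities lets the resulting incident show who granted the role and to whom, which is the context an analyst needs to separate a change-ticketed assignment from an escalation.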

Frequently Asked Questions

Are these queries specific to the BARK toolkit?
How often should I run these detection queries?
What permissions do I need to use these detections?
How can I reduce false positives?

Additional Resources

BloodHound BARK GitHub
The official BARK toolkit repository
Azure AD Privilege Escalation Detection
Blog post on detecting Azure AD privilege escalation
Microsoft Azure AD Documentation
Official Microsoft documentation for Azure Active Directory