Identity Attack Investigation Runbook

SOC & DFIR Operations Guide

Overview & Scope

This runbook provides standardised procedures for investigating identity-based attacks across the hybrid enterprise environment. It covers detection, investigation, containment, and remediation workflows for both on-premises Active Directory and cloud identity platforms.

Identity Attack Categories

Detection Sources & Data Mapping

Log Sources Matrix

Platform

Log Table

Key Events

On-Prem AD

SecurityEvent

4624/4625, 4768/4769, 4672, 4720-4738

Entra ID

SigninLogs, AADNonInteractiveUserSignInLogs

Sign-ins, MFA, CA policies, risk events

Entra ID

AuditLogs

User/group changes, app registrations, PIM

Defender for Identity

IdentityDirectoryEvents, IdentityLogonEvents

LDAP queries, Kerberos activity, recon

Defender XDR

AlertEvidence, IdentityInfo

Correlated alerts, entity context

Cloud Apps

CloudAppEvents

SaaS activity, OAuth grants, file access

Prisma Access

PaloAltoPrismaAccess

VPN connections, GlobalProtect, ZTNA

Critical Windows Event IDs

Event ID

Description

Investigation Relevance

4624

Successful logon

Baseline normal access, identify anomalies

4625

Failed logon

Brute force, password spray detection

4648

Explicit credential logon

RunAs usage, lateral movement

4672

Special privileges assigned

Privileged access tracking

4768

Kerberos TGT requested

AS-REP roasting, initial auth

4769

Kerberos service ticket

Kerberoasting, service access

4776

NTLM authentication

Pass-the-Hash, legacy auth

4720

User account created

Persistence, rogue accounts

4732

Member added to group

Privilege escalation

4662

Directory object accessed

DCSync detection

Investigation Workflows

Compromised Account Investigation

Objective: Determine scope of compromise, identify threat actor activity, and contain the account.

Step 1: Initial Triage

Document the alert source, timestamp, and affected account(s)
Check Defender XDR for correlated incidents and alerts
Verify account type: standard user, service account, admin, or privileged
Assess business criticality and data access level

Query Entra ID SigninLogs for last 30 days of activity
Identify anomalous locations, devices, or IP addresses
Check for impossible travel scenarios
Review MFA challenge results and authentication methods
Examine Conditional Access policy evaluations

Step 3: Activity Timeline

Build timeline from first suspicious activity
Query AuditLogs for configuration changes
Check CloudAppEvents for M365 and SaaS activity
Review EmailEvents for mailbox rules and forwarding
Examine OfficeActivity for file access and sharing

Step 4: Lateral Movement Check

Query IdentityLogonEvents for on-prem authentication
Check DeviceLogonEvents for endpoint access
Review SecurityEvent for network logons (Type 3, 10)
Identify accessed systems and potential pivot points

Step 5: Containment Actions

Revoke all refresh tokens via Entra ID
Disable account if active threat confirmed
Reset password and require MFA re-registration
Review and revoke OAuth app consents
Remove any suspicious mailbox rules

Credential Attack Investigation

Objective: Identify credential-based attacks including password spray, brute force, and credential stuffing.

Detection Indicators

High volume of failed authentications from single/multiple IPs
Multiple accounts targeted with same password
Authentication attempts during unusual hours
Legacy protocol usage (POP3, IMAP, SMTP AUTH)
TOR exit node or VPN/proxy IP addresses

Investigation Steps

Aggregate failed sign-ins by IP, user, and error code
Calculate authentication failure rates and patterns
Correlate with successful authentications post-failure
Check IP reputation via threat intelligence
Identify affected accounts requiring password reset
Review Conditional Access to block attack vectors

Kerberos Attack Investigation

Objective: Detect and investigate Kerberoasting, AS-REP Roasting, Pass-the-Ticket, and Golden/Silver Ticket attacks.

Kerberoasting Indicators

Event 4769 with RC4 encryption (0x17) for service tickets
High volume of service ticket requests from single user
Requests for SPNs associated with service accounts
MDI alerts for Kerberos encryption downgrade

Golden/Silver Ticket Indicators

TGT with abnormally long lifetime
Missing or inconsistent PAC data
TGT used without corresponding AS-REQ
Service ticket without prior TGT request

KQL Query Cheat Sheet

let targetUser = "user@domain.com";
SigninLogs
| where TimeGenerated > ago(7d)
| where UserPrincipalName =~ targetUser
| summarize 
    TotalSignIns = count(),
    SuccessCount = countif(ResultType == 0),
    FailureCount = countif(ResultType != 0),
    UniqueIPs = dcount(IPAddress),
    UniqueLocations = dcount(Location),
    UniqueApps = dcount(AppDisplayName)
    by UserPrincipalName
| extend SuccessRate = round(100.0 * SuccessCount / TotalSignIns, 2)

Failed Sign-Ins with Error Details

SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != 0
| summarize 
    FailCount = count(),
    Accounts = make_set(UserPrincipalName, 100)
    by ResultType, ResultDescription, IPAddress
| where FailCount > 10
| sort by FailCount desc

Impossible Travel Detection

SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| project TimeGenerated, UserPrincipalName, Location, IPAddress
| sort by UserPrincipalName, TimeGenerated asc
| serialize
| extend PrevLocation = prev(Location), PrevTime = prev(TimeGenerated), PrevUser = prev(UserPrincipalName)
| where UserPrincipalName == PrevUser and Location != PrevLocation
| extend TimeDiffMinutes = datetime_diff('minute', TimeGenerated, PrevTime)
| where TimeDiffMinutes < 60

Password Spray Detection

Password Spray Pattern Detection

SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType in ("50126", "50053", "50055")
| summarize 
    AttemptCount = count(),
    DistinctAccounts = dcount(UserPrincipalName),
    Accounts = make_set(UserPrincipalName, 100)
    by IPAddress, bin(TimeGenerated, 10m)
| where DistinctAccounts > 10 and AttemptCount > 20
| sort by AttemptCount desc

Successful Auth After Spray

let SprayIPs = SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != 0
| summarize FailCount = count() by IPAddress
| where FailCount > 50
| project IPAddress;
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| where IPAddress in (SprayIPs)
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, Location

Defender for Identity Queries

Kerberoasting Detection

IdentityQueryEvents
| where Timestamp > ago(24h)
| where ActionType == "SAMR query"
    or QueryType == "ServicePrincipalName"
| summarize 
    QueryCount = count(),
    TargetAccounts = make_set(TargetAccountDisplayName, 50)
    by AccountDisplayName, DeviceName
| where QueryCount > 20

DCSync Detection

IdentityDirectoryEvents
| where Timestamp > ago(7d)
| where ActionType == "Directory Services replication"
| where DestinationDeviceName !contains "DC"
| project Timestamp, AccountDisplayName, DestinationDeviceName, TargetDeviceName

On-Premises AD Queries

NTLM Authentication Analysis

SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4776
| extend Status = case(
    Status == "0x0", "Success",
    Status == "0xC000006A", "Bad Password",
    Status == "0xC0000064", "User Not Found",
    "Other")
| summarize Count = count() by TargetAccount, Workstation, Status
| where Count > 50

Suspicious Service Ticket Requests (Kerberoasting)

SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4769
| where ServiceName !endswith "$"
| where TicketEncryptionType == "0x17"
| summarize 
    RequestCount = count(),
    UniqueServices = dcount(ServiceName)
    by AccountName, IpAddress
| where RequestCount > 10 or UniqueServices > 5

Privileged Group Membership Changes

SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID in (4728, 4732, 4756)
| where TargetUserName in~ (
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators")
| project TimeGenerated, EventID, SubjectAccount, MemberName, TargetUserName

Prisma Access Queries

VPN Authentication Anomalies

PaloAltoPrismaAccess
| where TimeGenerated > ago(24h)
| where EventType == "GlobalProtect"
| where Action in ("login-success", "login-fail")
| summarize 
    SuccessCount = countif(Action == "login-success"),
    FailCount = countif(Action == "login-fail")
    by User, SourceIP, Location
| where FailCount > 5

Concurrent Session Detection

PaloAltoPrismaAccess
| where TimeGenerated > ago(1h)
| where EventType == "GlobalProtect" and Action == "login-success"
| summarize 
    SessionCount = count(),
    UniqueIPs = dcount(SourceIP),
    Locations = make_set(Location)
    by User, bin(TimeGenerated, 5m)
| where UniqueIPs > 1

Response Actions & Remediation

Immediate Containment Actions

Scenario

Action

Command/Location

Compromised Cloud Account

Revoke sessions

Entra ID → Users → Revoke Sessions

Active Attack

Disable account

Set-AzureADUser -AccountEnabled $false

Token Theft

Revoke refresh tokens

Revoke-AzureADUserAllRefreshToken

On-Prem Account

Disable AD account

Disable-ADAccount -Identity <user>

Malicious OAuth App

Remove app consent

Remove-AzureADOAuth2PermissionGrant

Golden Ticket

Reset KRBTGT (2x)

Reset-KrbtgtKeyInteractive.ps1

Post-Incident Hardening

Action

Details

Enable MFA

Enforce phishing-resistant MFA (FIDO2, Windows Hello)

Conditional Access

Block legacy authentication, require compliant devices

Password Policy

Implement Azure AD Password Protection, banned password list

Privileged Access

Implement PIM for just-in-time admin access

Service Accounts

Migrate to gMSA, implement credential rotation

Monitoring

Enable Sign-in Risk and User Risk policies in Identity Protection

Quick Reference Cards

Attack Type Quick Identification

Attack Type

Key Indicators

Primary Data Source

Password Spray

Many accounts, few attempts each, same time window

SigninLogs (50126)

Brute Force

Single account, many attempts, sequential

SigninLogs, SecurityEvent 4625

MFA Fatigue

Multiple MFA prompts, user finally approves

SigninLogs (MFA required)

Kerberoasting

Bulk TGS requests, RC4 encryption, service SPNs

SecurityEvent 4769, MDI

Pass-the-Hash

NTLM auth from unusual source, no interactive logon

SecurityEvent 4776, MDI

DCSync

DS replication from non-DC, GetNCChanges

SecurityEvent 4662, MDI

Consent Phishing

OAuth grant to unknown app, excessive permissions

AuditLogs, CloudAppEvents

Entra ID Error Code Reference

Error Code

Description

Investigation Notes

50126

Invalid username or password

Common in spray attacks

50053

Account locked

Result of brute force

50074

MFA required

Check if followed by success

50076

MFA denied

User rejected - may indicate awareness

53003

Blocked by CA policy

CA working correctly

50158

External security challenge

Third-party MFA in use

50140

Keep me signed in interrupt

Normal behavior

50097

Device authentication required

Device compliance check

Escalation Matrix

Severity Classification

Severity

Criteria

Response Time

🔴 Critical

Domain Admin compromise, Golden Ticket, active data exfiltration

Immediate - 15 min response

🟠 High

Privileged account compromise, lateral movement detected

30 min - 1 hour response

🟡 Medium

Standard user compromise, ongoing password spray

4 hour response

🟢 Low

Failed attack attempts, reconnaissance activity

Next business day

Escalation Path

Tier

Responsibility

Tier 1 SOC

Initial triage, alert validation, basic containment

Tier 2 SOC

Deep investigation, advanced hunting, incident coordination

DFIR Team

Forensic analysis, malware analysis, evidence preservation

Identity Team

AD/Entra configuration changes, KRBTGT reset

CISO/Security Leadership

Critical severity incidents, breach notification decisions

Documentation Requirements

All identity incidents must include:

Initial detection timestamp and alert source
Affected account(s) and account type(s)
Attack vector and techniques (MITRE ATT&CK mapping)
Timeline of attacker activity
Systems accessed and potential data exposure
Containment actions taken with timestamps
Evidence preserved (logs, screenshots, exports)
Remediation actions and hardening recommendations

MITRE ATT&CK Mapping

Tactic

Technique

Detection

Initial Access

Valid Accounts

T1078

SigninLogs

Credential Access

Brute Force

T1110

4625, SigninLogs

Credential Access

Kerberoasting

T1558.003

4769, MDI

Credential Access

DCSync

T1003.006

4662, MDI

Lateral Movement

Pass the Hash

T1550.002

4776, MDI

Lateral Movement

Pass the Ticket

T1550.003

4768/4769, MDI

Persistence

Golden Ticket

T1558.001

4768, MDI

Persistence

Application Access Token

T1550.001

AuditLogs

Defense Evasion

Modify Authentication Process

T1556

AuditLogs, 4657

Appendix: PowerShell Commands

Entra ID / Azure AD (Microsoft Graph)

# Get user sign-in activity
Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'user@domain.com'" -Top 100

# Revoke all sessions
Revoke-MgUserSignInSession -UserId "user@domain.com"

# Get user's OAuth consent grants
Get-MgUserOauth2PermissionGrant -UserId "user@domain.com"

# Remove OAuth grant
Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId "<grant-id>"

# Check user risk state
Get-MgRiskyUser -Filter "userPrincipalName eq 'user@domain.com'"

# Get user's authentication methods
Get-MgUserAuthenticationMethod -UserId "user@domain.com"

# Force password change on next login
Update-MgUser -UserId "user@domain.com" -PasswordProfile @{ForceChangePasswordNextSignIn = $true}

On-Premises Active Directory

# Get account lockout status
Get-ADUser -Identity username -Properties LockedOut, LastBadPasswordAttempt, BadPwdCount

# Unlock account
Unlock-ADAccount -Identity username

# Check group membership
Get-ADPrincipalGroupMembership -Identity username | Select Name

# Get recent logon events
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 100

# Find service accounts with SPNs (Kerberoasting targets)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

# Get users with Kerberos pre-auth disabled (AS-REP Roasting targets)
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth

# Find recently created accounts
Get-ADUser -Filter {Created -gt $((Get-Date).AddDays(-7))} -Properties Created | Select Name, Created

# Check AdminSDHolder protected accounts
Get-ADUser -Filter {AdminCount -eq 1} -Properties AdminCount, MemberOf

Microsoft Graph API (REST)

# Get sign-ins for a user
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=userPrincipalName eq 'user@domain.com'

# Get risky sign-ins
GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers

# Revoke sign-in sessions
POST https://graph.microsoft.com/v1.0/users/{id}/revokeSignInSessions

# Get audit logs
GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=initiatedBy/user/userPrincipalName eq 'user@domain.com'

# Get OAuth2 permission grants
GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=principalId eq '{user-id}'

Note: This runbook should be reviewed and updated regularly or after significant incidents to incorporate lessons learned and emerging attack techniques.

PreviousRunbooks NextMalware Attack Investigation Runbook

Last updated 2 months ago

hashtagSOC & DFIR Operations Guide

hashtagOverview & Scope

hashtagIdentity Attack Categories

hashtagDetection Sources & Data Mapping

hashtagLog Sources Matrix

hashtagCritical Windows Event IDs

hashtagInvestigation Workflows

hashtagCompromised Account Investigation

hashtagStep 1: Initial Triage

hashtagStep 2: Sign-In Analysis

hashtagStep 3: Activity Timeline

hashtagStep 4: Lateral Movement Check

hashtagStep 5: Containment Actions

hashtagCredential Attack Investigation

hashtagDetection Indicators

hashtagInvestigation Steps

hashtagKerberos Attack Investigation

hashtagKerberoasting Indicators

hashtagGolden/Silver Ticket Indicators

hashtagKQL Query Cheat Sheet

hashtagEntra ID Sign-In Analysis

hashtagUser Sign-In Summary (Last 7 Days)

hashtagFailed Sign-Ins with Error Details

hashtagImpossible Travel Detection

hashtagPassword Spray Detection

hashtagPassword Spray Pattern Detection

hashtagSuccessful Auth After Spray

hashtagDefender for Identity Queries

hashtagKerberoasting Detection

hashtagDCSync Detection

hashtagOn-Premises AD Queries

hashtagNTLM Authentication Analysis

hashtagSuspicious Service Ticket Requests (Kerberoasting)

hashtagPrivileged Group Membership Changes

hashtagPrisma Access Queries

hashtagVPN Authentication Anomalies

hashtagConcurrent Session Detection

hashtagResponse Actions & Remediation

hashtagImmediate Containment Actions

hashtagPost-Incident Hardening

hashtagQuick Reference Cards

hashtagAttack Type Quick Identification

hashtagEntra ID Error Code Reference

hashtagEscalation Matrix

hashtagSeverity Classification

hashtagEscalation Path

hashtagDocumentation Requirements

hashtagMITRE ATT&CK Mapping

hashtagAppendix: PowerShell Commands

hashtagEntra ID / Azure AD (Microsoft Graph)

hashtagOn-Premises Active Directory

hashtagMicrosoft Graph API (REST)

SOC & DFIR Operations Guide

Overview & Scope

Identity Attack Categories

Detection Sources & Data Mapping

Log Sources Matrix

Critical Windows Event IDs

Investigation Workflows

Compromised Account Investigation

Step 1: Initial Triage

Step 2: Sign-In Analysis

Step 3: Activity Timeline

Step 4: Lateral Movement Check

Step 5: Containment Actions

Credential Attack Investigation

Detection Indicators

Investigation Steps

Kerberos Attack Investigation

Kerberoasting Indicators

Golden/Silver Ticket Indicators

KQL Query Cheat Sheet

Entra ID Sign-In Analysis

User Sign-In Summary (Last 7 Days)

Failed Sign-Ins with Error Details

Impossible Travel Detection

Password Spray Detection

Password Spray Pattern Detection

Successful Auth After Spray

Defender for Identity Queries

Kerberoasting Detection

DCSync Detection

On-Premises AD Queries

NTLM Authentication Analysis

Suspicious Service Ticket Requests (Kerberoasting)

Privileged Group Membership Changes

Prisma Access Queries

VPN Authentication Anomalies

Concurrent Session Detection

Response Actions & Remediation

Immediate Containment Actions

Post-Incident Hardening

Quick Reference Cards

Attack Type Quick Identification

Entra ID Error Code Reference

Escalation Matrix

Severity Classification

Escalation Path

Documentation Requirements

MITRE ATT&CK Mapping

Appendix: PowerShell Commands

Entra ID / Azure AD (Microsoft Graph)

On-Premises Active Directory

Microsoft Graph API (REST)