EXPLORE
Sign In
← Back to Explore
crowdstrike_cqlTTP

Account Enabled (Microsoft Defender for Identity)

Detects when a previously disabled user account is re‑enabled in Active Directory. While this may be part of normal administrative activity, it can also indicate an attempt to restore access to an account for unauthorized use and should be reviewed. Detects when a previously disabled user account is re‑enabled in Active Directory. While this may be part of normal administrative activity, it can also indicate an attempt to restore access to an account for unauthorized use and should be reviewed.

MITRE ATT&CK

T1078
initial-accesspersistenceprivilege-escalationdefense-evasion

Detection Query

#Vendor = "microsoft"
| #event.module = "defender-identity"
| Vendor.category = "AdvancedHunting-IdentityDirectoryEvents"
| event.action = "account enabled"
| #event.outcome = "success"
| table([@timestamp,user.name,user.target.name,Vendor.properties.AccountUpn,Vendor.properties.TargetAccountUpn])

Author

Kundan Kumar

Data Sources

Identity

Tags

Detectioncs_module:Identity
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Account Enabled (Microsoft Defender for Identity)

# MITRE ATT&CK technique IDs
mitre_ids:
  - T1078

# Description of what the query does and its purpose.
description: |
  Detects when a previously disabled user account is re‑enabled in Active Directory. While this may be part of normal administrative activity, it can also indicate an attempt to restore access to an account for unauthorized use and should be reviewed.

# The author or team that created the query.
author: Kundan Kumar

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Identity

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Identity

# Tags for filtering and categorization.
tags:
  - Detection

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #Vendor = "microsoft"
  | #event.module = "defender-identity"
  | Vendor.category = "AdvancedHunting-IdentityDirectoryEvents"
  | event.action = "account enabled"
  | #event.outcome = "success"
  | table([@timestamp,user.name,user.target.name,Vendor.properties.AccountUpn,Vendor.properties.TargetAccountUpn])

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  Detects when a previously disabled user account is re‑enabled in Active Directory. While this may be part of normal administrative activity, it can also indicate an attempt to restore access to an account for unauthorized use and should be reviewed.