What Changed
Five new hunting queries targeting Entra ID application-layer attacks have been added under Hunting Queries/AuditLogs/. This pack detects a complete adversary workflow in which attackers with privileged Entra ID access establish persistence, escalate privilege, and remove defenses.
Detection Surface Unlocked
All queries use AuditLogs exclusively, so they require only the Azure Active Directory data connector; no Entra ID P2 or Defender XDR licensing is needed.
Query Coverage
OAuthConsentToHighRiskPermission — Identifies consent events where newly observed applications receive high-risk delegated permissions (Mail.ReadWrite, Directory.ReadWrite.All, EWS.AccessAsUser.All, etc.). Targets canonical consent phishing patterns.
AdminConsentGrantedToApplication — Surfaces tenant-wide OAuth consent grants identified by AllPrincipals principal type. Admin consent persists beyond password resets because permissions bind to service principals, not user sessions.
AppRegistrationWithExternalRedirectUri — Detects application registrations with redirect URIs pointing to non-Microsoft domains. Attackers add attacker-controlled URIs to intercept authorization codes.
GuestAccountAddedToPrivilegedRole — Identifies guest accounts (UPN contains #EXT#) added to privileged roles including Global Administrator, Security Administrator, and Application Administrator.
ConditionalAccessPolicyDisabledOrDeleted — Surfaces CA policy deletions and enabled-to-disabled transitions. Attackers disable policies to remove MFA requirements and device compliance checks.
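As an added illustration (not one of the five YAML queries in this PR), the following KQL sketches the logic the first two entries describe: novelty of the consented application, high-risk delegated scopes, and the AllPrincipals consent type that marks a tenant-wide grant. It assumes the "Consent to application" audit event stores granted scopes in the modifiedProperty ConsentAction.Permissions as text of the form "... ConsentType: <type>, Scope: <space-separated scopes> ...", and the time windows and scope list are tunable placeholders.

```kql
// Added example, not the pack's own query. Assumes the ConsentAction.Permissions
// property layout described in the lead-in; windows and scope list are placeholders.
let novelty_window = 14d;   // an app first consented within this window counts as "new"
let history_window = 90d;   // how far back to look for earlier consent to the same app
let high_risk_scopes = dynamic([
    "Mail.ReadWrite", "Directory.ReadWrite.All", "EWS.AccessAsUser.All"]);
// Service principals that already received consent before the novelty window.
let known_apps = AuditLogs
    | where TimeGenerated between (ago(history_window) .. ago(novelty_window))
    | where OperationName == "Consent to application"
    | extend ServicePrincipalId = tostring(TargetResources[0].id)
    | distinct ServicePrincipalId;
AuditLogs
| where TimeGenerated > ago(novelty_window)
| where OperationName == "Consent to application" and Result == "success"
| extend AppDisplayName = tostring(TargetResources[0].displayName),
         ServicePrincipalId = tostring(TargetResources[0].id),
         ConsentedBy = tostring(InitiatedBy.user.userPrincipalName)
// Drop apps with earlier consent, keeping only newly observed ones.
| join kind=leftanti known_apps on ServicePrincipalId
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) == "ConsentAction.Permissions"
| extend PermissionText = tostring(Prop.newValue)
| extend ConsentType = extract(@"ConsentType:\s*(\w+)", 1, PermissionText),
         ScopeList = extract(@"Scope:\s*([^,\]]+)", 1, PermissionText)
// Scopes are space separated; expand so each one is checked individually.
| mv-expand Scope = split(trim(@"\s+", ScopeList), " ") to typeof(string)
| where Scope in (high_risk_scopes)
| summarize FirstSeen = min(TimeGenerated),
            HighRiskScopes = make_set(Scope),
            ConsentEvents = dcount(CorrelationId)
          by ServicePrincipalId, AppDisplayName, ConsentType, ConsentedBy
// AllPrincipals marks tenant-wide (admin) consent, the persistence case.
| extend TenantWide = ConsentType == "AllPrincipals"
| order by TenantWide desc, FirstSeen desc
```

Legitimately onboarded third-party apps will also surface here on first consent, so the scope list and novelty window should be tuned against the tenant's known application inventory.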
MITRE Mapping
- T1528 (Steal Application Access Token) — OAuth consent abuse and redirect URI manipulation
- T1098 (Account Manipulation) — Admin consent grants for persistence
- T1098.003 (Additional Cloud Roles) — Guest account privilege escalation
- T1556 (Modify Authentication Process) — CA policy manipulation
- T1562.001 (Disable or Modify Tools) — CA policy disablement
Attack Context
This detection pack maps to documented TTPs from Midnight Blizzard and Storm-0558 campaigns where adversaries used OAuth applications and admin consent to maintain persistent access to Microsoft 365 environments after initial compromise. The queries complement existing detections by filtering on specific risk signals: application novelty, privilege scope, and tenant-wide grants.
Affected Files
Hunting Queries/AuditLogs/AdminConsentGrantedToApplication.yaml
Hunting Queries/AuditLogs/AppRegistrationWithExternalRedirectUri.yaml
Hunting Queries/AuditLogs/ConditionalAccessPolicyDisabledOrDeleted.yaml
Hunting Queries/AuditLogs/GuestAccountAddedToPrivilegedRole.yaml
Hunting Queries/AuditLogs/OAuthConsentToHighRiskPermission.yaml