What Changed

Added comprehensive hunting pack with three queries targeting Entra ID account takeover techniques, covering initial access through post-compromise persistence patterns.

Detection Coverage

1. Device Code Authentication from Unseen ASN

Data source: SigninLogs
Logic: Detects successful device code flow sign-ins from autonomous system numbers not seen for the target user in the preceding 30 days.
Threat: Device code phishing attacks used by Midnight Blizzard - attacker initiates OAuth flow and tricks target into completing authentication.

2. New Service Principal Granted Admin Consent

Data source: AuditLogs
Logic: Correlates service principal creation with admin consent or app role assignment within a 1-hour window for the same SP.
Threat: Post-compromise persistence pattern where attacker with Application Administrator rights creates malicious app and immediately grants tenant-wide permissions.

3. Bulk Password Reset by Actor

Data source: AuditLogs
Logic: Identifies single actor resetting passwords for 3+ distinct accounts within one hour.
Threat: Attacker with User Administrator or Helpdesk privileges performing bulk resets before activity triggers alerts.
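As an added illustration of the first query's logic (not the YAML query file from this PR), the baseline-and-compare pattern in KQL against SigninLogs; AuthenticationProtocol and AutonomousSystemNumber are standard SigninLogs columns, while the 1-day detection window and the projected output columns are assumptions:

```kusto
// Baseline: ASNs each user successfully signed in from during the 30 days
// preceding the detection window (any protocol, not only device code).
let lookback = 30d;
let window = 1d;
let knownAsn = SigninLogs
    | where TimeGenerated between (ago(lookback + window) .. ago(window))
    | where ResultType == 0
    | summarize by UserPrincipalName, AutonomousSystemNumber;
// Detection: successful device code flow sign-ins in the last day whose
// user/ASN pair never appeared in the baseline.
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType == 0
| where AuthenticationProtocol =~ "deviceCode"
| join kind=leftanti knownAsn on UserPrincipalName, AutonomousSystemNumber
| project TimeGenerated, UserPrincipalName, AutonomousSystemNumber,
          IPAddress, AppDisplayName, ClientAppUsed, Location
| order by TimeGenerated desc
```

Users with no sign-ins in the baseline period (new accounts, long absences) will match on their first device code sign-in, so triage should check whether the user has any prior history before escalating.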

Security Impact

These queries fill detection gaps in Entra ID account takeover scenarios by:

  • Reducing dependencies: Uses standard Azure AD connector data rather than requiring M365 Defender
  • Correlation-based detection: Links creation and consent events for SP persistence
  • Behavioral patterns: Identifies bulk administrative actions indicating compromise

All three queries target documented attack patterns from NOBELIUM/Midnight Blizzard intrusions with low false positive rates.

MITRE Mapping

  • T1528 (Steal Application Access Token) - Device code phishing and malicious app consent
  • T1078.004 (Cloud Accounts) - Compromised cloud account abuse
  • T1098 (Account Manipulation) - Password resets for takeover
  • T1098.003 (Additional Cloud Roles) - Service principal privilege grants

Affected Files

Hunting Queries/AuditLogs/BulkPasswordResetByActor.yaml
Hunting Queries/AuditLogs/NewServicePrincipalGrantedAdminConsent.yaml
Hunting Queries/MultipleDataSources/DeviceCodeSignInFromUnseenASN.yaml