What Changed
Added a hunting pack of three queries targeting Entra ID authentication anomalies and privilege-abuse patterns that standard detections often miss.
Detection Coverage
1. Privileged Account Legacy Authentication Sign-In
Data sources: SigninLogs, AuditLogs
Logic: Detects directory role holders signing in successfully through legacy authentication clients (SMTP AUTH, IMAP4, MAPI over HTTP, EWS). These clients cannot complete MFA, so unless a Conditional Access policy blocks legacy authentication outright the sign-in goes through on a password alone. Such sign-ins are then correlated with high-impact operations initiated by the same account within one hour.
Threat: Use of stolen privileged-account credentials over legacy authentication channels on which MFA is never enforced.
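Added illustrative KQL for this first query, sketched here to show the 90-day role-holder baseline, the legacy-client filter and the one-hour correlation; it is not the YAML shipped in this PR. Column names follow the Sentinel SigninLogs and AuditLogs schema; the client list, operation names and time windows are assumptions to tune per tenant.

```kql
// Added example (not the PR's query): role holders from a 90-day baseline,
// legacy-auth sign-ins by those accounts, and high-impact audit operations
// by the same account within one hour of the sign-in.
let lookback = 90d;          // role-holder baseline
let window = 1h;             // sign-in -> operation correlation window
// ClientAppUsed values Entra reports for legacy authentication clients (assumed list; tune per tenant)
let legacyClients = dynamic(["Authenticated SMTP", "IMAP4", "POP3", "MAPI Over HTTP",
                             "Exchange Web Services", "Exchange ActiveSync", "Other clients"]);
// Representative high-impact operation names (assumed; extend as needed)
let highImpactOps = dynamic(["Add member to role", "Add eligible member to role",
                             "Add service principal credentials",
                             "Add conditional access policy", "Update conditional access policy",
                             "Delete conditional access policy"]);
// Accounts that received a directory role at any point in the baseline window
let roleHolders = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName in ("Add member to role", "Add eligible member to role")
    | mv-expand TargetResources
    | extend Upn = tolower(tostring(TargetResources.userPrincipalName))
    | where isnotempty(Upn)
    | distinct Upn;
// Successful legacy-client sign-ins by role holders (no MFA can have occurred on these)
let legacySignIns = SigninLogs
    | where TimeGenerated > ago(1d)
    | where ClientAppUsed in (legacyClients)
    | where ResultType == "0"
    | extend Upn = tolower(UserPrincipalName)
    | where Upn in (roleHolders)
    | project SignInTime = TimeGenerated, Upn, ClientAppUsed, IPAddress, AppDisplayName;
// High-impact operations initiated by the same account within the window after the sign-in
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName in (highImpactOps)
| extend Upn = tolower(tostring(InitiatedBy.user.userPrincipalName))
| where isnotempty(Upn)
| project OpTime = TimeGenerated, Upn, OperationName, Result
| join kind=inner (legacySignIns) on Upn
| where OpTime between (SignInTime .. (SignInTime + window))
| project SignInTime, OpTime, Upn, ClientAppUsed, IPAddress, AppDisplayName, OperationName, Result
| order by OpTime desc
```

The baseline deliberately keys on role-assignment events rather than on current role membership, so an account whose role was assigned 80 days ago and never touched since is still in scope; the cost is that roles removed within the window remain in the baseline until it rolls over.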
2. Guest Account Privileged Operation
Data sources: SigninLogs, AuditLogs
Logic: Identifies B2B guest accounts as the initiator (not the target) of high-impact operations: role assignments, service principal credential additions, and policy changes.
Threat: Compromised B2B guest accounts used for lateral movement and persistence, complementing existing queries that only detect guests as the target of such operations.
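Added illustrative KQL for this second query, to show the initiator-side pivot; it is not the YAML shipped in this PR. Guest identity is taken from SigninLogs.UserType with the #EXT# UPN marker as a fallback, and the lookbacks and operation names are assumptions.

```kql
// Added example (not the PR's query): B2B guests as the initiator of
// high-impact operations. Guest identity comes from SigninLogs.UserType,
// with the #EXT# UPN marker as a fallback for guests with no recent sign-in.
let highImpactOps = dynamic(["Add member to role", "Add eligible member to role",
                             "Add service principal credentials",
                             "Add conditional access policy", "Update conditional access policy",
                             "Delete conditional access policy"]);
// Guest object IDs observed signing in over the last 30 days (assumed lookback)
let guestIds = SigninLogs
    | where TimeGenerated > ago(30d)
    | where UserType == "Guest"
    | distinct UserId;
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName in (highImpactOps)
| extend InitiatorUpn = tostring(InitiatedBy.user.userPrincipalName),
         InitiatorId  = tostring(InitiatedBy.user.id),
         InitiatorIp  = tostring(InitiatedBy.user.ipAddress)
| where InitiatorId in (guestIds) or InitiatorUpn contains "#EXT#"
| mv-expand TargetResources
| extend TargetName = tostring(TargetResources.displayName),
         TargetUpn  = tostring(TargetResources.userPrincipalName)
| summarize Operations = make_set(OperationName),
            Targets    = make_set(coalesce(TargetUpn, TargetName)),
            OpCount    = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated)
    by InitiatorUpn, InitiatorId, InitiatorIp
| order by OpCount desc
```

Summarising per initiator rather than emitting one row per audit event keeps a noisy guest-admin tenant readable; drop the summarize to get back to the raw events once a guest looks suspicious.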
3. Password Reset Then Privileged Operation
Data source: AuditLogs
Logic: Detects accounts performing privileged operations within 30 minutes of having their password reset, where the reset initiator is a different actor from the target account; this cross-actor requirement excludes self-service password reset flows, which the audit log attributes to the user themselves.
Threat: Post-compromise activity in which an attacker holding password-reset rights takes over a second account by resetting its password and then acts from that account, so that subsequent privileged operations and any persistence they establish are attributed to the victim rather than to the original foothold.
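Added illustrative KQL for this third query, to show the cross-actor filter and the 30-minute correlation; it is not the YAML shipped in this PR. The reset operation name, the privileged operation list and the lookback are assumptions to confirm against the tenant's own AuditLogs.

```kql
// Added example (not the PR's query): an account that performs a privileged
// operation within 30 minutes of a password reset carried out by someone else.
// Requiring initiator != target drops SSPR and self-initiated changes, which
// the audit log attributes to the user.
let window = 30m;
let privilegedOps = dynamic(["Add member to role", "Add eligible member to role",
                             "Add service principal credentials",
                             "Add conditional access policy", "Update conditional access policy",
                             "Delete conditional access policy"]);
// Resets initiated by another user or by an app (operation name assumed; confirm per tenant)
let resets = AuditLogs
    | where TimeGenerated > ago(7d)
    | where OperationName == "Reset user password"
    | extend ResetBy = coalesce(tolower(tostring(InitiatedBy.user.userPrincipalName)),
                                tostring(InitiatedBy.app.displayName)),
             ResetIp = tostring(InitiatedBy.user.ipAddress)
    | mv-expand TargetResources
    | extend Upn = tolower(tostring(TargetResources.userPrincipalName))
    | where isnotempty(Upn) and ResetBy != Upn      // cross-actor only
    | project ResetTime = TimeGenerated, Upn, ResetBy, ResetIp;
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName in (privilegedOps)
| extend Upn  = tolower(tostring(InitiatedBy.user.userPrincipalName)),
         OpIp = tostring(InitiatedBy.user.ipAddress)
| where isnotempty(Upn)
| project OpTime = TimeGenerated, Upn, OperationName, OpIp, Result
| join kind=inner (resets) on Upn
| where OpTime between (ResetTime .. (ResetTime + window))
| extend MinutesAfterReset = datetime_diff('minute', OpTime, ResetTime),
         IpChanged = OpIp != ResetIp      // reset and follow-on action from different addresses
| project ResetTime, OpTime, MinutesAfterReset, Account = Upn, ResetBy, ResetIp,
          OpIp, IpChanged, OperationName, Result
| order by OpTime desc
```

IpChanged is a cheap triage column: a helpdesk reset followed by the user acting from their usual address is routine, while a reset from one address and a role assignment from another within minutes is the pattern this query exists to surface.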
Security Impact
These queries address advanced attack patterns by:
- Defense evasion detection: Legacy auth protocols bypassing Conditional Access controls
- Lateral movement: Guest account compromise for cross-tenant privilege escalation
- Timeline correlation: Linking password reset events with subsequent privileged actions
Role holders are identified from a 90-day lookback over role-assignment audit events, so the legacy authentication query also catches accounts whose privileges were assigned weeks or months earlier, not only recent assignments.
MITRE Mapping
- T1078.004 (Cloud Accounts) - Valid account abuse across all three patterns
- T1562.001 (Impair Defenses: Disable or Modify Tools) - Legacy authentication used to sidestep MFA enforcement
- T1098 (Account Manipulation) - Password resets for takeover
- T1098.001 (Additional Cloud Credentials) - Service principal credential manipulation
- T1098.003 (Additional Cloud Roles) - Role assignment abuse
Affected Files
Hunting Queries/AuditLogs/PasswordResetThenPrivilegedOperation.yaml
Hunting Queries/MultipleDataSources/GuestAccountPrivilegedOperation.yaml
Hunting Queries/MultipleDataSources/PrivilegedAccountLegacyAuthSignIn.yaml