What Changed
Added three hunting queries targeting identity boundary expansion techniques in Entra ID that shift permission surfaces without creating new accounts or directly adding credentials.
Detection Logic
Guest User Type Changed to Member (T1098): Detects “Update user” events where the UserType property changes from Guest to Member, granting full tenant membership, including access to internal resources and SharePoint sites that exclude guests. This is a rare operation; every hit should be correlated against help desk or access-request records.
Service Principal Owner Added (T1098.001): Detects “Add owner to service principal” events, which grant the new owner full credential management rights over the service principal. Ownership lets the owner add passwords or certificates without triggering separate credential-addition alerts; this is a documented precursor in Midnight Blizzard-style persistence chains.
OAuth Application Redirect URI Modified (T1528): Detects “Update application” events where the ReplyUrls property changes. Adding attacker-controlled redirect URIs to a trusted app registration allows OAuth authorization code interception without a new app registration, so first-seen-app detections never fire.
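The three detections above, written out as KQL against the Sentinel AuditLogs table. This is an added illustration, not the queries shipped in the PR's YAML files: it assumes the standard AuditLogs schema (OperationName, Result, InitiatedBy, TargetResources, CorrelationId), that the modified property carrying the user type is named UserType and the one carrying redirect URIs is named ReplyUrls with JSON-encoded array values, and that for the owner-add event the user and the service principal appear as separate TargetResources entries with type values User and ServicePrincipal.

```kql
// Shared shape: exact OperationName match, successful events only,
// initiator pulled directly from InitiatedBy, entities mapped to Account and IP.

// 1. Guest User Type Changed to Member (T1098)
AuditLogs
| where OperationName == "Update user"
| where Result == "success"
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) == "UserType"          // assumed property name
// old/new values are JSON-encoded strings, e.g. "\"Guest\"" -> "\"Member\""
| extend OldType = tostring(Prop.oldValue), NewType = tostring(Prop.newValue)
| where OldType has "Guest" and NewType has "Member"
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName),
         InitiatingApp  = tostring(InitiatedBy.app.displayName),
         InitiatingIp   = tostring(InitiatedBy.user.ipAddress),
         TargetUser     = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, OperationName, InitiatingUser, InitiatingApp, InitiatingIp,
          TargetUser, OldType, NewType, CorrelationId
| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = InitiatingIp

// 2. Service Principal Owner Added (T1098.001)
AuditLogs
| where OperationName == "Add owner to service principal"
| where Result == "success"
// TargetResources lists both the new owner and the service principal;
// pick each out by its type value (assumed: "User" / "ServicePrincipal").
| mv-apply Target = TargetResources on (
    summarize NewOwner = take_anyif(tostring(Target.userPrincipalName), tostring(Target.type) == "User"),
              ServicePrincipalName = take_anyif(tostring(Target.displayName), tostring(Target.type) == "ServicePrincipal"),
              ServicePrincipalId = take_anyif(tostring(Target.id), tostring(Target.type) == "ServicePrincipal")
  )
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName),
         InitiatingApp  = tostring(InitiatedBy.app.displayName),
         InitiatingIp   = tostring(InitiatedBy.user.ipAddress)
| project TimeGenerated, OperationName, InitiatingUser, InitiatingApp, InitiatingIp,
          NewOwner, ServicePrincipalName, ServicePrincipalId, CorrelationId
| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = InitiatingIp

// 3. OAuth Application Redirect URI Modified (T1528)
AuditLogs
| where OperationName == "Update application"
| where Result == "success"
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) == "ReplyUrls"         // assumed property name
// values are JSON-encoded arrays of URIs; an empty old value means none existed
| extend OldUris = coalesce(todynamic(tostring(Prop.oldValue)), dynamic([])),
         NewUris = coalesce(todynamic(tostring(Prop.newValue)), dynamic([]))
// only URIs that were added matter for interception; removals are noise here
| extend AddedUris = set_difference(NewUris, OldUris)
| where array_length(AddedUris) > 0
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName),
         InitiatingApp  = tostring(InitiatedBy.app.displayName),
         InitiatingIp   = tostring(InitiatedBy.user.ipAddress),
         AppName        = tostring(TargetResources[0].displayName),
         AppObjectId    = tostring(TargetResources[0].id)
| project TimeGenerated, OperationName, InitiatingUser, InitiatingApp, InitiatingIp,
          AppName, AppObjectId, AddedUris, OldUris, NewUris, CorrelationId
| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = InitiatingIp
```

Each query is meant to be pasted into Sentinel on its own. Before relying on the property-name filters, run the bare `OperationName` match in the tenant and inspect `TargetResources[0].modifiedProperties` to confirm which displayName carries user type and redirect URIs there; if redirect URI changes show up under a different property name, widen the `where tostring(Prop.displayName) == ...` filter accordingly. The `set_difference` step in the third query is what keeps removals of stale URIs from paging anyone.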
MITRE Mapping
- T1098 (Account Manipulation): Guest-to-member type conversion
- T1098.001 (Additional Cloud Credentials): Service principal ownership for credential access
- T1528 (Steal Application Access Token): OAuth redirect URI manipulation for token theft
Primary data source: AuditLogs table with exact OperationName matching and direct InitiatedBy field access. Entity types mapped: Account, IP address.
Affected Files
Hunting Queries/AuditLogs/ApplicationRedirectUriModified.yaml
Hunting Queries/AuditLogs/GuestUserTypeChangedToMember.yaml
Hunting Queries/AuditLogs/ServicePrincipalOwnerAdded.yaml