What Changed
Three new Entra ID hunting queries added targeting post-compromise credential staging and account persistence patterns observed in Midnight Blizzard campaigns.
Detection Coverage
Service Principal Credential Addition with Immediate Sign-In
- Data Sources: AuditLogs, AADServicePrincipalSignInLogs
- Logic: Correlates credential additions to service principals with sign-ins within 30 minutes
- Entity Mapping: CloudApplication, IP
- Gap Addressed: Complements the existing dormant-SP queries by dropping the dormancy requirement, since active service principals can also be compromised
Privileged Role Assignment to New Accounts
- Data Source: AuditLogs
- Logic: Identifies accounts receiving privileged directory roles within 24 hours of creation
- Target Roles: Global Admin, Privileged Role Admin, Application Admin, Cloud App Admin, Exchange Admin, SharePoint Admin, User Account Admin, Authentication Admin, Security Admin, Hybrid Identity Admin
- Entity Mapping: Account, IP
Temporary Access Pass Creation
- Data Source: AuditLogs
- Logic: Identifies TAP creation events that allow passwordless authentication and MFA bypass
- Entity Mapping: Account, IP
- Risk: TAP creation outside controlled onboarding indicates potential account takeover staging
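The three correlations above, as an added offline reference that is not the YAML in this PR: Python over constructed records whose field names follow the AuditLogs and AADServicePrincipalSignInLogs tables (OperationName, InitiatedBy, TargetResources, ServicePrincipalId, IPAddress). The operation-name strings, the ResultReason text for TAP registration and the modifiedProperties layout are assumptions about what the real logs carry, and every value (principals, ids, IPs, timestamps) is made up. It also demonstrates the join-key point from the Operational Notes: an "Update application" event carries the application object id, which never matches a ServicePrincipalId in the sign-in table, so only "Add service principal credentials" is used as the left side of the join.

```python
"""Offline reference for the three Entra ID correlations, over constructed records."""
from datetime import datetime, timedelta, timezone

# Full display names for the roles listed above; compared lower-cased, as in~ does.
PRIVILEGED_ROLES = {r.lower() for r in (
    "Global Administrator", "Privileged Role Administrator",
    "Application Administrator", "Cloud Application Administrator",
    "Exchange Administrator", "SharePoint Administrator",
    "User Administrator", "Authentication Administrator",
    "Security Administrator", "Hybrid Identity Administrator")}

# Assumed: only this operation exposes the service principal object id in
# TargetResources. "Update application - Certificates and secrets management"
# carries the application object id, which never equals ServicePrincipalId,
# so joining on it would silently drop every match.
SP_CREDENTIAL_OPS = {"add service principal credentials"}


def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def actor(e):
    """Direct dot-notation access to InitiatedBy.user (or .app)."""
    who = e["InitiatedBy"].get("user") or e["InitiatedBy"].get("app") or {}
    return who.get("userPrincipalName") or who.get("displayName"), who.get("ipAddress")


ALICE = {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10"}}
AUDIT_LOGS = [  # constructed sample, not a tenant export
    {"TimeGenerated": ts("2024-05-01T09:00:00"), "Result": "success", "InitiatedBy": ALICE,
     "OperationName": "Update application - Certificates and secrets management",
     "TargetResources": [{"id": "app-2222", "displayName": "BackupApp", "modifiedProperties": []}]},
    {"TimeGenerated": ts("2024-05-01T10:00:00"), "Result": "success", "InitiatedBy": ALICE,
     "OperationName": "Add service principal credentials",
     "TargetResources": [{"id": "sp-1111", "displayName": "BackupApp", "modifiedProperties": []}]},
    {"TimeGenerated": ts("2024-05-02T08:00:00"), "Result": "success", "InitiatedBy": ALICE,
     "OperationName": "Add user",
     "TargetResources": [{"id": "u-3333", "userPrincipalName": "svc-sync@contoso.example", "modifiedProperties": []}]},
    {"TimeGenerated": ts("2024-05-02T09:30:00"), "Result": "success", "InitiatedBy": ALICE,
     "OperationName": "Add member to role",
     "TargetResources": [{"id": "u-3333", "userPrincipalName": "svc-sync@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"TimeGenerated": ts("2024-05-02T10:00:00"), "Result": "success", "InitiatedBy": ALICE,
     "OperationName": "Admin registered security info",
     "ResultReason": "Admin registered temporary access pass method for user",
     "TargetResources": [{"id": "u-3333", "userPrincipalName": "svc-sync@contoso.example", "modifiedProperties": []}]},
]
SP_SIGNIN_LOGS = [  # constructed; first sign-in predates the credential add and must not match
    {"TimeGenerated": ts("2024-05-01T09:05:00"), "ServicePrincipalId": "sp-1111",
     "ServicePrincipalName": "BackupApp", "IPAddress": "198.51.100.7", "ResultType": "0"},
    {"TimeGenerated": ts("2024-05-01T10:12:00"), "ServicePrincipalId": "sp-1111",
     "ServicePrincipalName": "BackupApp", "IPAddress": "198.51.100.7", "ResultType": "0"},
]


def sp_credential_then_signin(audit, signins, window=timedelta(minutes=30)):
    """Credential added to an SP, then that SP object id signs in within the window."""
    hits = []
    for e in audit:
        if e["OperationName"].lower() not in SP_CREDENTIAL_OPS or e["Result"] != "success":
            continue
        sp_id = e["TargetResources"][0]["id"]
        for s in signins:
            delta = s["TimeGenerated"] - e["TimeGenerated"]
            if s["ServicePrincipalId"] == sp_id and timedelta(0) <= delta <= window:
                name, ip = actor(e)
                hits.append({"sp": s["ServicePrincipalName"], "added_by": name, "added_from": ip,
                             "signin_ip": s["IPAddress"], "minutes": delta.total_seconds() / 60})
    return hits


def role_name(e):
    for tr in e["TargetResources"]:
        for mp in tr.get("modifiedProperties", []):
            if mp["displayName"] == "Role.DisplayName":
                return mp["newValue"].strip('"')  # newValue is a JSON-quoted string
    return None


def privileged_role_to_new_account(audit, window=timedelta(hours=24)):
    """Privileged role granted to an account created less than `window` earlier."""
    created = {tr["id"]: e["TimeGenerated"] for e in audit
               if e["OperationName"].lower() == "add user" and e["Result"] == "success"
               for tr in e["TargetResources"]}
    hits = []
    for e in audit:
        role = role_name(e) if e["OperationName"].lower() == "add member to role" else None
        if not role or role.lower() not in PRIVILEGED_ROLES or e["Result"] != "success":
            continue
        for tr in e["TargetResources"]:
            born = created.get(tr["id"])
            if born and timedelta(0) <= e["TimeGenerated"] - born <= window:
                name, ip = actor(e)
                hits.append({"account": tr["userPrincipalName"], "role": role, "by": name, "ip": ip,
                             "hours_after_creation": (e["TimeGenerated"] - born).total_seconds() / 3600})
    return hits


def tap_created(audit):
    """TAP registration events; review these against the onboarding process."""
    return [{"account": e["TargetResources"][0]["userPrincipalName"], "by": actor(e)[0], "ip": actor(e)[1]}
            for e in audit if e["OperationName"].lower() == "admin registered security info"
            and "temporary access pass" in e.get("ResultReason", "").lower()]


if __name__ == "__main__":
    print(sp_credential_then_signin(AUDIT_LOGS, SP_SIGNIN_LOGS))
    print(privileged_role_to_new_account(AUDIT_LOGS))
    print(tap_created(AUDIT_LOGS))
```

Run stand-alone it reports one hit per detection: the BackupApp sign-in 12 minutes after its credential was added (the earlier sign-in and the application-object-id event produce nothing), the Global Administrator grant 1.5 hours after svc-sync was created, and the TAP registered for that same account. In the KQL, the two time-window checks correspond to a join on the object id followed by a where on the timestamp difference.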
MITRE Mapping
- T1098.001: Account Manipulation - Additional Cloud Credentials
- T1098.003: Account Manipulation - Additional Cloud Roles
- T1136.003: Create Account - Cloud Account
- T1528: Steal Application Access Token
- T1556.006: Modify Authentication Process - Multi-Factor Authentication
- T1098: Account Manipulation (general)
Operational Notes
All queries use proper let timeframe declarations, in~ operators for case-insensitive matching, and direct dot notation for InitiatedBy field access. The service principal query specifically addresses join-key accuracy by filtering only on operations whose TargetResources id is the service principal object ID rather than the application object ID, so the join to AADServicePrincipalSignInLogs matches.
Affected Files
Hunting Queries/AuditLogs/PrivilegedRoleAssignedToNewAccount.yaml
Hunting Queries/AuditLogs/TemporaryAccessPassCreatedForUser.yaml
Hunting Queries/MultipleDataSources/ServicePrincipalCredentialAddedThenSignedIn.yaml