Query Details

HQ 006 Guest User Privilege Escalation

Query

// =========================================================================
// HQ-006: External / Guest User Receiving Group or Role Membership
// =========================================================================
// Description : Entra ID guests (UPN contains #EXT#) should rarely receive
//               sensitive group or role memberships. Post-compromise actors
//               and insider threats escalate privileges by adding external
//               accounts to high-privilege groups. This query hunts for
//               such assignments to facilitate triage.
// MITRE ATT&CK: TA0004 Privilege Escalation
//               T1078.004 – Valid Accounts: Cloud Accounts
// Tools       : Manual attacker action, AADInternals, MicroBurst
// Severity    : High
// Data Source : AuditLogs (Azure Active Directory)
// =========================================================================

AuditLogs
| where TimeGenerated > ago(7d)
| where ActivityDisplayName in (
    "Add member to group",
    "Add member to role",
    "Add eligible member to role",
    "Add app role assignment grant to user")
| extend TargetUserDisplayName = tostring(TargetResources[0].displayName)
| extend TargetUserUPN         = tostring(TargetResources[0].userPrincipalName)
| extend TargetUserId          = tostring(TargetResources[0].id)
| extend GroupOrRole           = tostring(TargetResources[1].displayName)
| extend InitiatedByUPN        = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp        = tostring(InitiatedBy.app.displayName)
| extend Actor                 = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
// Guest accounts use the #EXT# convention in their UPN
| where TargetUserUPN has "#EXT#"
    or TargetUserDisplayName has "(Guest)"
| where Result == "success"
| project
    TimeGenerated,
    Actor,
    TargetUserDisplayName,
    TargetUserUPN,
    GroupOrRole,
    ActivityDisplayName,
    LoggedByService,
    CorrelationId
| order by TimeGenerated desc

Explanation

This query is designed to identify instances where external or guest users in Azure Active Directory (AAD, now Microsoft Entra ID) are added to groups or roles, which could indicate a security risk. Here's a simplified breakdown:

  1. Purpose: The query aims to detect when guest users (identified by "#EXT#" in their User Principal Name or "(Guest)" in their display name) are granted membership in sensitive groups or roles. This is important because such actions could be used by attackers to escalate privileges.

  2. Data Source: It uses the AuditLogs from Azure Active Directory to track these activities.

  3. Time Frame: The query looks at activities from the past 7 days.

  4. Activities Monitored: It matches four audit activities: adding a member to a group, adding a member to a role, adding an eligible member to a role (a PIM eligibility that can later be activated), and granting an app role assignment to a user.

  5. Filtering:

    • It keeps only successful operations where the target user is a guest.
    • It resolves the actor to the initiating user's UPN, or to the application's display name when the change was made by an app or service principal rather than a user.

  6. Output: The query outputs details such as the time of the activity, who initiated it, the guest user's display name and UPN, the group or role they were added to, the type of activity, the service that logged the activity, and a correlation ID for tracking.

  7. Order: The results are sorted by the time the activity was generated, in descending order, so the most recent activities appear first.

This query is a proactive measure to help identify and triage potential security threats related to privilege escalation involving guest accounts.
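As an added example (not part of the original page or the author's query), the same filtering logic re-implemented in Python so it can be checked offline against exported AuditLogs rows. The sample records and the names `hunt_guest_grants`, `is_guest` and `resolve_actor` are constructed for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Same activity list as the KQL query.
MONITORED = {"Add member to group", "Add member to role",
             "Add eligible member to role", "Add app role assignment grant to user"}

def _res(target_resources, i, key):
    """TargetResources[i].<key> as a string, '' when absent (like tostring() on a dynamic)."""
    return str(target_resources[i].get(key) or "") if i < len(target_resources) else ""

def is_guest(upn, display_name):
    """Mirror the KQL guest test: '#EXT#' in the UPN or '(Guest)' in the display name (has is case-insensitive)."""
    return "#EXT#" in upn.upper() or "(guest)" in display_name.lower()

def resolve_actor(initiated_by):
    """Initiating user's UPN, else the app / service principal display name (the iff() in the KQL)."""
    user, app = initiated_by.get("user") or {}, initiated_by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or ""

def hunt_guest_grants(records, now, window_days=7):
    """Apply the HQ-006 filters to AuditLogs-shaped dicts and return hits, newest first."""
    cutoff, hits = now - timedelta(days=window_days), []
    for r in records:
        ts = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
        tr = r.get("TargetResources", [])
        upn, name = _res(tr, 0, "userPrincipalName"), _res(tr, 0, "displayName")
        if (ts <= cutoff or r.get("ActivityDisplayName") not in MONITORED
                or r.get("Result") != "success" or not is_guest(upn, name)):
            continue  # outside the window, unmonitored activity, failed, or not a guest
        hits.append({"TimeGenerated": ts, "Actor": resolve_actor(r.get("InitiatedBy") or {}),
                     "TargetUserDisplayName": name, "TargetUserUPN": upn,
                     "GroupOrRole": _res(tr, 1, "displayName"), "ActivityDisplayName": r["ActivityDisplayName"]})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)

# Constructed sample rows (not real tenant data): two true hits and one failed operation.
NOW = datetime(2026, 4, 6, tzinfo=timezone.utc)
SAMPLE = [
    {"TimeGenerated": "2026-04-03T12:00:00Z", "ActivityDisplayName": "Add member to group", "Result": "success",
     "InitiatedBy": {"app": {"displayName": "Automation SP"}},
     "TargetResources": [{"displayName": "Alice", "userPrincipalName": "alice_partner.example#EXT#@contoso.example"},
                         {"displayName": "Finance-Admins"}]},
    {"TimeGenerated": "2026-04-05T09:00:00Z", "ActivityDisplayName": "Add eligible member to role", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"displayName": "Bob (Guest)", "userPrincipalName": "bob_vendor.example#EXT#@contoso.example"},
                         {"displayName": "Global Administrator"}]},
    {"TimeGenerated": "2026-04-04T08:00:00Z", "ActivityDisplayName": "Add member to group", "Result": "failure",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"userPrincipalName": "carol_x.example#EXT#@contoso.example"}, {"displayName": "IT-Ops"}]},
]
```

Running `hunt_guest_grants(SAMPLE, NOW)` returns the two successful guest grants with the PIM-eligible Global Administrator assignment first; the failed operation is dropped, as the KQL `Result == "success"` filter would drop it.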

Details


David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogs, Azure Active Directory, User, Group, Role Membership, Privilege Escalation, Cloud Accounts, Guest

Operators

AuditLogs, where, in, extend, tostring, iff, isnotempty, has, or, project, order by, desc
