# New Authentication App Detected

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1078.004 | Valid Accounts: Cloud Accounts | https://attack.mitre.org/techniques/T1078/004 |

#### Description
Detect a new application that is used to send authentication requests to your tenant. The authentication requests do not have to be successful: a failed sign-in from an unknown app is flagged as well. The app can either be an internal app, in which case the AppID is populated, or, if the AppID is empty, an external app. A false positive is a new app that has legitimately been taken into use within your organization. Note that the baseline is built on the application's display name, which whoever registers an app chooses freely and which is not unique; a new registration that reuses the display name of a known app is therefore not flagged by this query.

#### Risk
A malicious actor registers or installs a malicious app in your environment. Depending on the privileges (API permissions) granted to the app, it can then be used for malicious purposes such as AD reconnaissance, collecting tokens, or internal spear phishing.

#### References
- https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes
- https://www.varonis.com/blog/using-malicious-azure-apps-to-infiltrate-a-microsoft-365-tenant
- https://learn.microsoft.com/en-us/security/compass/incident-response-playbook-compromised-malicious-app
- https://www.lares.com/blog/malicious-azure-ad-application-registrations/

## Defender For Endpoint
```
// Baseline: every application name seen during the retention window, excluding the last 2 days.
let KnownApps = AADSignInEventsBeta
// Adjust the timerange depending on the retention period (advanced hunting keeps 30 days).
| where Timestamp between (ago(30d) .. ago(2d))
| distinct Application;
// Detection: sign-in attempts (successful or not) in the last 2 days from an application name not in the baseline.
AADSignInEventsBeta
| where Timestamp > ago(2d)
// in~ is case-insensitive, so a name that differs only in casing is still treated as known.
| where not(Application in~ (KnownApps))
// If the ApplicationId is empty the app is treated as a third-party (external) app.
| extend IsExternalApp = iff(isempty(ApplicationId), "True", "False")
| project-reorder IsExternalApp, Application, ApplicationId, AccountObjectId, IPAddress, ClientAppUsed, ErrorCode
// ErrorCode 0 is a successful sign-in; for the meaning of other values see: https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes
```

## Sentinel
```
// Baseline: every application display name seen during the retention window, excluding the last 2 days.
let KnownApps = SigninLogs
// Adjust the timerange depending on the retention period (90 days is the default Sentinel retention).
| where TimeGenerated between (ago(90d) .. ago(2d))
| distinct AppDisplayName;
// Detection: sign-in attempts (successful or not) in the last 2 days from an application name not in the baseline.
SigninLogs
| where TimeGenerated > ago(2d)
// in~ is case-insensitive, so a name that differs only in casing is still treated as known.
| where not(AppDisplayName in~ (KnownApps))
// If the AppId is empty the app is treated as a third-party (external) app.
| extend IsExternalApp = iff(isempty(AppId), "True", "False")
| project-reorder IsExternalApp, AppDisplayName, AppId, Identity, IPAddress, ClientAppUsed, ResultType
// ResultType 0 is a successful sign-in; for the meaning of other values see: https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes
```
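The baseline-versus-recent logic of both queries, re-implemented in Python over a handful of constructed SigninLogs-style records so it can be run offline. This is an added example, not code from the original page or from the query's author: the records, user names, IP addresses and `app-*` AppId values are placeholders, and the `key` parameter is an assumption of this example that goes beyond the page's query, letting the same baseline be built on `AppId` instead of `AppDisplayName` to show the case a name-based baseline misses.

```python
from datetime import datetime, timedelta, timezone

# Fixed clock so the run is reproducible (the KQL uses now() through ago()).
NOW = datetime(2023, 6, 7, 12, 0, tzinfo=timezone.utc)

# Constructed SigninLogs-style records for this example only; the AppId values
# are placeholders, not real Entra ID application IDs.
SIGNIN_LOGS = [
    # Sign-ins inside the baseline window (older than 2 days, within 90 days).
    {"TimeGenerated": NOW - timedelta(days=40), "AppDisplayName": "Microsoft Teams",
     "AppId": "app-teams", "Identity": "alice", "IPAddress": "203.0.113.10",
     "ClientAppUsed": "Mobile Apps and Desktop clients", "ResultType": "0"},
    {"TimeGenerated": NOW - timedelta(days=10), "AppDisplayName": "Office 365 Exchange Online",
     "AppId": "app-exo", "Identity": "bob", "IPAddress": "203.0.113.11",
     "ClientAppUsed": "Browser", "ResultType": "0"},
    # Sign-ins inside the 2-day detection window.
    {"TimeGenerated": NOW - timedelta(days=1), "AppDisplayName": "microsoft teams",  # casing differs only
     "AppId": "app-teams", "Identity": "alice", "IPAddress": "203.0.113.10",
     "ClientAppUsed": "Browser", "ResultType": "0"},
    {"TimeGenerated": NOW - timedelta(hours=30), "AppDisplayName": "Contoso Payroll Sync",
     "AppId": "", "Identity": "carol", "IPAddress": "198.51.100.7",
     "ClientAppUsed": "Browser", "ResultType": "50126"},  # failed sign-in, still a new app
    {"TimeGenerated": NOW - timedelta(hours=12), "AppDisplayName": "HR Portal",
     "AppId": "app-hr", "Identity": "dave", "IPAddress": "203.0.113.12",
     "ClientAppUsed": "Browser", "ResultType": "0"},
    {"TimeGenerated": NOW - timedelta(hours=6), "AppDisplayName": "Microsoft Teams",  # known name, new AppId
     "AppId": "app-lookalike", "Identity": "erin", "IPAddress": "198.51.100.8",
     "ClientAppUsed": "Browser", "ResultType": "0"},
]


def known_apps(logs, now, key="AppDisplayName", lookback_days=90, recent_days=2):
    """Baseline: distinct values of `key` seen between ago(lookback_days) and ago(recent_days).
    Values are case-folded to mirror the case-insensitive `in~` operator in the KQL."""
    start = now - timedelta(days=lookback_days)
    end = now - timedelta(days=recent_days)
    return {r[key].casefold() for r in logs if start <= r["TimeGenerated"] <= end}


def new_auth_apps(logs, now, key="AppDisplayName", lookback_days=90, recent_days=2):
    """Return sign-ins newer than ago(recent_days) whose `key` is not in the baseline.
    Success is not required, and IsExternalApp is derived from an empty AppId as in the KQL."""
    baseline = known_apps(logs, now, key, lookback_days, recent_days)
    cutoff = now - timedelta(days=recent_days)
    hits = []
    for r in logs:
        if r["TimeGenerated"] <= cutoff or r[key].casefold() in baseline:
            continue
        hits.append({
            "IsExternalApp": "True" if not r["AppId"] else "False",
            "AppDisplayName": r["AppDisplayName"],
            "AppId": r["AppId"],
            "Identity": r["Identity"],
            "IPAddress": r["IPAddress"],
            "ClientAppUsed": r["ClientAppUsed"],
            "ResultType": r["ResultType"],
        })
    return hits


if __name__ == "__main__":
    print("Baseline on AppDisplayName (as in the page's query):")
    for hit in new_auth_apps(SIGNIN_LOGS, NOW):
        print("  ", hit)
    print("Baseline on AppId (also catches a new registration reusing a known name):")
    for hit in new_auth_apps(SIGNIN_LOGS, NOW, key="AppId"):
        print("  ", hit)
```

Run with the name-based baseline, only "Contoso Payroll Sync" (external, failed sign-in) and "HR Portal" (internal) are returned; the lower-cased "microsoft teams" sign-in is treated as known, just as `in~` would, and the "Microsoft Teams" sign-in from `app-lookalike` is missed. Keying the baseline on `AppId` returns that lookalike as well, which is why a production rule should baseline on the ID in addition to the display name.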

Explanation

The query is designed to detect a new app that is used to send authentication requests to your tenant. The app can be either an internal app or an external app: if it is an internal app, the AppID will be populated, and if it is an external app, the AppID will be empty. The query builds a baseline of the apps already seen in the retention window, compares the last two days of sign-ins against it, and flags any app not in the baseline as a potential threat. The risk is that a malicious actor could install a malicious app in your environment, which could be used for various malicious purposes such as AD reconnaissance, collecting tokens, or internal spear phishing. The query is provided for both Defender for Endpoint and Sentinel to monitor and detect these new apps.

Details

Bert-Jan Pals

Released: June 7, 2023

Tables

AADSignInEventsBeta, SigninLogs

Keywords

Devices,Intune,User,Authentication,App,Tenant,Internal,External,FalsePositive,MaliciousActor,Privileges,ADRecon,Tokens,InternalSpearphishing,Microsoft365,AzureAD,Application,Registration,DefenderForEndpoint,Sentinel,AADSignInEventsBeta,AADSTSErrorCodes,SigninLogs

Operators

let, where, between, ago, distinct, extend, iff, isempty, project-reorder, in~