The query looks for users or service principals that attached an uncommon credential type to an application. As part of the Nobelium campaign, the attacker added credentials to already existing applications and used the application permissions to extract users' mails. See "How to: Use the portal to create a Microsoft Entra ID application and service principal that can access resources". Reference: https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | 63a191f4-a0ad-4ed7-b994-24ffc89b3596 |
| Tactics | Privilege escalation |
| Required Connectors | MicrosoftThreatProtection |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Privilege%20escalation/Add%20uncommon%20credential%20type%20to%20application%20%5BNobelium%5D.yaml) |