OAuth application redirect URI modified

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

Identifies modifications to OAuth application redirect URIs in Entra ID. Adding a redirect URI controlled by an attacker allows interception of OAuth authorization codes, enabling token theft from users who authenticate against the application.

Attribute	Value
Type	Hunting Query
Solution	Standalone Content
ID	32cf350a-01f8-4c84-9e47-4302e275eda3
Tactics	Persistence, CredentialAccess
Techniques	T1528
Required Connectors	AzureActiveDirectory
Source	[View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AuditLogs/ApplicationRedirectUriModified.yaml)

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Hunting Queries