HQ 006 Guest User Privilege Escalation
Query
// =========================================================================
// HQ-006: External / Guest User Receiving Group or Role Membership
// =========================================================================
// Description : Entra ID guests (UPN contains #EXT#) should rarely receive
// sensitive group or role memberships. Post-compromise actors
// and insider threats escalate privileges by adding external
// accounts to high-privilege groups. This query hunts for
// such assignments to facilitate triage.
// MITRE ATT&CK: TA0004 Privilege Escalation
// T1078.004 – Valid Accounts: Cloud Accounts
// Tools : Manual attacker action, AADInternals, MicroBurst
// Severity : High
// Data Source : AuditLogs (Azure Active Directory)
// =========================================================================
AuditLogs
| where TimeGenerated > ago(7d)
| where ActivityDisplayName in (
"Add member to group",
"Add member to role",
"Add eligible member to role",
"Add app role assignment grant to user")
| extend TargetUserDisplayName = tostring(TargetResources[0].displayName)
| extend TargetUserUPN = tostring(TargetResources[0].userPrincipalName)
| extend TargetUserId = tostring(TargetResources[0].id)
| extend GroupOrRole = tostring(TargetResources[1].displayName)
| extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend Actor = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
// Guest accounts use the #EXT# convention in their UPN
| where TargetUserUPN has "#EXT#"
or TargetUserDisplayName has "(Guest)"
| where Result == "success"
| project
TimeGenerated,
Actor,
TargetUserDisplayName,
TargetUserUPN,
GroupOrRole,
ActivityDisplayName,
LoggedByService,
CorrelationId
| order by TimeGenerated descExplanation
This query is designed to identify instances where external or guest users in Azure Active Directory (AAD) are added to groups or roles, which could indicate a potential security risk. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to detect when guest users (identified by "#EXT#" in their User Principal Name or marked as "(Guest)" in their display name) are granted membership in sensitive groups or roles. This is important because such actions can be used by attackers or insider threats to escalate privileges.
-
Data Source: It uses the
AuditLogsfrom Azure Active Directory to track these activities. -
Time Frame: It looks at logs from the past 7 days.
-
Activities Monitored: The query checks for specific activities such as adding a member to a group or role, or granting app role assignments to users.
-
Filtering Criteria:
- It focuses on successful operations where the target user is a guest.
- It extracts relevant details like the display name, UPN (User Principal Name), and ID of the target user, as well as the group or role they were added to.
- It also captures who initiated the action, whether it was a user or an application.
-
Output: The results are sorted by the time the action was generated, showing details like the time of the action, who performed it, the guest user involved, the group or role affected, and other relevant information.
This query helps security teams quickly identify and respond to potentially unauthorized privilege escalations involving guest users.
