
AZT203 - Malicious Application Consent

An adversary may lure a victim into granting access on their behalf to a malicious application registered in Azure AD.

Resource

Azure Active Directory

Actions

Any user can consent to an application, which will then act with that user's privileges.

Examples

N/A

Detections

Logs

Data Source | Application | Resource | Log Provider
Azure Active Directory | N/A | AAD | AuditLogs

Detection Details

Please review the incident response playbooks in the 'Additional Resources' section below.

Queries

Platform: Log Analytics

Query:

    AuditLogs | where ActivityDisplayName == "Consent to application"
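
The query above returns every consent event; triage usually also needs who consented, to which application, and for which delegated scopes. The Python below is an added example, not code from the original page or the project behind it: it applies the same filter to exported AuditLogs rows and extracts those fields. The record layout (InitiatedBy, TargetResources, the ConsentAction.Permissions and ConsentContext.IsAdminConsent properties), the helper names `prop` and `event`, the RISKY_SCOPES list and the sample events are assumptions constructed for illustration.

```python
import re

# Delegated scopes flagged for review: an illustrative list, tune it per tenant.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All"}

def prop(target, name):
    """Return the newValue of one modifiedProperties entry, outer quotes removed."""
    for p in target.get("modifiedProperties") or []:
        if p.get("displayName") == name:
            return (p.get("newValue") or "").strip('"')
    return ""

def triage_consents(records):
    """Return one finding per target of each successful consent event."""
    findings = []
    for r in records:
        # Same filter as the Log Analytics query, plus a success check.
        if r.get("ActivityDisplayName") != "Consent to application" \
                or (r.get("Result") or "").lower() != "success":
            continue
        user = ((r.get("InitiatedBy") or {}).get("user") or {}).get("userPrincipalName", "unknown")
        for t in r.get("TargetResources") or []:
            scopes = set()
            for m in re.finditer(r"Scope:\s*([^,\]]*)", prop(t, "ConsentAction.Permissions")):
                scopes.update(m.group(1).split())
            findings.append({
                "time": r.get("TimeGenerated"), "user": user, "app": t.get("displayName"),
                "admin_consent": prop(t, "ConsentContext.IsAdminConsent").lower() == "true",
                "risky_scopes": sorted(scopes & RISKY_SCOPES),
            })
    return findings

def event(time, activity, result, upn, app, scope_text):
    """Build a constructed record in the assumed AuditLogs export shape."""
    perms = '"[] => [[ConsentType: Principal, Scope: %s, CreatedDateTime: ]];"' % scope_text
    return {"TimeGenerated": time, "ActivityDisplayName": activity, "Result": result,
            "InitiatedBy": {"user": {"userPrincipalName": upn}},
            "TargetResources": [{"displayName": app, "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": '"False"'},
                {"displayName": "ConsentAction.Permissions", "newValue": perms}]}]}

# Constructed sample data; the users, apps and the .example tenant are made up.
SAMPLE = [
    event("2023-01-10T09:14:02Z", "Consent to application", "success",
          "alice@contoso.example", "PDF Viewer Pro", "offline_access Mail.Read User.Read"),
    event("2023-01-10T09:20:41Z", "Consent to application", "success",
          "bob@contoso.example", "Team Calendar", "User.Read"),
    event("2023-01-10T09:31:07Z", "Add service principal", "success",
          "carol@contoso.example", "Team Calendar", ""),
]
```

Calling `triage_consents(SAMPLE)` yields two findings; only the first carries a flagged scope, which makes it the one to review first.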

Azure Monitor Alert

Deploy to Azure