Skip to content

AZT203 - Malicious Application Consent#

An adversary may lure a victim into giving their access to a malicious application registered in AzureAD.

Resource

Azure Active Directory

Actions

Any user can consent to an application which will impersonate that user's privileges.

Examples

N/A

Detections

Logs#

Data Source Application Resource Log Location
Azure Active Directory N/A AAD Log Analytics

Queries#

AuditLogs| where ActivityDisplayName == "Consent to application"

Detection Details#

Please review the incident response playbooks in the 'Additional Resources' section below.