
Introduction:
The Midnight Blizzard cyberattack against Microsoft serves as a critical case study in advanced Entra ID (Azure AD) compromise. Threat actors demonstrated sophisticated lateral movement and privilege escalation techniques entirely within the cloud identity layer, bypassing traditional perimeter defenses. This article deconstructs the attack flow and provides actionable commands and detection strategies to fortify your own environment.
Learning Objectives:
- Understand the key attack vectors, including credential theft and application abuse, used in the Entra ID compromise.
- Learn to deploy advanced hunting queries and audit policies to detect similar attack patterns.
- Implement hardening measures for service principals, user consent, and monitoring to mitigate future threats.
You Should Know:
1. Hunting for Suspicious Service Principal Credential Adds
The addition of credentials (like certificates or secrets) to a service principal is a key persistence technique. The following Kusto Query Language (KQL) query for Microsoft Defender for Cloud Apps or Azure Activity Logs hunts for this activity.
AuditLogs
| where OperationName == "Add service principal credentials"
| where Result == "success"
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend TargetServicePrincipal = tostring(TargetResources[0].displayName)
| project TimeGenerated, OperationName, InitiatedBy, TargetServicePrincipal, Result
Step-by-step guide:
This query filters the audit log for successful “Add service principal credentials” operations. It projects the timestamp, operation, the user who performed the action, and the target service principal. Run this in your Azure Sentinel or Microsoft 365 Defender workspace. Investigate any credential additions not tied to a documented, approved automation process, especially those performed by user accounts instead of dedicated deployment pipelines.
2. Detecting Abnormal Application Consent Grants
Attackers often grant excessive permissions to a malicious application. This KQL query identifies high-risk consent grants.
AuditLogs
| where OperationName == "Consent to application"
| where Result == "success"
// modifiedProperties is positional; confirm the indices against a sample event from your own tenant
| extend ConsentType = tostring(TargetResources[0].modifiedProperties[0].newValue)
| extend AppDisplayName = tostring(TargetResources[0].displayName)
| extend Permissions = tostring(TargetResources[0].modifiedProperties[1].newValue)
| where ConsentType has "AllPrincipals" // tenant-wide (admin) consent rather than consent for a single principal
| project TimeGenerated, OperationName, InitiatedBy = tostring(InitiatedBy.user.userPrincipalName), AppDisplayName, Permissions
Step-by-step guide:
This query searches for successful application consent events, specifically filtering for “AllPrincipals” consent, which applies to the entire tenant. The output shows which user granted admin consent, the application name, and the permissions granted. Regularly review these logs and correlate them with a known catalog of approved enterprise applications. Any unexpected grant, particularly for high-privilege permissions like `Directory.ReadWrite.All` or `Mail.ReadWrite`, should be treated as a high-severity incident.
3. Enforcing Conditional Access Policies with Device Compliance
A core mitigation is to require compliant devices for accessing sensitive cloud applications. This PowerShell command retrieves the current Conditional Access policies for review.
Get-MgIdentityConditionalAccessPolicy
Step-by-step guide:
Using the Microsoft Graph PowerShell module, this cmdlet lists all existing Conditional Access policies. To create a new policy that blocks access from non-compliant devices, you would use the `New-MgIdentityConditionalAccessPolicy` cmdlet. The policy should target key applications like “Microsoft Azure Management” and “Office 365” and set the grant controls to “Require device to be marked as compliant” and “Require multi-factor authentication”. This ensures that even with stolen credentials, access is blocked from unmanaged devices.
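As an added example (not code from the original post), the policy described above built with the Microsoft Graph PowerShell SDK. It assumes a `Connect-MgGraph` session with the `Policy.ReadWrite.ConditionalAccess` scope, and `$breakGlassGroupId` is a placeholder for your emergency-access group.

```powershell
# Added example: create the compliant-device + MFA Conditional Access policy with the Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object id of the group holding your break-glass accounts (always exclude them)
$breakGlassGroupId = "<break-glass-group-object-id>"

$policy = @{
    displayName = "Require compliant device and MFA for admin portals and Office 365"
    # Start in report-only mode, review the "Report-only" results in SigninLogs, then set state = "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{
            # "Office365" is the Graph shorthand for the Office 365 app group;
            # the GUID is the appId of the "Microsoft Azure Management" (Windows Azure Service Management API) app.
            includeApplications = @("Office365", "797f4846-ba00-4fd7-ba43-dac1f8f63013")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND: both controls must be satisfied; stolen credentials alone cannot pass on an unmanaged device
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Switching the policy to "enabled" is a second call to `Update-MgIdentityConditionalAccessPolicy` once the report-only results show no unexpected blocks.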
4. Auditing Service Principals and Their Permissions
Knowing what permissions your service principals have is crucial. This PowerShell command lists all service principals and their assigned app roles.
Get-MgServicePrincipal -All | ForEach-Object {
    $sp = $_
    # App role assignments granted to this service principal (its application permissions on other resources).
    # Keep the full object from Get-MgServicePrincipal: piping through Select-Object first would drop the Id.
    $roles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    if ($roles) {
        [PSCustomObject]@{
            DisplayName = $sp.DisplayName
            AppId       = $sp.AppId
            Type        = $sp.ServicePrincipalType
            # AppRoleId is the GUID of the permission as defined by the resource (for example Microsoft Graph)
            Permissions = ($roles | Select-Object -ExpandProperty AppRoleId) -join ","
        }
    }
}
Step-by-step guide:
This script iterates through all service principals in the tenant and checks for any application role assignments. It outputs the service principal’s name, ID, type (ManagedIdentity or Application), and a list of its permission IDs. Run this script periodically to establish a baseline and hunt for service principals with excessive or unusual permissions, such as RoleManagement.ReadWrite.Directory, which allows for privilege escalation.
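The script above reports permission GUIDs, so spotting `RoleManagement.ReadWrite.Directory` by eye is hard. As an added example (not code from the original post), this resolves each `AppRoleId` to its name via the resource service principal's `AppRoles` and flags a watch list of high-privilege Graph permissions; it assumes a `Connect-MgGraph` session with `Application.Read.All`, and the watch list is an editorial starting point to extend with your own baseline.

```powershell
# Added example: resolve AppRoleId GUIDs to permission names and flag high-privilege application permissions.
$highPrivilege = @(
    "RoleManagement.ReadWrite.Directory", "Directory.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All", "Application.ReadWrite.All", "Mail.ReadWrite"
)

# Cache resource service principals so each resource's AppRoles list is fetched only once
$resourceCache = @{}

Get-MgServicePrincipal -All | ForEach-Object {
    $sp = $_
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
        $assignment = $_
        if (-not $resourceCache.ContainsKey($assignment.ResourceId)) {
            $resourceCache[$assignment.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        }
        $resource = $resourceCache[$assignment.ResourceId]
        # The resource (e.g. Microsoft Graph) defines the role; look the GUID up to get its Value
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        [PSCustomObject]@{
            ServicePrincipal = $sp.DisplayName
            AppId            = $sp.AppId
            Type             = $sp.ServicePrincipalType
            Resource         = $resource.DisplayName
            Permission       = $role.Value
            HighPrivilege    = ($highPrivilege -contains $role.Value)
        }
    }
} | Sort-Object HighPrivilege -Descending | Format-Table -AutoSize
```

Export the table to CSV on a schedule and diff it against the previous run: a new row with `HighPrivilege` set to True is the signal to investigate.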
5. Investigating Sign-Ins from Unusual Locations
Lateral movement often involves sign-ins from new, suspicious locations. This KQL query identifies sign-ins from countries not associated with the user’s typical behavior.
SigninLogs
| where ResultType == "0" // successful sign-ins only
| extend Country = tostring(LocationDetails.countryOrRegion)
| where Country !in ("United States", "United Kingdom") // Adjust allowed countries
| extend Browser = tostring(DeviceDetail.browser)
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Country, Browser, ResultDescription
Step-by-step guide:
This query filters successful sign-ins (ResultType == "0") that originate from outside a defined list of expected countries. It returns the user, the application accessed, the source IP, and the country. Integrate this query into a scheduled hunting rule to alert on access from high-risk geographic locations not typical for your organization; it does not correlate consecutive sign-ins, so pair it with a dedicated impossible-travel detection for that scenario.
6. Disabling Legacy Authentication Protocols
Legacy auth (like POP3, SMTP, IMAP) often bypasses MFA and is a favorite target for password spray attacks. Use this Exchange Online PowerShell command to check your organization’s policy.
Get-OrganizationConfig | Format-List DefaultAuthenticationPolicy, LegacyAuthProtocolsEnabled
Step-by-step guide:
This command shows the organization-wide settings for legacy authentication. To disable it, you should create and assign a new authentication policy that blocks these protocols using `New-AuthenticationPolicy` and `Set-AuthenticationPolicy`. Then, assign it to users with `Set-User -AuthenticationPolicy "Block Legacy Auth"`. This significantly reduces the attack surface for credential-based attacks.
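The procedure above carried through end to end, as an added example (not code from the original post). It assumes a `Connect-ExchangeOnline` session with Exchange administrator rights; a freshly created authentication policy blocks every Basic authentication protocol unless an `-Allow*` switch is passed, so none are passed here.

```powershell
# Added example: block Basic/legacy authentication for the whole tenant, then verify.
Connect-ExchangeOnline

# No -AllowBasicAuth* switches: the policy blocks POP3, IMAP, SMTP AUTH, ActiveSync, MAPI, etc.
New-AuthenticationPolicy -Name "Block Legacy Auth"

# Tenant default: applies to every mailbox that has no explicit per-user policy
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Legacy Auth"

# Assign explicitly to existing users as well, so a stale per-user policy cannot keep Basic auth open
Get-User -ResultSize Unlimited | Set-User -AuthenticationPolicy "Block Legacy Auth"

# Verify: every Allow* value should be False, and no user should carry a different policy
Get-AuthenticationPolicy -Identity "Block Legacy Auth" | Format-List Allow*
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -ne "Block Legacy Auth" } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

Before enforcing, hunt SigninLogs for clients still using legacy protocols so that service mailboxes or scanners relying on them are migrated rather than silently broken.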
7. Enabling Unified Audit Logging for Advanced Hunting
Without comprehensive logging, detection is impossible. This PowerShell command ensures the Unified Audit Log is activated for your Microsoft 365 tenant.
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
Step-by-step guide:
If the `UnifiedAuditLogIngestionEnabled` property is False, you must enable it to begin collecting the logs necessary for the KQL queries above. Use the Microsoft 365 Compliance Center or PowerShell to enable it. This log is the primary data source for hunting malicious activity across Entra ID, Exchange, SharePoint, and other services, and it typically retains data for 90 days by default. Enabling it is a foundational step for any detection and response program.
What Undercode Say:
- Identity is the new perimeter, and Entra ID is the keys to the kingdom. Midnight Blizzard proves that nation-state actors will exploit any misconfiguration or weak audit policy with surgical precision.
- Proactive hunting is no longer optional. Relying solely on automated alerts means you are only seeing what your tools are configured to see, leaving you blind to novel attack chains that stitch together “low-risk” events into a catastrophic breach.
The analysis of the Midnight Blizzard incident reveals a critical shift in the threat landscape. Attacks are increasingly “identity-native,” operating with a deep understanding of cloud identity systems like Entra ID. Defenders must match this sophistication by moving beyond basic MFA and compliance policies. The core lesson is that visibility is paramount; without granular audit logging and the analytical capability to parse it, an organization remains vulnerable to determined adversaries who know how to fly under the radar of default security settings. Building a resilient defense requires assuming breach and continuously hunting for the subtle artifacts of lateral movement and privilege escalation that define modern cloud intrusions.
Prediction:
The techniques demonstrated by Midnight Blizzard will be rapidly adopted by lower-tier APT groups and sophisticated cybercriminal gangs within the next 12-18 months. This will lead to a surge in cloud identity-centric breaches, forcing an industry-wide re-evaluation of service principal security and the default trust models within cloud platforms. In response, we will see the accelerated development and adoption of AI-driven identity threat detection and response (ITDR) solutions designed to baseline normal service principal behavior and flag anomalies, making identity logging and monitoring as critical as network security.
Reported By: Wojciechlesicki Konrad – Hackers Feeds