Microsoft has integrated OAuth apps into Exposure Management in Defender XDR, enhancing security visibility and control. The new attack path feature visualizes how attackers could exploit OAuth apps for lateral movement within an organization to access critical SaaS applications.
Key Features:
- Applications Page: Provides comprehensive visibility and management of SaaS and OAuth apps in the Defender XDR portal.
- Attack Surface Map: Visualizes organizational connections to OAuth apps, including app owners and permission levels.
- Advanced Hunting: All Exposure Management data is queryable in Advanced Hunting under the OAuthAppInfo table, offering detailed metadata and insights.
🔗 Reference: Microsoft Security Blog
You Should Know:
1. Monitoring OAuth Apps via PowerShell
Check registered OAuth apps in Azure AD:
Get-AzureADApplication | Select-Object DisplayName, AppId, PublisherDomain | Format-Table
2. Review OAuth Permissions
List delegated and application permissions:
Get-AzureADServicePrincipal -All $true | Where-Object { $_.Tags -contains "WindowsAzureActiveDirectoryIntegratedApp" } | ForEach-Object { $app = $_; Get-AzureADServiceAppRoleAssignment -ObjectId $app.ObjectId | Select-Object ResourceDisplayName, PrincipalDisplayName, Id }
3. Hunt Malicious OAuth Apps via KQL
Query suspicious OAuth activity in Defender Advanced Hunting:
[kql]
OAuthAppInfo
| where Permissions has "mail.read" or Permissions has "files.readwrite"
| project AppName, Publisher, Permissions, CreatedDateTime
[/kql]
4. Revoke Suspicious OAuth Grants
# List all OAuth grants
Get-AzureADOAuth2PermissionGrant | Select-Object ObjectId, ClientId, ConsentType, Scope
# Revoke a specific grant
Remove-AzureADOAuth2PermissionGrant -ObjectId <GrantId>
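Steps 2 and 4 list grants and revoke them one ObjectId at a time. The following Python is an added example (not from the original post or from Microsoft): it takes records shaped like the `ObjectId, ClientId, ConsentType, Scope` output of `Get-AzureADOAuth2PermissionGrant`, ranks the delegated scopes, escalates anything consented tenant-wide (`AllPrincipals`), and produces a revocation plan as dry-run commands. The risk tiers, the `Grant` and `Finding` classes and the sample grants are constructed for this example.

```python
"""Triage exported OAuth2 permission grants and build a revocation plan.

Added example, not part of the original post.  Input records mirror the
columns of `Get-AzureADOAuth2PermissionGrant`; the scope tiers and the
sample data below are constructed assumptions, not a Microsoft list.
"""
from dataclasses import dataclass, field

# Delegated scopes that expose mailbox, file or directory contents (assumed tiers).
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "MailboxSettings.ReadWrite", "Sites.ReadWrite.All",
}
MEDIUM_RISK_SCOPES = {"Mail.Read", "Files.Read.All", "Directory.Read.All", "Contacts.Read"}
LEVELS = ["low", "medium", "high", "critical"]


@dataclass
class Grant:
    object_id: str     # ObjectId of the grant: what Remove-AzureADOAuth2PermissionGrant needs
    client_id: str     # object id of the consented service principal
    consent_type: str  # "AllPrincipals" (admin consent) or "Principal" (one user)
    principal_id: str  # user object id for Principal consent, empty for AllPrincipals
    scope: str         # space-delimited delegated scopes, as the directory stores them


@dataclass
class Finding:
    grant: Grant
    level: str
    risky_scopes: list = field(default_factory=list)

    def revoke_command(self) -> str:
        # Same cmdlet as step 4 above; -WhatIf keeps the generated plan a dry run.
        return f"Remove-AzureADOAuth2PermissionGrant -ObjectId {self.grant.object_id} -WhatIf"


def parse_scopes(scope: str) -> list:
    """Split the Scope string; it is space-delimited and may carry stray whitespace."""
    return [s for s in scope.split() if s]


def classify(grant: Grant) -> Finding:
    """Rank one grant: highest scope tier, raised one step for tenant-wide consent."""
    scopes = parse_scopes(grant.scope)
    high = [s for s in scopes if s in HIGH_RISK_SCOPES]
    medium = [s for s in scopes if s in MEDIUM_RISK_SCOPES]
    level = "high" if high else "medium" if medium else "low"
    # Admin consent applies the scopes to every user, so widen the blast radius by a tier.
    if level != "low" and grant.consent_type == "AllPrincipals":
        level = LEVELS[LEVELS.index(level) + 1]
    return Finding(grant, level, high + medium)


def revocation_plan(grants, minimum: str = "high") -> list:
    """Return findings at or above `minimum`, in input order, for review before revoking."""
    threshold = LEVELS.index(minimum)
    return [f for f in map(classify, grants) if LEVELS.index(f.level) >= threshold]


# Constructed sample grants (ids are placeholders, not real object ids).
SAMPLE_GRANTS = [
    Grant("grant-0001", "sp-mailsync", "AllPrincipals", "", "Mail.ReadWrite Mail.Send offline_access"),
    Grant("grant-0002", "sp-viewer", "Principal", "user-42", "User.Read openid profile"),
    Grant("grant-0003", "sp-backup", "Principal", "user-7", "Files.ReadWrite.All offline_access"),
    Grant("grant-0004", "sp-report", "AllPrincipals", "", "Directory.Read.All"),
]

if __name__ == "__main__":
    for finding in revocation_plan(SAMPLE_GRANTS):
        print(f"[{finding.level}] {finding.grant.client_id} {finding.risky_scopes}")
        print("  " + finding.revoke_command())
```

Run it against a real export by building `Grant` objects from the cmdlet's output; the `-WhatIf` in the generated commands is deliberate so the plan is reviewed before anything is removed.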
5. Linux/Mac: Audit OAuth via Azure CLI
az ad app list --query "[].{Name:displayName, AppId:appId}" --output table
6. Detect Anomalous OAuth Activity
[kql]
OAuthAppInfo
| where CreatedDateTime > ago(7d)
| summarize Count = count() by AppName
| where Count > 5 // Threshold for new apps
[/kql]
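The two KQL queries in steps 3 and 6 can be reproduced offline to check the hunting logic before running it in Advanced Hunting. The Python below is an added example, not code from the original post or from Microsoft: it works on rows carrying the columns the queries project (`AppName`, `Publisher`, `Permissions`, `CreatedDateTime`), applies the same permission strings and the same 7-day window and count threshold, and adds a combined check for apps that are both recent and carry a watched permission. Representing `Permissions` as a list of strings, the fixed "now", and the sample rows are assumptions made for this example; the `has` approximation is a case-insensitive substring match, not KQL's exact term semantics.

```python
"""Offline version of the OAuthAppInfo hunts from steps 3 and 6.

Added example, not part of the original post.  Row shape follows the columns
the post's KQL projects; sample rows, the fixed clock and the list-of-strings
form of Permissions are constructed assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WATCHED_PERMISSIONS = ("mail.read", "files.readwrite")  # same strings as the KQL
NOW = datetime(2025, 3, 10, tzinfo=timezone.utc)           # fixed clock for reproducible results


def has_permission(permissions, needle: str) -> bool:
    """Approximate KQL `has`: case-insensitive match of the needle inside any permission."""
    return any(needle.lower() in p.lower() for p in permissions)


def created_at(row) -> datetime:
    return datetime.fromisoformat(row["CreatedDateTime"])


def risky_permission_apps(rows) -> list:
    """Step 3: apps whose permissions contain any watched string, in input order."""
    return [
        row["AppName"] for row in rows
        if any(has_permission(row["Permissions"], p) for p in WATCHED_PERMISSIONS)
    ]


def new_app_bursts(rows, now=NOW, window_days: int = 7, threshold: int = 5) -> dict:
    """Step 6: app names registered more than `threshold` times inside the window."""
    cutoff = now - timedelta(days=window_days)
    counts = Counter(row["AppName"] for row in rows if created_at(row) > cutoff)
    return {name: n for name, n in counts.items() if n > threshold}


def recent_and_risky(rows, now=NOW, window_days: int = 7) -> list:
    """Combined signal: watched permission and created inside the window."""
    cutoff = now - timedelta(days=window_days)
    risky = set(risky_permission_apps(rows))
    return [row["AppName"] for row in rows
            if row["AppName"] in risky and created_at(row) > cutoff]


def _row(name, publisher, perms, days_ago):
    return {
        "AppName": name, "Publisher": publisher, "Permissions": perms,
        "CreatedDateTime": (NOW - timedelta(days=days_ago)).isoformat(),
    }


# Constructed sample rows; names and publishers are placeholders.
SAMPLE_ROWS = (
    [_row("Contoso Mail Sync", "Contoso Ltd", ["Mail.Read", "offline_access"], 30),
     _row("Quick Share", "Unknown", ["Files.ReadWrite", "User.Read"], 2),
     _row("Calendar Helper", "Fabrikam", ["Calendars.Read"], 1)]
    # six registrations of one app name inside the last week: over the step 6 threshold
    + [_row("Invoice Viewer", "Unknown", ["User.Read"], d) for d in (1, 1, 2, 3, 4, 6)]
    + [_row("Old Tool", "Unknown", ["Files.ReadWrite"], 40)]
)

if __name__ == "__main__":
    print("watched permissions:", risky_permission_apps(SAMPLE_ROWS))
    print("registration bursts:", new_app_bursts(SAMPLE_ROWS))
    print("recent and risky:  ", recent_and_risky(SAMPLE_ROWS))
```

Feed it an Advanced Hunting export (CSV or JSON converted to dicts with those four columns) to compare the offline result with what the portal returns for the same window.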
What Undercode Say
OAuth apps are a prime target for attackers due to their permissions. Defender XDR’s integration allows proactive monitoring, but admins must:
– Regularly audit permissions with Get-AzureADServicePrincipal.
– Use KQL to hunt for unusual app creations or consent grants.
– Enforce least privilege via Conditional Access policies.
– Automate revocation of unused apps with PowerShell scripts.
– Cross-check app publishers via Get-AzureADApplication -Filter "DisplayName eq 'SuspiciousApp'".
Expected Output:
- Defender XDR’s OAuthAppInfo table for granular hunting.
- Attack path maps to trace lateral movement risks.
- Automated scripts to audit and revoke excessive permissions.
🔗 Explore More: Microsoft Security Blog
References:
Reported By: Markolauren Oauth – Hackers Feeds