```powershell
$ClientId = "ID-of-your-app"
$TenantId = "ID-of-your-tenant"
$ClientSecret = "Secret-of-your-app"
# Convert the client secret to a secure string
$ClientSecretPass = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force
# Create a credential object using the client ID and secure string
$ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ClientId, $ClientSecretPass
# Connect to Graph (app-only, client credentials flow)
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $ClientSecretCredential
```
| Log source | Indicator |
|---|---|
| AADServicePrincipalSignInLogs | ServicePrincipalName == name-of-abused-SP |
| AADServicePrincipalSignInLogs | AppId == ID-of-abused-app |
| Module | Log Source | Indicator |
|---|---|---|
| Get-GraphToken | Entra ID SignInLogs | AuthenticationProtocol == deviceCode |
| Get-GraphToken | Entra ID SignInLogs | ResourceDisplayName == Microsoft Graph |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/search/query |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/ |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{ID} |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/organization |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals(appId='{AppID}')/appRoleAssignedTo |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications |
| Module | Detection | Source |
|---|---|---|
| Get-GraphTokens | Yes | Unified Audit Log & Sign-In Logs |
| Invoke-RefreshGraphTokens | No | n/a |
| Get-AzureAppTokens | Yes | Sign-In Logs |
| Invoke-RefreshAzureAppTokens | No | n/a |
| Invoke-AutoTokenRefresh | No | n/a |
| Invoke-GraphRecon | Yes | MicrosoftGraphActivityLogs |
| Invoke-GraphRunner | Yes | MicrosoftGraphActivityLogs |
| Invoke-DumpCAPS | No | n/a |
| Invoke-DumpApps | Yes | MicrosoftGraphActivityLogs |
| Log source | Indicator |
|---|---|
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/ |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{Id} |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/organization |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals(appId='{AppId}')/appRoleAssignedTo |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals/{Id} |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals?$skiptoken={Token} |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals |
| Log source | Indicator |
|---|---|
| SignInLogs | AuthenticationProtocol == deviceCode |
| SignInLogs | ResourceDisplayName == Microsoft Graph |
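As an added example (not part of the original gists), the sign-in log indicators from the AADServicePrincipalSignInLogs table earlier on this page and from the SignInLogs table just above, applied to constructed sample rows. The two SignInLogs indicators are combined rather than used on their own, because device-code sign-ins and Microsoft Graph as the resource are each common in isolation; an allowlist of apps that are expected to use device code is provided as a tuning hook. The service principal check takes a watchlist of AppId values and ServicePrincipalName values, and a final helper pivots on source IP to link a suspicious user sign-in to a suspicious service principal sign-in. Column names follow the tables; the sample values, the watchlist and the helper names are assumptions for the example.

```python
# Constructed sample rows shaped like the Entra ID SignInLogs and
# AADServicePrincipalSignInLogs columns the indicator tables refer to.
SAMPLE_SIGNINS = [
    {"Table": "SignInLogs", "UserPrincipalName": "alice@contoso.example",
     "AppDisplayName": "Microsoft Office", "AuthenticationProtocol": "deviceCode",
     "ResourceDisplayName": "Microsoft Graph", "IPAddress": "203.0.113.10"},
    {"Table": "SignInLogs", "UserPrincipalName": "bob@contoso.example",
     "AppDisplayName": "Outlook", "AuthenticationProtocol": "none",
     "ResourceDisplayName": "Microsoft Graph", "IPAddress": "198.51.100.7"},
    {"Table": "SignInLogs", "UserPrincipalName": "carol@contoso.example",
     "AppDisplayName": "Azure Virtual Desktop", "AuthenticationProtocol": "deviceCode",
     "ResourceDisplayName": "Windows Azure Active Directory", "IPAddress": "198.51.100.8"},
    {"Table": "AADServicePrincipalSignInLogs", "ServicePrincipalName": "backup-automation",
     "AppId": "11111111-1111-1111-1111-111111111111",
     "ResourceDisplayName": "Microsoft Graph", "IPAddress": "203.0.113.10"},
    {"Table": "AADServicePrincipalSignInLogs", "ServicePrincipalName": "hr-sync",
     "AppId": "22222222-2222-2222-2222-222222222222",
     "ResourceDisplayName": "Microsoft Graph", "IPAddress": "192.0.2.5"},
]

# Constructed watchlist: the app/SP whose credential is suspected of being abused.
WATCHED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}
WATCHED_SP_NAMES = {"backup-automation"}


def device_code_graph_signins(records, expected_apps=frozenset()):
    """SignInLogs rows where BOTH indicators hold (device code flow and
    Microsoft Graph as resource), excluding apps known to use device code."""
    return [
        r for r in records
        if r.get("Table") == "SignInLogs"
        and r.get("AuthenticationProtocol") == "deviceCode"
        and r.get("ResourceDisplayName") == "Microsoft Graph"
        and r.get("AppDisplayName") not in expected_apps
    ]


def watched_sp_signins(records, app_ids=WATCHED_APP_IDS, sp_names=WATCHED_SP_NAMES):
    """AADServicePrincipalSignInLogs rows for a watched AppId or ServicePrincipalName."""
    return [
        r for r in records
        if r.get("Table") == "AADServicePrincipalSignInLogs"
        and (r.get("AppId") in app_ids or r.get("ServicePrincipalName") in sp_names)
    ]


def shared_source_ips(records):
    """Source IPs that appear in both a flagged user sign-in and a flagged
    service principal sign-in: a pivot for the investigation, not a verdict."""
    user_ips = {r["IPAddress"] for r in device_code_graph_signins(records)}
    sp_ips = {r["IPAddress"] for r in watched_sp_signins(records)}
    return user_ips & sp_ips


if __name__ == "__main__":
    for r in device_code_graph_signins(SAMPLE_SIGNINS):
        print("device-code Graph sign-in:", r["UserPrincipalName"], r["IPAddress"])
    for r in watched_sp_signins(SAMPLE_SIGNINS):
        print("watched SP sign-in:", r["ServicePrincipalName"], r["IPAddress"])
    print("shared IPs:", shared_source_ips(SAMPLE_SIGNINS))
```

Both checks are starting points for triage: a device-code sign-in to Microsoft Graph from a user who never used that flow before is worth a look, and an SP sign-in from an IP outside its usual range even more so, but neither indicator alone is proof of GraphRunner use.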
| Log source | Evidence |
|---|---|
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{ID}/members/$ref |
| Entra ID Audit Log | Add member to group |
| Unified Audit Log | Add member to group. |
| Log source | Indicator |
|---|---|
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/invitations |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/organization |
| Entra ID Audit Log | Invite external user |
| Entra ID Audit Log | Add user |
| Log source | Indicator |
|---|---|
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{ID}/members |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{ID}/members/$ref |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups?=securityEnabled%20eq%20true |
| MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/me |
| Entra ID Audit Log | Add member to group |
| Entra ID Audit Log | Add group |
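As an added example (not part of the original gists), the MicrosoftGraphActivityLogs URI indicators from the Invoke-GraphRecon table, the group membership table and the table just above, turned into matching logic and run over constructed sample rows. The brace placeholders in the tables ({Id}, {AppId}, {Token}, {ID}) become single-segment wildcards, so the templates are matched as patterns rather than as literal strings. Because a single request to `/organization` or `/users/` is ordinary tenant activity, the recon check fires only when one principal hits several different recon endpoints within a short window, which is the shape a scripted enumeration leaves behind; the membership check isolates POST requests to `groups/{ID}/members/$ref` so they can be paired with the "Add member to group" audit events listed above. Column names RequestUri, RequestMethod, UserId and ServicePrincipalId follow the schema of that table; the sample rows, the window, the threshold and the helper names are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# URI templates from the indicator tables. A {Placeholder} stands for a GUID
# or paging token in the real request. Order matters: more specific
# templates are listed before the bare collection they extend.
RECON_TEMPLATES = {
    "users": "https://graph.microsoft.com/v1.0/users/",
    "user_by_id": "https://graph.microsoft.com/v1.0/users/{Id}",
    "organization": "https://graph.microsoft.com/v1.0/organization",
    "app_role_assigned_to": "https://graph.microsoft.com/v1.0/servicePrincipals(appId='{AppId}')/appRoleAssignedTo",
    "applications": "https://graph.microsoft.com/v1.0/applications",
    "sp_by_id": "https://graph.microsoft.com/v1.0/servicePrincipals/{Id}",
    "sp_paged": "https://graph.microsoft.com/v1.0/servicePrincipals?$skiptoken={Token}",
    "service_principals": "https://graph.microsoft.com/v1.0/servicePrincipals",
    "search": "https://graph.microsoft.com/v1.0/search/query",
}
CHANGE_TEMPLATES = {
    "group_member_add": "https://graph.microsoft.com/v1.0/groups/{ID}/members/$ref",
    "invitation": "https://graph.microsoft.com/v1.0/invitations",
}
PLACEHOLDER = re.compile(r"\{[A-Za-z]+\}")


def template_to_regex(template):
    """Escape the literal parts of a template, replace each {Placeholder} with
    one path/query segment, and tolerate a query string unless the template
    already carries one (the $skiptoken form)."""
    parts = PLACEHOLDER.split(template)
    body = r"[^/?']+".join(re.escape(p) for p in parts)
    if "?" not in template:
        body += r"(\?.*)?"
    return re.compile("^" + body + "$")


COMPILED = {k: template_to_regex(t) for k, t in {**RECON_TEMPLATES, **CHANGE_TEMPLATES}.items()}


def classify(uri):
    """Return the template key a RequestUri matches, or None."""
    for key, rx in COMPILED.items():
        if rx.match(uri):
            return key
    return None


def principal_of(row):
    # MicrosoftGraphActivityLogs carries ServicePrincipalId for app-only
    # calls and UserId for delegated calls; use whichever is populated.
    return row.get("ServicePrincipalId") or row.get("UserId")


def recon_bursts(rows, window=timedelta(minutes=5), min_distinct=4):
    """{principal: endpoints} for principals that touched at least
    min_distinct different recon endpoints inside one sliding window."""
    events = defaultdict(list)
    for r in rows:
        key = classify(r["RequestUri"])
        if key in RECON_TEMPLATES:
            events[principal_of(r)].append((datetime.fromisoformat(r["TimeGenerated"]), key))
    hits = {}
    for principal, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {k for ts, k in evs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                hits[principal] = seen
                break
    return hits


def membership_changes(rows):
    """POST to groups/{ID}/members/$ref: pair each with an 'Add member to group'
    audit event (Entra ID audit log / UAL) for the same time and actor."""
    return [r for r in rows
            if r.get("RequestMethod") == "POST" and classify(r["RequestUri"]) == "group_member_add"]


SP = "11111111-1111-1111-1111-111111111111"  # constructed service principal id
G = "https://graph.microsoft.com/v1.0/"
SAMPLE_LOG = [  # constructed MicrosoftGraphActivityLogs-style rows
    {"TimeGenerated": "2024-05-01T09:00:00", "UserId": "alice", "RequestMethod": "GET", "RequestUri": G + "me"},
    {"TimeGenerated": "2024-05-01T10:00:01", "ServicePrincipalId": SP, "RequestMethod": "GET", "RequestUri": G + "organization"},
    {"TimeGenerated": "2024-05-01T10:00:05", "ServicePrincipalId": SP, "RequestMethod": "GET", "RequestUri": G + "users/"},
    {"TimeGenerated": "2024-05-01T10:00:12", "ServicePrincipalId": SP, "RequestMethod": "GET", "RequestUri": G + "users/9f1c2a3b-0000-0000-0000-000000000001"},
    {"TimeGenerated": "2024-05-01T10:00:30", "ServicePrincipalId": SP, "RequestMethod": "GET", "RequestUri": G + "applications?$top=999"},
    {"TimeGenerated": "2024-05-01T10:01:00", "ServicePrincipalId": SP, "RequestMethod": "GET", "RequestUri": G + "servicePrincipals"},
    {"TimeGenerated": "2024-05-01T10:01:04", "ServicePrincipalId": SP, "RequestMethod": "GET", "RequestUri": G + "servicePrincipals?$skiptoken=X%27abc%27"},
    {"TimeGenerated": "2024-05-01T10:01:10", "ServicePrincipalId": SP, "RequestMethod": "GET", "RequestUri": G + "servicePrincipals(appId='22222222-2222-2222-2222-222222222222')/appRoleAssignedTo"},
    {"TimeGenerated": "2024-05-01T10:03:20", "ServicePrincipalId": SP, "RequestMethod": "POST", "RequestUri": G + "groups/5d6e7f80-0000-0000-0000-000000000002/members/$ref"},
    {"TimeGenerated": "2024-05-01T11:00:00", "UserId": "alice", "RequestMethod": "GET", "RequestUri": G + "users/9f1c2a3b-0000-0000-0000-000000000001"},
]

if __name__ == "__main__":
    for principal, endpoints in recon_bursts(SAMPLE_LOG).items():
        print("recon burst by", principal, sorted(endpoints))
    for r in membership_changes(SAMPLE_LOG):
        print("group membership change by", principal_of(r), r["RequestUri"])
```

The window and threshold are tuning knobs: a provisioning connector may legitimately page through `servicePrincipals` and `users/` every night, so baseline each service principal's normal endpoint set before alerting, and treat the recon burst plus a following membership or invitation change by the same principal as the stronger signal.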