UserA added credentials to an application after UserB had granted it tenant-wide admin consent. This pairing of events matches a persistence technique observed in Nobelium activity: adding keys or secrets to an already-consented OAuth application or service principal so the actor can authenticate as that app and use its existing permissions (typically Mail.Read or Mail.ReadWrite). SOC teams should hunt for this behavior in Azure Sentinel, paying particular attention to cases where the account that consented and the account that added the credential differ.
KQL Query
// Stage 1: tenant-wide admin consents, with the scopes that were granted
CloudAppEvents
| where Application == "Office 365"
| where ActionType == "Consent to application."
// On these events ModifiedProperties[0] is ConsentContext.IsAdminConsent; keep admin (not user) consents only
| where RawEventData.ModifiedProperties[0].Name == "ConsentContext.IsAdminConsent" and RawEventData.ModifiedProperties[0].NewValue == "True"
// Target[3].ID is the service principal object ID, read by position
| extend spnID = tostring(RawEventData.Target[3].ID)
// The ConsentAction.Permissions value (read here by position) looks like "[] => [[Id: ..., Scope: <scopes>, ...]]"
| parse RawEventData.ModifiedProperties[4].NewValue with * "=> [[" dummy "Scope: " After "]]" *
| extend PermissionsGranted = split(After, "]",0)
| project ConsentTime = Timestamp , AccountDisplayName , spnID , PermissionsGranted
// Stage 2: secret or certificate additions on the same service principal
// (note the trailing space in the second operation name, kept as the log records it)
| join (
CloudAppEvents
| where Application == "Office 365"
| where ActionType == "Add service principal credentials." or ActionType == "Update application - Certificates and secrets management "
| extend spnID = tostring(RawEventData.Target[3].ID)
| project AddSecretTime = Timestamp, AccountDisplayName , spnID
) on spnID
// Keep credentials added after the consent by a different account (AccountDisplayName1 is the right-side actor after the join)
| where ConsentTime < AddSecretTime and AccountDisplayName <> AccountDisplayName1
id: 0d49b34e-ac5a-441f-a79f-672ad045870e
name: CredentialsAddAfterAdminConsentedToApp[Nobelium]
description: |
  Credentials were added to an application by UserA, after the application was granted admin consent rights by UserB.
  The Nobelium activity group has been observed adding credentials (x509 keys or password credentials) for one or more legitimate OAuth Applications or Service Principals, usually with existing Mail.Read or Mail.ReadWrite permissions, which grants the ability to read mail content from Exchange Online via Microsoft Graph or Outlook REST. Examples include mail archiving applications.
  See Customer Guidance on Recent Nation-State Cyber Attacks for more on the Nobelium campaign (formerly known as Solorigate).
  See Grant tenant-wide admin consent to an application for how to add admin consent to an application.
  More Nobelium-related queries can be found listed under the See also section of this document.
  References:
  https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
  https://docs.microsoft.com/azure/active-directory/manage-apps/grant-admin-consent
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - Persistence
tags:
  - Nobelium
query: |
  CloudAppEvents
  | where Application == "Office 365"
  | where ActionType == "Consent to application."
  | where RawEventData.ModifiedProperties[0].Name == "ConsentContext.IsAdminConsent" and RawEventData.ModifiedProperties[0].NewValue == "True"
  | extend spnID = tostring(RawEventData.Target[3].ID)
  | parse RawEventData.ModifiedProperties[4].NewValue with * "=> [[" dummy "Scope: " After "]]" *
  | extend PermissionsGranted = split(After, "]",0)
  | project ConsentTime = Timestamp , AccountDisplayName , spnID , PermissionsGranted
  | join (
  CloudAppEvents
  | where Application == "Office 365"
  | where ActionType == "Add service principal credentials." or ActionType == "Update application - Certificates and secrets management "
  | extend spnID = tostring(RawEventData.Target[3].ID)
  | project AddSecretTime = Timestamp, AccountDisplayName , spnID
  ) on spnID
  | where ConsentTime < AddSecretTime and AccountDisplayName <> AccountDisplayName1
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure the MicrosoftThreatProtection (Microsoft 365 Defender) data connector is enabled and streaming this table |
Scenario: UserB (a Global or Application Administrator) grants tenant-wide admin consent to a sanctioned application (for example a mail-archiving integration) during onboarding, and a second administrator, UserA, later adds a client secret or certificate to that same application to finish the onboarding. The query fires because the two actors differ.
Filter/Exclusion: Maintain an allowlist of sanctioned service principal object IDs (the spnID column) and exclude them, or require that both AccountDisplayName and AccountDisplayName1 belong to the set of accounts authorised to administer enterprise applications. Review before excluding: Nobelium targeted exactly these legitimate, already-consented applications.
Scenario: An automation or service account rotates application secrets on a schedule (for example a secret-rotation runbook), producing "Add service principal credentials." events long after the original admin consent and under an account other than the consenting administrator.
Filter/Exclusion: Exclude credential additions where AccountDisplayName1 (the account that added the credential) is the designated rotation service account; keep IPAddress in the projection so that the same account acting from an unexpected address or outside its rotation window still surfaces.
Scenario: A developer (UserB) grants admin consent to an API-testing tool (e.g., Postman) for testing, and another developer (UserA) later adds a secret to the same app registration for local testing.
Filter/Exclusion: Exclude the spnID of the development application, or limit the exclusion to a development tenant; admin consent for a testing tool in a production tenant should itself be reviewed, because it grants the tool's permissions for all users.
Scenario: A system administrator (UserB) grants admin consent to a log-collection or monitoring integration (e.g., Splunk), and a different engineer (UserA) later adds a credential to it while configuring the integration.
Filter/Exclusion: Exclude the integration's spnID once onboarding is confirmed, and record which scopes (PermissionsGranted) the integration is expected to hold, so that a later consent that adds mail or directory scopes is not silently excluded with it.
Scenario: A user (UserB) grants admin consent to a third-party identity provider or provisioning application (e.g., Okta) for identity management, and a different user (UserA) adds credentials to that application to integrate it with internal systems.
Filter/Exclusion: Exclude activities involving identity
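The two stages of the query above and the allowlist tuning suggested in the false-positive scenarios, re-implemented as an added Python example over constructed CloudAppEvents-shaped records; this is not part of the original page or Microsoft's query. The record layout (ModifiedProperties entries, Target[3].ID as the service principal ID, the `[] => [[..., Scope: ..., ...]]` permissions string), the actor names and the spn-* identifiers are assumptions made for the example. One deliberate difference from the KQL: the admin-consent flag and the permissions string are looked up by property name rather than by fixed index.

```python
"""Credentials-added-after-admin-consent join over constructed CloudAppEvents records.
Added example; the field layout is assumed from the KQL's parse/extend statements."""
from datetime import datetime, timedelta
import re

CONSENT = "Consent to application."
CRED_ACTIONS = {
    "Add service principal credentials.",
    "Update application - Certificates and secrets management ",  # trailing space as in the query
}
# Assumed layout of ConsentAction.Permissions:
#   "[] => [[Id: ..., ConsentType: AllPrincipals, Scope: Mail.Read User.Read, CreatedDateTime: ...]]"
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]*)")


def _spn_id(raw):
    # Mirrors the KQL's RawEventData.Target[3].ID (positional; an assumption)
    return raw["Target"][3]["ID"]


def _prop(raw, name):
    # Look up a ModifiedProperties entry by Name instead of by fixed index
    for p in raw.get("ModifiedProperties", []):
        if p.get("Name") == name:
            return p.get("NewValue")
    return None


def admin_consents(events):
    """Yield (time, actor, spn_id, scopes) for tenant-wide admin consents only."""
    for e in events:
        if e["Application"] != "Office 365" or e["ActionType"] != CONSENT:
            continue
        raw = e["RawEventData"]
        if _prop(raw, "ConsentContext.IsAdminConsent") != "True":
            continue
        m = SCOPE_RE.search(_prop(raw, "ConsentAction.Permissions") or "")
        scopes = m.group(1).split() if m else []
        yield e["Timestamp"], e["AccountDisplayName"], _spn_id(raw), scopes


def credential_adds(events):
    """Yield (time, actor, spn_id) for secret/certificate additions."""
    for e in events:
        if e["Application"] == "Office 365" and e["ActionType"] in CRED_ACTIONS:
            yield e["Timestamp"], e["AccountDisplayName"], _spn_id(e["RawEventData"])


def find_credentials_after_admin_consent(events, allowlist=frozenset()):
    """Join consents to later credential adds on the same SPN by a different actor.
    allowlist: sanctioned spnIDs to suppress (the tuning described in the scenarios)."""
    creds = list(credential_adds(events))
    hits = []
    for consent_time, consenter, spn, scopes in admin_consents(events):
        if spn in allowlist:
            continue
        for add_time, adder, cred_spn in creds:
            if cred_spn == spn and consent_time < add_time and adder != consenter:
                hits.append({"spnID": spn, "ConsentTime": consent_time, "ConsentBy": consenter,
                             "AddSecretTime": add_time, "AddSecretBy": adder,
                             "PermissionsGranted": scopes})
    return hits


def _event(ts, action, actor, spn, admin_consent=None, scope=None):
    """Build one constructed CloudAppEvents-shaped record (sample data, not real audit output)."""
    raw = {"Target": [{"ID": f"ServicePrincipal_{spn}"}, {"ID": spn},
                      {"ID": "ServicePrincipal"}, {"ID": spn}]}
    if action == CONSENT:
        raw["ModifiedProperties"] = [
            {"Name": "ConsentContext.IsAdminConsent", "NewValue": admin_consent},
            {"Name": "ConsentContext.IsAppOnly", "NewValue": "False"},
            {"Name": "ConsentContext.OnBehalfOfAll", "NewValue": admin_consent},
            {"Name": "ConsentContext.Tags", "NewValue": ""},
            {"Name": "ConsentAction.Permissions", "NewValue":
             f"[] => [[Id: perm-1, ConsentType: AllPrincipals, Scope: {scope}, "
             f"CreatedDateTime: {ts.isoformat()}]]"},
        ]
    return {"Timestamp": ts, "Application": "Office 365", "ActionType": action,
            "AccountDisplayName": actor, "RawEventData": raw}


T0 = datetime(2021, 1, 10, 9, 0)
SAMPLE_EVENTS = [  # constructed
    _event(T0, CONSENT, "UserB", "spn-archiver", "True", "Mail.Read User.Read"),
    _event(T0 + timedelta(days=2), "Add service principal credentials.", "UserA", "spn-archiver"),
    _event(T0 + timedelta(days=3), "Add service principal credentials.", "UserB", "spn-archiver"),  # same actor
    _event(T0, CONSENT, "UserB", "spn-monitoring", "True", "AuditLog.Read.All"),
    _event(T0 + timedelta(hours=6), "Update application - Certificates and secrets management ",
           "UserA", "spn-monitoring"),
    _event(T0 + timedelta(days=1), "Add service principal credentials.", "UserA", "spn-late"),  # before consent
    _event(T0 + timedelta(days=2), CONSENT, "UserB", "spn-late", "True", "User.Read"),
    _event(T0, CONSENT, "UserC", "spn-userconsent", "False", "User.Read"),  # user consent, not admin
    _event(T0 + timedelta(days=1), "Add service principal credentials.", "UserA", "spn-userconsent"),
]

if __name__ == "__main__":
    for hit in find_credentials_after_admin_consent(SAMPLE_EVENTS, allowlist={"spn-monitoring"}):
        print(hit)
```

Without an allowlist the sample yields two hits (spn-archiver and spn-monitoring); allowlisting the sanctioned monitoring integration leaves only the mail-archiver case, which is the Nobelium pattern the query is built for. The same-actor credential add, the secret added before consent, and the user-scope consent are all dropped, matching the three conditions in the KQL's final `where`.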