LoFP / Administrator may legitimately add new owners for service principals. Filter as needed.

Techniques

Sample rules

Azure AD Service Principal Owner Added

Description

The following analytic detects the addition of a new owner to a Service Principal within an Azure AD tenant. It leverages Azure Active Directory events from the AuditLogs category, matching the audit operation "Add owner to application" and excluding events where the initiating user added themselves. This behavior is significant because service principals authenticate with a secret or certificate: multi-factor authentication does not apply to them, and conditional access covers them only where the tenant has licensed and configured workload identity policies. That makes ownership of a service principal an attractive foothold for adversaries seeking persistence or privilege escalation, since an owner can add credentials to it. If confirmed malicious, this activity could allow attackers to maintain access to the Azure AD environment with single-factor authentication, potentially leading to unauthorized access and control over critical resources.

Detection logic

`azure_monitor_aad`  operationName="Add owner to application" 
| rename properties.* as * 
| rename initiatedBy.user.userPrincipalName as initiatedBy 
| rename targetResources{}.userPrincipalName as newOwner 
| rename targetResources{}.modifiedProperties{}.newValue as displayName 
| eval displayName = mvindex(displayName,1) 
| where initiatedBy!=newOwner 
| stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, newOwner 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_service_principal_owner_added_filter`
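To see what the search above actually emits, here is an added Python re-implementation of the same pipeline (rename, mvindex, where, stats, ctime formatting) run over constructed Azure Monitor AuditLogs records. This is example code written for this page, not part of the Splunk security content project. It assumes the field shapes the SPL relies on: `properties.initiatedBy.user.userPrincipalName` for the actor, a `User` target resource carrying the new owner's UPN, and `modifiedProperties` ordered ObjectID, DisplayName, AppId so that index 1 is the application display name. The `allowlisted_initiators` argument stands in for the `_filter` macro; the sample events, UPNs and application names are made up.

```python
"""Added example: Azure AD Service Principal Owner Added, re-implemented in Python
over constructed AuditLogs records. Not the project's own code."""
import json
from collections import defaultdict
from datetime import datetime

OPERATION = "Add owner to application"   # operationName the SPL filters on
CTIME = "%m/%d/%Y %H:%M:%S"              # format produced by security_content_ctime


def user(upn):
    """initiatedBy shape for a human actor (assumed schema)."""
    return {"user": {"userPrincipalName": upn}}


def event(ts, op, initiator, owner, app_name, result="success"):
    """Build one constructed AuditLogs record; ids and names are placeholders."""
    return {
        "time": ts,
        "operationName": op,
        "properties": {
            "result": result,
            "initiatedBy": initiator,
            "targetResources": [
                {"type": "User", "userPrincipalName": owner,
                 # Assumed ordering: index 1 is what mvindex(displayName, 1) picks
                 "modifiedProperties": [
                     {"displayName": "Application.ObjectID", "newValue": "obj-" + app_name},
                     {"displayName": "Application.DisplayName", "newValue": app_name},
                     {"displayName": "Application.AppId", "newValue": "app-" + app_name},
                 ]},
                {"type": "Application", "displayName": app_name, "modifiedProperties": []},
            ],
        },
    }


# Constructed sample events (not real tenant data)
SAMPLE_EVENTS = [
    event("2024-03-04T10:15:00+00:00", OPERATION, user("alice@contoso.example"),
          "bob@contoso.example", "Payroll Sync"),
    event("2024-03-04T10:17:30+00:00", OPERATION, user("alice@contoso.example"),
          "bob@contoso.example", "HR Portal"),
    # Self-add: initiatedBy == newOwner, dropped by the where clause
    event("2024-03-04T11:00:00+00:00", OPERATION, user("carol@contoso.example"),
          "carol@contoso.example", "Build Bot"),
    # Initiated by an application, so initiatedBy.user.userPrincipalName is null
    event("2024-03-04T11:05:00+00:00", OPERATION, {"app": {"displayName": "Provisioning Automation"}},
          "dave@contoso.example", "Finance API"),
    # Sibling audit operation, not matched by the operationName filter
    event("2024-03-04T11:10:00+00:00", "Add owner to service principal", user("alice@contoso.example"),
          "erin@contoso.example", "Payroll Sync"),
]


def flatten(rec):
    """Mirror the SPL rename/eval stage for one record."""
    p = rec["properties"]
    targets = p.get("targetResources", [])
    upns = [t["userPrincipalName"] for t in targets if t.get("userPrincipalName")]
    # targetResources{}.modifiedProperties{}.newValue flattens across all targets
    new_values = [mp.get("newValue") for t in targets for mp in t.get("modifiedProperties", [])]
    return {
        "_time": datetime.fromisoformat(rec["time"]),
        "operationName": rec["operationName"],
        "result": p.get("result"),
        "initiatedBy": p.get("initiatedBy", {}).get("user", {}).get("userPrincipalName"),
        "newOwner": upns[0] if upns else None,
        "displayName": new_values[1] if len(new_values) > 1 else None,  # mvindex(...,1)
    }


def detect(events, allowlisted_initiators=frozenset()):
    """Run the rule and return the rows the stats clause would produce."""
    groups = defaultdict(list)
    for rec in events:
        if rec["operationName"] != OPERATION:
            continue
        row = flatten(rec)
        # where initiatedBy!=newOwner: a null on either side fails the comparison in
        # SPL, so app-initiated owner additions silently fall out of the results.
        if not row["initiatedBy"] or not row["newOwner"] or row["initiatedBy"] == row["newOwner"]:
            continue
        if row["initiatedBy"] in allowlisted_initiators:   # stand-in for the _filter macro
            continue
        groups[(row["initiatedBy"], row["result"], row["operationName"], row["newOwner"])].append(row)
    out = []
    for (initiated_by, result, op, new_owner), rows in groups.items():
        times = [r["_time"] for r in rows]
        out.append({
            "initiatedBy": initiated_by, "result": result, "operationName": op,
            "newOwner": new_owner, "count": len(rows),
            "firstTime": min(times).strftime(CTIME),
            "lastTime": max(times).strftime(CTIME),
            "displayName": sorted({r["displayName"] for r in rows if r["displayName"]}),
        })
    return out


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

Running it yields a single row: alice added bob as owner of two applications, count 2, first and last time in the ctime format. Two of the dropped events are worth a second look when tuning: the app-initiated change is lost because `initiatedBy.user.userPrincipalName` is null and the `where` clause discards it, and "Add owner to service principal" is a separate audit operation that this search's `operationName` filter does not match.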