An administrator may legitimately add new owners for service principals. Filter as needed.

Techniques

Sample rules

Azure AD Service Principal Owner Added

Description

The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used by applications, services, and automated tools to access resources; it is similar to a service account within an Active Directory environment. Service Principal authentication supports neither multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner to an existing Service Principal to establish persistence and obtain single-factor access to an Azure AD environment. Attackers looking to escalate their privileges by leveraging a Service Principal's permissions may also add a new owner.

Detection logic

`azure_monitor_aad` operationName="Add owner to application"
| rename properties.* as *
| rename initiatedBy.user.userPrincipalName as initiatedBy
| rename targetResources{}.userPrincipalName as newOwner
| rename targetResources{}.modifiedProperties{}.newValue as displayName
| eval displayName = mvindex(displayName,1)
| where initiatedBy!=newOwner
| stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, newOwner
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_service_principal_owner_added_filter`
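The search above re-implemented in Python over constructed Azure AD audit records, so the field extraction, the self-change exclusion and the grouping can be checked offline. This is an added example, not the page's or Splunk's own code; the record shape mirrors only the fields the SPL renames, and every value (UPNs, timestamps, object id) is constructed.

```python
from collections import defaultdict

OP_NAME = "Add owner to application"


def _event(ts, actor, owner, display_name, result="success", op=OP_NAME):
    """Build one constructed audit record in the nested shape the SPL flattens.
    newValue index 1 is the application display name, matching mvindex(displayName, 1)."""
    return {"_time": ts, "operationName": op, "properties": {
        "result": result,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{"userPrincipalName": owner, "modifiedProperties": [
            {"newValue": "app-object-id-placeholder"},  # constructed, stands in for the object id
            {"newValue": display_name}]}]}}


# Constructed sample log: two real additions, one self-add, one unrelated operation, one failure.
SAMPLE_EVENTS = [
    _event(1700000000, "admin@example.test", "contractor@example.test", "Billing Automation"),
    _event(1700000600, "admin@example.test", "contractor@example.test", "Billing Automation"),
    _event(1700001200, "admin@example.test", "admin@example.test", "Billing Automation"),  # initiatedBy == newOwner
    _event(1700001800, "admin@example.test", "contractor@example.test", "Reporting", op="Add service principal"),
    _event(1700002400, "helpdesk@example.test", "intern@example.test", "HR Sync", result="failure"),
]


def detect_owner_added(events):
    """Mirror the SPL: filter operationName, flatten the renamed fields, drop self-changes,
    then stats count/min/max/values by initiatedBy, result, operationName, newOwner."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "displayName": set()})
    for ev in events:
        if ev.get("operationName") != OP_NAME:
            continue
        props = ev["properties"]
        initiated_by = props["initiatedBy"]["user"]["userPrincipalName"]
        targets = props.get("targetResources", [])
        owners = [t["userPrincipalName"] for t in targets if t.get("userPrincipalName")]
        # All newValue entries across targetResources form one multivalue field; take index 1.
        new_values = [m["newValue"] for t in targets for m in t.get("modifiedProperties", [])]
        display_name = new_values[1] if len(new_values) > 1 else None
        for new_owner in owners:
            if initiated_by == new_owner:
                continue  # "where initiatedBy!=newOwner": a user adding themselves is not flagged
            g = groups[(initiated_by, props["result"], ev["operationName"], new_owner)]
            g["count"] += 1
            g["firstTime"] = ev["_time"] if g["firstTime"] is None else min(g["firstTime"], ev["_time"])
            g["lastTime"] = ev["_time"] if g["lastTime"] is None else max(g["lastTime"], ev["_time"])
            if display_name:
                g["displayName"].add(display_name)
    return dict(groups)


if __name__ == "__main__":
    for key, stats in detect_owner_added(SAMPLE_EVENTS).items():
        print(key, stats)
```

The LoFP note at the top of this page corresponds to the final `_filter` macro: an allow-list of known administrators would be applied to the `initiatedBy` key of the returned groups.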