Techniques
Sample rules
Azure AD Privileged Role Assigned to Service Principal
- source: splunk
- technicques:
- T1098
- T1098.003
Description
The following analytic detects the assignment of privileged roles to service principals in Azure Active Directory (AD). It leverages the AuditLogs log category from ingested Azure AD events. This activity is significant because assigning elevated permissions to non-human entities can lead to unauthorized access or malicious activities. If confirmed malicious, attackers could exploit these service principals to gain elevated access to Azure resources, potentially compromising sensitive data and critical infrastructure. Monitoring this behavior helps prevent privilege escalation and ensures the security of Azure environments.
Detection logic
`azure_monitor_aad` operationName="Add member to role"
| rename properties.* as *
| search "targetResources{}.type"=ServicePrincipal
| rename initiatedBy.user.userPrincipalName as initiatedBy
| rename targetResources{}.modifiedProperties{}.newValue as roles
| eval role=mvindex(roles,1)
| rename targetResources{}.displayName as apps
| eval displayName=mvindex(apps,0)
| stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by initiatedBy, result, operationName, role
| lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description
| search isprvilegedadrole = True
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_privileged_role_assigned_to_service_principal_filter`
O365 Privileged Role Assigned To Service Principal
- source: splunk
- technicques:
- T1098
- T1098.003
Description
The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. This detection leverages the O365 Universal Audit Log data source.
Detection logic
`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.")
| eval user = ObjectId, src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex('Target{}.ID',2)
| stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, user, category, result, object_name, object_id, signature
| lookup privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole
| search isprvilegedadrole="TRUE" category!="User"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_privileged_role_assigned_to_service_principal_filter`