Techniques
Sample rules
Azure AD Service Principal New Client Credentials
- source: splunk
- techniques:
- T1098
- T1098.001
Description
The following analytic detects the addition of new credentials (client secrets or certificates) to Service Principals and Applications in Azure AD. It leverages Azure AD AuditLogs, specifically monitoring the “Update application*Certificates and secrets management” operation; the asterisk is the SPL wildcard standing in for the dash in the operation name, and the trailing space in the search string is part of the name as logged. This activity is significant as it may indicate an adversary attempting to maintain persistent access or escalate privileges within the Azure environment. If confirmed malicious, attackers could use these new credentials to authenticate as the service principal, potentially compromising sensitive accounts and resources, leading to unauthorized access and control over the Azure environment.
Detection logic
`azure_monitor_aad` category=AuditLogs operationName="Update application*Certificates and secrets management "
| rename properties.* as *
| rename targetResources{}.* as *
| stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by user, modifiedProperties{}.newValue, src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_service_principal_new_client_credentials_filter`
O365 Service Principal New Client Credentials
- source: splunk
- techniques:
- T1098
- T1098.001
Description
The following analytic detects the addition of new credentials for Service Principals within an Office 365 tenant. It uses O365 audit logs, focusing on events related to credential modifications or additions in the AzureActiveDirectory workload. This activity is significant because Service Principals represent application identities, and their credentials allow applications to authenticate and access resources. If an attacker successfully adds or modifies these credentials, they can impersonate the application, leading to unauthorized data access, data exfiltration, or malicious operations under the application’s identity.
Detection logic
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update application*Certificates and secrets management "
| stats earliest(_time) as firstTime latest(_time) as lastTime by user ModifiedProperties{}.NewValue object ObjectId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_service_principal_new_client_credentials_filter`
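The two analytics above re-implemented in Python and run over constructed sample events, as an added example that is not part of the original rules or of Splunk's content. It reproduces the operation-name glob (including the trailing space and the wildcard that absorbs the dash, which is encoded differently across exports) and the `stats ... by` grouping of both searches. The field mappings are assumptions about the add-ons' CIM aliases: for the Azure Monitor feed, `user` and `src_ip` from `properties.initiatedBy.user.userPrincipalName` and `.ipAddress`; for the O365 feed, `user` from `UserId` and `object` from `Target{}.ID`. Adjust them to what your sourcetypes actually expose.

```python
import fnmatch
from datetime import datetime, timezone

# Same glob as the SPL. The '*' absorbs the dash between "application" and
# "Certificates" (en dash in the portal, sometimes a hyphen in exports) and the
# trailing space is part of the logged operation name, so it stays in the pattern.
OPERATION_PATTERN = "Update application*Certificates and secrets management "


def operation_matches(name):
    """Splunk-style, case-sensitive glob match of an operation name."""
    return fnmatch.fnmatchcase(name or "", OPERATION_PATTERN)


def _epoch(iso):
    dt = datetime.fromisoformat(iso.replace("Z", "+00:00"))
    if dt.tzinfo is None:          # O365 CreationTime carries no zone; it is UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def aggregate(rows, keys):
    """Equivalent of `stats count min(_time) max(_time) values(displayName) by <keys>`."""
    out = {}
    for r in rows:
        k = tuple(r[x] for x in keys)
        e = out.setdefault(k, {"count": 0, "firstTime": r["_time"],
                               "lastTime": r["_time"], "displayName": set()})
        e["count"] += 1
        e["firstTime"] = min(e["firstTime"], r["_time"])
        e["lastTime"] = max(e["lastTime"], r["_time"])
        if r.get("displayName"):
            e["displayName"].add(r["displayName"])
    return out


def detect_aad(events):
    """Azure AD rule: one row per (user, modifiedProperties newValue, src_ip).
    Assumed mapping: user <- properties.initiatedBy.user.userPrincipalName,
    src_ip <- properties.initiatedBy.user.ipAddress."""
    rows = []
    for ev in events:
        if ev.get("category") != "AuditLogs" or not operation_matches(ev.get("operationName")):
            continue
        p = ev["properties"]
        actor = p.get("initiatedBy", {}).get("user", {})
        for tr in p.get("targetResources", []):          # rename targetResources{}.* as *
            for mp in tr.get("modifiedProperties", []):  # multivalue field -> one row each
                rows.append({"_time": _epoch(ev["time"]), "user": actor.get("userPrincipalName"),
                             "newValue": mp.get("newValue"), "src_ip": actor.get("ipAddress"),
                             "displayName": tr.get("displayName")})
    return aggregate(rows, ("user", "newValue", "src_ip"))


def detect_o365(events):
    """O365 rule: one row per (user, ModifiedProperties NewValue, object, ObjectId).
    Assumed mapping: user <- UserId, object <- Target{}.ID."""
    rows = []
    for ev in events:
        if ev.get("Workload") != "AzureActiveDirectory" or not operation_matches(ev.get("Operation")):
            continue
        target = (ev.get("Target") or [{}])[0].get("ID")
        for mp in ev.get("ModifiedProperties", []):
            rows.append({"_time": _epoch(ev["CreationTime"]), "user": ev.get("UserId"),
                         "NewValue": mp.get("NewValue"), "object": target,
                         "ObjectId": ev.get("ObjectId")})
    return aggregate(rows, ("user", "NewValue", "object", "ObjectId"))


# Constructed sample events, not real tenant data. KEY_A/KEY_B mimic the JSON
# string Azure AD writes into the KeyDescription newValue.
KEY_A = '[{"KeyIdentifier":"11111111-0000-0000-0000-000000000001","KeyType":"Password","KeyUsage":"Verify","DisplayName":"backup"}]'
KEY_B = '[{"KeyIdentifier":"22222222-0000-0000-0000-000000000002","KeyType":"AsymmetricX509Cert","KeyUsage":"Verify","DisplayName":"CN=hr-sync"}]'
OP_ENDASH = "Update application \u2013 Certificates and secrets management "
OP_HYPHEN = "Update application - Certificates and secrets management "


def _aad(time, op, upn, ip, app, props):
    return {"time": time, "category": "AuditLogs", "operationName": op,
            "properties": {"initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
                           "targetResources": [{"displayName": app, "modifiedProperties": props}]}}


AAD_EVENTS = [
    _aad("2024-05-01T10:00:00Z", OP_ENDASH, "alice@contoso.example", "203.0.113.10", "billing-api",
         [{"displayName": "KeyDescription", "newValue": KEY_A},
          {"displayName": "Included Updated Properties", "newValue": '"KeyDescription"'}]),
    _aad("2024-05-01T10:07:00Z", OP_HYPHEN, "alice@contoso.example", "203.0.113.10", "billing-api",
         [{"displayName": "KeyDescription", "newValue": KEY_A}]),
    _aad("2024-05-01T10:09:00Z", "Update application", "alice@contoso.example", "203.0.113.10",
         "billing-api", [{"displayName": "DisplayName", "newValue": '"billing-api-v2"'}]),  # benign, no match
    _aad("2024-05-01T11:00:00Z", OP_ENDASH, "bob@contoso.example", "198.51.100.7", "hr-sync",
         [{"displayName": "KeyDescription", "newValue": KEY_B}]),
]

O365_EVENTS = [
    {"CreationTime": "2024-05-01T10:00:05", "Workload": "AzureActiveDirectory", "Operation": OP_ENDASH,
     "UserId": "alice@contoso.example", "ObjectId": "Application_8f6c0000-0000-0000-0000-000000000abc",
     "Target": [{"ID": "billing-api", "Type": 1}],
     "ModifiedProperties": [{"Name": "KeyDescription", "NewValue": KEY_A}]},
    {"CreationTime": "2024-05-01T10:30:00", "Workload": "AzureActiveDirectory",
     "Operation": "Add service principal.", "UserId": "alice@contoso.example",  # not this rule
     "ObjectId": "ServicePrincipal_0000", "Target": [{"ID": "hr-sync", "Type": 1}],
     "ModifiedProperties": [{"Name": "AppId", "NewValue": '"..."'}]},
]

if __name__ == "__main__":
    for name, hits in (("aad", detect_aad(AAD_EVENTS)), ("o365", detect_o365(O365_EVENTS))):
        for key, agg in hits.items():
            print(name, key, agg["count"], datetime.fromtimestamp(agg["firstTime"], timezone.utc))
```

Two checks worth running against your own data before trusting the rule: confirm that the operation name as indexed still ends with a space (a trimmed field never matches this glob), and confirm that a credential add shows up as two rows per event, one for the `KeyDescription` JSON and one for the `Included Updated Properties` value, so the filter macro can drop the latter if it is noise.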