LoFP / service principal client credential modifications may be part of legitimate administrative operations. filter as needed.

Techniques

• T1098
• T1098.001

Sample rules

Azure AD Service Principal New Client Credentials

• source: splunk
• technicques:
  • T1098
  • T1098.001

Description

The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal.

Detection logic

 `azure_monitor_aad`  category=AuditLogs operationName="Update application*Certificates and secrets management " 
| rename properties.* as * 
| rename  targetResources{}.* as * 
| stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by user, modifiedProperties{}.newValue, src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_service_principal_new_client_credentials_filter`

O365 Service Principal New Client Credentials

• source: splunk
• technicques:
  • T1098
  • T1098.001

Description

The following analytic identifies the addition of new credentials for Service Principals in addition to existing legitimate credentials within a Office 365 tenant. These credentials include both x509 certificates and passwords. It leverages O365 audit logs, specifically events related to credential modifications or additions within the AzureActiveDirectory workload for service principals. Service principals represent application identities in Office 365 / AzureAD, and their credentials allow applications to authenticate and access resources. Adding new credentials or modifying existing ones can be an indication of configuration changes, but it can also be a sign of malicious intent If an attacker successfully adds or modifies credentials for a service principal, they can potentially use those credentials to authenticate as the application, gaining access to resources and data the application is permitted to access. This can lead to unauthorized data access, data exfiltration, or malicious operations performed under the guise of the application

Detection logic

 `o365_management_activity` Workload=AzureActiveDirectory Operation="Update application*Certificates and secrets management " 
|  stats earliest(_time) as firstTime latest(_time) as lastTime by user ModifiedProperties{}.NewValue object ObjectId 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_service_principal_new_client_credentials_filter`