Techniques
Sample rules
O365 Admin Consent Bypassed by Service Principal
- source: splunk
- techniques:
- T1098.003
Description
The following analytic identifies instances where a service principal in Office 365 Azure Active Directory assigns app roles without standard admin consent. It leverages o365_management_activity logs, specifically focusing on the ‘Add app role assignment to service principal’ operation. This activity is significant for SOCs as it may indicate a bypass of critical administrative controls, potentially leading to unauthorized access or privilege escalation. If confirmed malicious, this could allow an attacker to misuse automated processes to assign sensitive permissions, compromising the security of the environment.
Detection logic
`o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment to service principal."
| eval len=mvcount('Actor{}.ID')
| eval userType = mvindex('Actor{}.ID',len-1)
| eval roleId = mvindex('ModifiedProperties{}.NewValue', 0)
| eval roleValue = mvindex('ModifiedProperties{}.NewValue', 1)
| eval roleDescription = mvindex('ModifiedProperties{}.NewValue', 2)
| eval dest_user = mvindex('Target{}.ID', 0)
| search userType = "ServicePrincipal"
| eval src_user = user
| stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_admin_consent_bypassed_by_service_principal_filter`
Azure AD Admin Consent Bypassed by Service Principal
- source: splunk
- techniques:
- T1098.003
Description
The following analytic identifies instances where a service principal in Azure Active Directory assigns app roles without standard admin consent. It uses Entra ID logs from the azure_monitor_aad data source, focusing on the “Add app role assignment to service principal” operation. This detection is significant as it highlights potential bypasses of critical administrative consent processes, which could lead to unauthorized privileges being granted. If confirmed malicious, this activity could allow attackers to exploit automation to assign sensitive permissions without proper oversight, potentially compromising the security of the Azure AD environment.
Detection logic
`azure_monitor_aad` (operationName="Add app role assignment to service principal" OR operationName="Add member to role*") src_user_type=servicePrincipal
| rename properties.* as *
| eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', 0)
| eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', 1)
| eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', 2)
| eval user_id = mvindex('targetResources{}.id', 0), user=coalesce(user,mvindex('targetResources{}.displayName', 0))
| rename initiatedBy.app.displayName as src_user
| stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user user user_id roleId roleValue roleDescription
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_admin_consent_bypassed_by_service_principal_filter`
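Both analytics above do the same three things on different schemas: pick out who initiated the role assignment, pull the app role's id, value and description from the first three modified-property values, and then roll identical rows up with stats. The following Python is an added example, not Splunk's code or the detection's real implementation: it replays both SPL blocks over constructed sample events so the mvindex() positions and the ServicePrincipal/servicePrincipal filters can be checked by hand. All events are constructed (the Actor, Target and ModifiedProperties layouts, the GUID, the app names and the "automation-app" UserId are illustrative), the `user` field is assumed to map to UserId in the O365 feed, and src_user_type=servicePrincipal is assumed to correspond to an initiatedBy.app block in the azure_monitor_aad feed, a mapping the Splunk add-on normally performs.

```python
"""Added example (not Splunk's code): replays both analytics above over
constructed sample events in plain Python, mirroring the SPL's mvindex()
extraction and the final stats step so each branch can be checked by hand."""
from datetime import datetime, timezone


def _epoch(ts):
    return int(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp())


# Constructed o365_management_activity records (not real logs). The rule keys on
# the LAST Actor{}.ID, the first three ModifiedProperties{}.NewValue entries and
# the first Target{}.ID; 'user' is assumed to map to UserId.
def _o365(ts, actor_kind, actor_name):
    return {
        "CreationTime": ts, "Workload": "AzureActiveDirectory",
        "Operation": "Add app role assignment to service principal.",
        "UserId": actor_name,
        "Actor": [{"ID": actor_name, "Type": 1}, {"ID": actor_kind, "Type": 2}],
        "Target": [{"ID": "Microsoft Graph", "Type": 1}, {"ID": "ServicePrincipal", "Type": 2}],
        "ModifiedProperties": [
            {"Name": "AppRole.Id", "NewValue": "00000000-0000-0000-0000-0000000000aa"},
            {"Name": "AppRole.Value", "NewValue": "Directory.ReadWrite.All"},
            {"Name": "AppRole.Description", "NewValue": "Read and write directory data"},
        ],
    }


O365_EVENTS = [
    _o365("2024-05-01T10:00:00", "ServicePrincipal", "automation-app"),  # alert
    _o365("2024-05-01T10:02:00", "ServicePrincipal", "automation-app"),  # same row, count=2
    _o365("2024-05-01T10:05:00", "User", "admin@contoso.example"),       # human admin: dropped
]


# Constructed azure_monitor_aad records (not real logs).
def _aad(ts, op, initiated_by):
    return {"time": ts, "operationName": op, "properties": {
        "initiatedBy": initiated_by,
        "targetResources": [{"id": "sp-object-id-0001", "displayName": "Microsoft Graph",
            "modifiedProperties": [
                {"displayName": "AppRole.Id", "newValue": "00000000-0000-0000-0000-0000000000aa"},
                {"displayName": "AppRole.Value", "newValue": "Directory.ReadWrite.All"},
                {"displayName": "AppRole.Description", "newValue": "Read and write directory data"}]}]}}


AAD_EVENTS = [
    _aad("2024-05-01T11:00:00", "Add app role assignment to service principal",
         {"app": {"displayName": "Automation App"}}),                        # alert
    _aad("2024-05-01T11:01:00", "Add member to role",
         {"user": {"userPrincipalName": "admin@contoso.example"}}),          # user-initiated: dropped
    _aad("2024-05-01T11:02:00", "Update application",
         {"app": {"displayName": "Automation App"}}),                        # wrong operation: dropped
]


def _pad3(values):
    """mvindex() past the end of a multivalue field yields null; pad the same way."""
    return (list(values) + [None, None, None])[:3]


def normalize_o365(ev):
    """First SPL block: returns the stats row for one event, or None if filtered out."""
    if ev.get("Workload") != "AzureActiveDirectory" or \
       ev.get("Operation") != "Add app role assignment to service principal.":
        return None
    actor_ids = [a["ID"] for a in ev.get("Actor", [])]
    if not actor_ids or actor_ids[-1] != "ServicePrincipal":   # mvindex('Actor{}.ID', len-1)
        return None
    role_id, role_value, role_desc = _pad3(p.get("NewValue") for p in ev.get("ModifiedProperties", []))
    targets = [t["ID"] for t in ev.get("Target", [])]
    return {"src_user": ev.get("UserId"), "dest_user": targets[0] if targets else None,
            "roleId": role_id, "roleValue": role_value, "roleDescription": role_desc,
            "_time": _epoch(ev["CreationTime"])}


def normalize_azure_aad(ev):
    """Second SPL block. Assumption: src_user_type=servicePrincipal corresponds to
    initiatedBy carrying an 'app' block (the Splunk add-on performs that mapping)."""
    op = ev.get("operationName", "")
    if op != "Add app role assignment to service principal" and not op.startswith("Add member to role"):
        return None
    props = ev.get("properties", {})
    app = props.get("initiatedBy", {}).get("app")
    if app is None:
        return None
    targets = props.get("targetResources", [])
    role_id, role_value, role_desc = _pad3(
        mp.get("newValue") for t in targets for mp in t.get("modifiedProperties", []))
    first = targets[0] if targets else {}
    return {"src_user": app.get("displayName"), "user": ev.get("user") or first.get("displayName"),
            "user_id": first.get("id"),
            "roleId": role_id, "roleValue": role_value, "roleDescription": role_desc,
            "_time": _epoch(ev["time"])}


def run_analytic(events, normalize):
    """'| stats count earliest(_time) as firstTime latest(_time) as lastTime by ...'"""
    buckets = {}
    for ev in events:
        row = normalize(ev)
        if row is None:
            continue
        t = row.pop("_time")
        key = tuple(sorted(row.items()))      # the 'by' clause: one bucket per distinct row
        b = buckets.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        b["count"] += 1
        b["firstTime"], b["lastTime"] = min(b["firstTime"], t), max(b["lastTime"], t)
    return [dict(key, **b) for key, b in buckets.items()]


if __name__ == "__main__":
    for name, events, fn in (("o365", O365_EVENTS, normalize_o365),
                             ("azure_monitor_aad", AAD_EVENTS, normalize_azure_aad)):
        for row in run_analytic(events, fn):
            print(name, row)
```

Running it yields one row per feed: the two service-principal grants fold into a single O365 row with count=2 and a two-minute firstTime/lastTime spread, the human-administrator grant is dropped because the last Actor ID is User rather than ServicePrincipal, and on the Entra side only the app-initiated "Add app role assignment to service principal" event survives the operationName and initiator filters. Two points worth carrying back to the SPL: the role fields depend on the modified properties arriving in id/value/description order, so a schema change silently shifts them, and the stats grouping will not collapse the same grant across feeds because the O365 row keys on dest_user while the Entra row keys on user and user_id.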