LoFP / service principals are sometimes configured to legitimately bypass the consent process for purposes of automation. filter as needed.

Techniques

Sample rules

Description

This detection identifies instances in Azure Active Directory where a service principal assigns app roles without the standard admin consent, using Entra ID logs. It operates on the azure_monitor_aad data source, scrutinizing the “Add app role assignment to service principal” operation when it is initiated by a service principal. The query extracts the role ID, value, and description, which are needed to understand the nature of the roles being assigned. Monitoring this in a SOC is critical because it flags potential bypasses of the administrative consent process in Azure AD, which could result in unauthorized privileges being granted. A true positive suggests that a service principal may be exploiting automation to assign sensitive permissions without proper oversight.

Detection logic

`azure_monitor_aad` operationName="Add app role assignment to service principal" src_user_type=servicePrincipal 
| rename properties.* as *  
| eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue', 0) 
| eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue', 1) 
| eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue', 2) 
| eval dest_user = mvindex('targetResources{}.id', 0) 
| rename initiatedBy.app.displayName as src_user 
| stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`  
| `azure_ad_admin_consent_bypassed_by_service_principal_filter`

Description

This detection targets situations where a service principal in Office 365 Azure Active Directory assigns app roles without the standard admin consent, which can indicate a security breach. Using o365_management_activity logs, it examines the ‘Add app role assignment to service principal’ operation, keeps only events initiated by service principals, and extracts details such as the role ID and description. This is critical for SOCs because it surfaces potential bypasses of administrative controls that could lead to unauthorized access or privilege escalation. A true positive implies a service principal might be misusing automated processes to assign sensitive permissions.

Detection logic

`o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment to service principal." 
| eval len=mvcount('Actor{}.ID') 
| eval userType = mvindex('Actor{}.ID',len-1) 
| eval roleId = mvindex('ModifiedProperties{}.NewValue', 0) 
| eval roleValue = mvindex('ModifiedProperties{}.NewValue', 1) 
| eval roleDescription = mvindex('ModifiedProperties{}.NewValue', 2) 
| eval dest_user = mvindex('Target{}.ID', 0) 
| search userType = "ServicePrincipal" 
| eval src_user = user 
| stats count earliest(_time) as firstTime latest(_time) as lastTime by src_user dest_user roleId roleValue roleDescription 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`  
| `o365_admin_consent_bypassed_by_service_principal_filter`
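The same detection logic as the two SPL searches above, as an added Python example run over constructed Entra ID audit records; this is not Splunk's or the security_content project's code. It assumes records shaped like azure_monitor_aad events (initiatedBy.app marks a service principal, newValue fields are read by position 0/1/2 exactly as mvindex does), and an `allowlist` argument that stands in for the filter macro and the LoFP note about known automation principals.

```python
from collections import defaultdict

OPERATION = "Add app role assignment to service principal"

def mk(time, initiator, target_id, values):
    """Build one constructed audit record in the azure_monitor_aad shape (sample data, not real logs)."""
    return {"time": time, "operationName": OPERATION,
            "properties": {"initiatedBy": initiator, "targetResources": [
                {"id": target_id, "modifiedProperties": [{"newValue": v} for v in values]}]}}

SAMPLE_EVENTS = [  # constructed: two SP-initiated grants of the same role, one human-initiated grant
    mk("2024-05-01T10:00:00Z", {"app": {"displayName": "ci-deploy-bot"}}, "sp-111",
       ["role-guid-1", "Directory.ReadWrite.All", "Read and write directory data"]),
    mk("2024-05-01T10:05:00Z", {"app": {"displayName": "ci-deploy-bot"}}, "sp-111",
       ["role-guid-1", "Directory.ReadWrite.All", "Read and write directory data"]),
    mk("2024-05-01T11:00:00Z", {"user": {"userPrincipalName": "admin@example.test"}}, "sp-222",
       ["role-guid-2", "User.Read.All", "Read all users"]),
]

def extract(event):
    """Mirror the SPL eval lines: keep only SP-initiated events, take newValue by position."""
    if event.get("operationName") != OPERATION:
        return None
    props = event["properties"]
    app = props.get("initiatedBy", {}).get("app")
    if not app:                                  # src_user_type=servicePrincipal
        return None
    targets = props.get("targetResources", [])
    # 'targetResources{}.modifiedProperties{}.newValue' is one flattened multivalue field
    new_values = [mp.get("newValue") for t in targets for mp in t.get("modifiedProperties", [])]
    new_values += [None] * (3 - len(new_values))  # mvindex yields null when out of range
    return {"src_user": app.get("displayName"), "dest_user": targets[0]["id"] if targets else None,
            "roleId": new_values[0], "roleValue": new_values[1], "roleDescription": new_values[2],
            "time": event["time"]}

def detect(events, allowlist=()):
    """stats count, firstTime, lastTime by src_user dest_user roleId roleValue roleDescription.
    Principals in `allowlist` are dropped, as the filter macro would do for known automation."""
    groups = defaultdict(list)
    for ev in events:
        row = extract(ev)
        if row and row["src_user"] not in allowlist:
            key = (row["src_user"], row["dest_user"], row["roleId"], row["roleValue"], row["roleDescription"])
            groups[key].append(row["time"])   # ISO-8601 strings sort chronologically
    return {k: {"count": len(v), "firstTime": min(v), "lastTime": max(v)} for k, v in groups.items()}
```

Running `detect(SAMPLE_EVENTS)` yields one row for ci-deploy-bot with count 2; passing `allowlist={"ci-deploy-bot"}` suppresses it, which is the tuning the LoFP note describes.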