LoFP / the creation of a new federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.

Techniques

• T1136
• T1136.003

Sample rules

O365 Added Service Principal

• source: splunk
• technicques:
  • T1136.003
  • T1136

Description

The following analytic detects the addition of new service principal accounts in O365 tenants. It leverages data from the o365_management_activity dataset, specifically monitoring for operations related to adding or creating service principals. This activity is significant because attackers can exploit service principals to gain unauthorized access and perform malicious actions within an organization’s environment. If confirmed malicious, this could allow attackers to interact with APIs, access resources, and execute operations on behalf of the organization, potentially leading to data breaches or further compromise.

Detection logic

`o365_management_activity` Workload=AzureActiveDirectory Operation="*Add service principal*" OR (Operation = "*principal*" AND action = "created") 
| stats count values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type action Operation authentication_service Workload 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_added_service_principal_filter`