Skip to content
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion detection_rules/etc/non-ecs-schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -172,7 +172,8 @@
},
"logs-azure.signinlogs-*": {
"azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword",
"azure.signinlogs.properties.original_transfer_method": "keyword"
Comment thread
terrancedejesus marked this conversation as resolved.
Outdated
"azure.signinlogs.properties.original_transfer_method": "keyword",
"azure.auditlogs.properties.target_resources.0.display_name": "keyword"
},
"logs-azure.activitylogs-*": {
"azure.activitylogs.properties.authentication_protocol": "keyword",
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
# Microsoft Entra ID Credentials Added to Rare Service Principal

---

## Metadata

- **Author:** Elastic
- **Description:** This hunting query gathers evidence of a compromised Microsoft Entra ID identity creating new credentials for a service principal. This may indicate that an attacker has hijacked an Application Administrative entity and is attempting to use it escalate privileges by adding backdoor credentials to a service principal. Service principals are often used to manage permissions and access to resources in Azure, making them a valuable target for attackers.
- **UUID:** `d2dd0288-0a8c-11f0-b738-f661ea17fbcc`
- **Integration:** [azure](https://docs.elastic.co/integrations/azure)
- **Language:** `[ES|QL]`
- **Source File:** [Microsoft Entra ID Credentials Added to Rare Service Principal](../queries/entra_service_principal_credentials_added_to_rare_app.toml)

## Query

```sql
FROM logs-azure.auditlogs*
| WHERE
// filter on Microsoft Entra Audit Logs
// filter for service principal credentials being added
event.dataset == "azure.auditlogs"
and azure.auditlogs.operation_name == "Add service principal credentials"
and event.outcome == "success"
| EVAL
// SLICE n0 of requests values for specific Client App ID
// Cast Client App ID to STRING type
azure.auditlogs.properties.additional_details.appId = MV_SLICE(azure.auditlogs.properties.additional_details.value, 0)::STRING
| WHERE
// REGEX on Client APP ID for UUIDv4
azure.auditlogs.properties.additional_details.appId RLIKE """[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"""
| EVAL
// BUCKET events weekly
timestamp_week_bucket = DATE_TRUNC(7 day, @timestamp)
| STATS
// Aggregate weekly occurrences by Client App ID, User ID
weekly_user_app_occurrence_count = COUNT_DISTINCT(timestamp_week_bucket) BY
azure.auditlogs.properties.additional_details.appId,
azure.auditlogs.properties.initiated_by.user.id
| WHERE weekly_user_app_occurrence_count == 1
```

## Notes

- This is an ES|QL query, therefore results are returned in a tabular format. Pivot into related events using the `azure.auditlogs.properties.initiated_by.user.id`
- Review `azure.auditlogs.properties.additional_details.appId` to verify the Client App ID. This should be a known application in your environment. Check if it is an Azure-managed application, custom application, or a third-party application.
- The `azure.auditlogs.properties.additional_details.appId` value will be available in `azure.auditlogs.properties.additional_details.value` when triaging the original events.
- The `azure.auditlogs.properties.initiated_by.user.id` may be a hijacked account with elevated privileges. Review the user account to determine if it is a known administrative account or a compromised account.
- Review `azure.auditlogs.properties.target_resources.0.display_name` to verify the service principal name. This correlates directly to the `azure.auditlogs.properties.additional_details.appId` value.
- Identify potential authentication events from the service principal the credentials were added to. This may indicate that the service principal is being used to access resources in your environment.

## MITRE ATT&CK Techniques

- [T1098.001](https://attack.mitre.org/techniques/T1098/001)

## References

- https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452
- https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/

## License

- `Elastic License v2`
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
[hunt]
author = "Elastic"
description = """This hunting query gathers evidence of a compromised Microsoft Entra ID identity creating new credentials for a service principal. This may indicate that an attacker has hijacked an Application Administrative entity and is attempting to use it escalate privileges by adding backdoor credentials to a service principal. Service principals are often used to manage permissions and access to resources in Azure, making them a valuable target for attackers. """
integration = ["azure"]
uuid = "d2dd0288-0a8c-11f0-b738-f661ea17fbcc"
name = "Microsoft Entra ID Credentials Added to Rare Service Principal"
language = ["ES|QL"]
license = "Elastic License v2"
notes = [
"This is an ES|QL query, therefore results are returned in a tabular format. Pivot into related events using the `azure.auditlogs.properties.initiated_by.user.id`",
"Review `azure.auditlogs.properties.additional_details.appId` to verify the Client App ID. This should be a known application in your environment. Check if it is an Azure-managed application, custom application, or a third-party application.",
"The `azure.auditlogs.properties.additional_details.appId` value will be available in `azure.auditlogs.properties.additional_details.value` when triaging the original events.",
"The `azure.auditlogs.properties.initiated_by.user.id` may be a hijacked account with elevated privileges. Review the user account to determine if it is a known administrative account or a compromised account.",
"Review `azure.auditlogs.properties.target_resources.0.display_name` to verify the service principal name. This correlates directly to the `azure.auditlogs.properties.additional_details.appId` value.",
"Identify potential authentication events from the service principal the credentials were added to. This may indicate that the service principal is being used to access resources in your environment."
]
mitre = ['T1098.001']
references = [
"https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452",
"https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/"
]
query = [
'''
FROM logs-azure.auditlogs*
| WHERE
// filter on Microsoft Entra Audit Logs
// filter for service principal credentials being added
event.dataset == "azure.auditlogs"
and azure.auditlogs.operation_name == "Add service principal credentials"
and event.outcome == "success"
| EVAL
// SLICE n0 of requests values for specific Client App ID
// Cast Client App ID to STRING type
azure.auditlogs.properties.additional_details.appId = MV_SLICE(azure.auditlogs.properties.additional_details.value, 0)::STRING
| WHERE
// REGEX on Client APP ID for UUIDv4
azure.auditlogs.properties.additional_details.appId RLIKE """[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"""
| EVAL
// BUCKET events weekly
timestamp_week_bucket = DATE_TRUNC(7 day, @timestamp)
| STATS
// Aggregate weekly occurrences by Client App ID, User ID
weekly_user_app_occurrence_count = COUNT_DISTINCT(timestamp_week_bucket) BY
azure.auditlogs.properties.additional_details.appId,
azure.auditlogs.properties.initiated_by.user.id
| WHERE weekly_user_app_occurrence_count == 1
'''
]
1 change: 1 addition & 0 deletions hunting/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ Here are the queries currently available:
- [Azure Entra Excessive Single-Factor Non-Interactive Sign-Ins](./azure/docs/entra_excessive_non_interactive_sfa_sign_ins_across_users.md) (ES|QL)
- [Azure Entra Unusual Client App Authentication Requests on Behalf of Principal Users](./azure/docs/entra_unusual_client_app_auth_request_on_behalf_of_user.md) (ES|QL)
- [Azure Entra Unusual Failed Authentication Attempts Behind Rare User Agents](./azure/docs/entra_authentication_attempts_behind_rare_user_agents.md) (ES|QL)
- [Microsoft Entra ID Credentials Added to Rare Service Principal](./azure/docs/entra_service_principal_credentials_added_to_rare_app.md) (ES|QL)


## linux
Expand Down
5 changes: 5 additions & 0 deletions hunting/index.yml
Original file line number Diff line number Diff line change
Expand Up @@ -687,3 +687,8 @@ azure:
mitre:
- T1078.004
- T1110.003
d2dd0288-0a8c-11f0-b738-f661ea17fbcc:
name: Microsoft Entra ID Credentials Added to Rare Service Principal
path: ./azure/queries/entra_service_principal_credentials_added_to_rare_app.toml
mitre:
- T1098.001
2 changes: 1 addition & 1 deletion pyproject.toml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.0.2"
version = "1.0.3"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
Expand Down

This file was deleted.

Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
[metadata]
creation_date = "2021/05/05"
integration = ["azure"]
maturity = "production"
updated_date = "2025/03/26"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies when new Service Principal credentials have been added in Microsoft Entra ID. In most organizations,
credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or
certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA
requirements.
"""
false_positives = [
"""
Service principal credential additions may be done by a system or network administrator. Verify whether the
username, hostname, and/or resource name should be making changes in your environment. Credential additions from
unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
from the rule.
""",
]
from = "now-9m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Entra ID Service Principal Credentials Added by Rare User"
note = ""
Comment thread
terrancedejesus marked this conversation as resolved.
Outdated
references = [
"https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452",
"https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/",
]
risk_score = 47
rule_id = "f766ffaf-9568-4909-b734-75d19b35cbf4"
severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: Azure",
"Data Source: Microsoft Entra ID",
"Data Source: Microsoft Entra ID Audit Logs",
"Use Case: Identity and Access Audit",
"Tactic: Persistence",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "azure.auditlogs"
and azure.auditlogs.operation_name:"Add service principal credentials"
and event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.001"
name = "Additional Cloud Credentials"
reference = "https://attack.mitre.org/techniques/T1098/001/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.new_terms]
field = "new_terms_fields"
value = [
"azure.auditlogs.properties.target_resources.0.display_name",
"azure.auditlogs.properties.initiated_by.user.id",
]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"