-
Notifications
You must be signed in to change notification settings - Fork 678
[Rule Tuning] Tuning Azure Service Principal Credentials Added
#4570
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
terrancedejesus
merged 10 commits into
main
from
tuning-microsoft-entra-service-principal-credentials-added
Apr 16, 2025
Merged
Changes from 2 commits
Commits
Show all changes
10 commits
Select commit
Hold shift + click to select a range
d277e21
tuning 'Azure Service Principal Credentials Added'
terrancedejesus 040892b
updated patch version
terrancedejesus ea9507d
Merge branch 'main' into tuning-microsoft-entra-service-principal-cre…
terrancedejesus 5f0950a
Merge branch 'main' into tuning-microsoft-entra-service-principal-cre…
terrancedejesus 8eda15c
Merge branch 'main' into tuning-microsoft-entra-service-principal-cre…
terrancedejesus 5d3567b
added investigation guide
terrancedejesus a761062
Merge branch 'main' into tuning-microsoft-entra-service-principal-cre…
terrancedejesus 779c40e
updating patch version
terrancedejesus d8cfbd0
updating patch version
terrancedejesus b7248c2
Merge branch 'main' into tuning-microsoft-entra-service-principal-cre…
terrancedejesus File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
62 changes: 62 additions & 0 deletions
62
hunting/azure/docs/entra_service_principal_credentials_added_to_rare_app.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| # Microsoft Entra ID Credentials Added to Rare Service Principal | ||
|
|
||
| --- | ||
|
|
||
| ## Metadata | ||
|
|
||
| - **Author:** Elastic | ||
| - **Description:** This hunting query gathers evidence of a compromised Microsoft Entra ID identity creating new credentials for a service principal. This may indicate that an attacker has hijacked an Application Administrative entity and is attempting to use it escalate privileges by adding backdoor credentials to a service principal. Service principals are often used to manage permissions and access to resources in Azure, making them a valuable target for attackers. | ||
| - **UUID:** `d2dd0288-0a8c-11f0-b738-f661ea17fbcc` | ||
| - **Integration:** [azure](https://docs.elastic.co/integrations/azure) | ||
| - **Language:** `[ES|QL]` | ||
| - **Source File:** [Microsoft Entra ID Credentials Added to Rare Service Principal](../queries/entra_service_principal_credentials_added_to_rare_app.toml) | ||
|
|
||
| ## Query | ||
|
|
||
| ```sql | ||
| FROM logs-azure.auditlogs* | ||
| | WHERE | ||
| // filter on Microsoft Entra Audit Logs | ||
| // filter for service principal credentials being added | ||
| event.dataset == "azure.auditlogs" | ||
| and azure.auditlogs.operation_name == "Add service principal credentials" | ||
| and event.outcome == "success" | ||
| | EVAL | ||
| // SLICE n0 of requests values for specific Client App ID | ||
| // Cast Client App ID to STRING type | ||
| azure.auditlogs.properties.additional_details.appId = MV_SLICE(azure.auditlogs.properties.additional_details.value, 0)::STRING | ||
| | WHERE | ||
| // REGEX on Client APP ID for UUIDv4 | ||
| azure.auditlogs.properties.additional_details.appId RLIKE """[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}""" | ||
| | EVAL | ||
| // BUCKET events weekly | ||
| timestamp_week_bucket = DATE_TRUNC(7 day, @timestamp) | ||
| | STATS | ||
| // Aggregate weekly occurrences by Client App ID, User ID | ||
| weekly_user_app_occurrence_count = COUNT_DISTINCT(timestamp_week_bucket) BY | ||
| azure.auditlogs.properties.additional_details.appId, | ||
| azure.auditlogs.properties.initiated_by.user.id | ||
| | WHERE weekly_user_app_occurrence_count == 1 | ||
| ``` | ||
|
|
||
| ## Notes | ||
|
|
||
| - This is an ES|QL query, therefore results are returned in a tabular format. Pivot into related events using the `azure.auditlogs.properties.initiated_by.user.id` | ||
| - Review `azure.auditlogs.properties.additional_details.appId` to verify the Client App ID. This should be a known application in your environment. Check if it is an Azure-managed application, custom application, or a third-party application. | ||
| - The `azure.auditlogs.properties.additional_details.appId` value will be available in `azure.auditlogs.properties.additional_details.value` when triaging the original events. | ||
| - The `azure.auditlogs.properties.initiated_by.user.id` may be a hijacked account with elevated privileges. Review the user account to determine if it is a known administrative account or a compromised account. | ||
| - Review `azure.auditlogs.properties.target_resources.0.display_name` to verify the service principal name. This correlates directly to the `azure.auditlogs.properties.additional_details.appId` value. | ||
| - Identify potential authentication events from the service principal the credentials were added to. This may indicate that the service principal is being used to access resources in your environment. | ||
|
|
||
| ## MITRE ATT&CK Techniques | ||
|
|
||
| - [T1098.001](https://attack.mitre.org/techniques/T1098/001) | ||
|
|
||
| ## References | ||
|
|
||
| - https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 | ||
| - https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/ | ||
|
|
||
| ## License | ||
|
|
||
| - `Elastic License v2` |
48 changes: 48 additions & 0 deletions
48
hunting/azure/queries/entra_service_principal_credentials_added_to_rare_app.toml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| [hunt] | ||
| author = "Elastic" | ||
| description = """This hunting query gathers evidence of a compromised Microsoft Entra ID identity creating new credentials for a service principal. This may indicate that an attacker has hijacked an Application Administrative entity and is attempting to use it escalate privileges by adding backdoor credentials to a service principal. Service principals are often used to manage permissions and access to resources in Azure, making them a valuable target for attackers. """ | ||
| integration = ["azure"] | ||
| uuid = "d2dd0288-0a8c-11f0-b738-f661ea17fbcc" | ||
| name = "Microsoft Entra ID Credentials Added to Rare Service Principal" | ||
| language = ["ES|QL"] | ||
| license = "Elastic License v2" | ||
| notes = [ | ||
| "This is an ES|QL query, therefore results are returned in a tabular format. Pivot into related events using the `azure.auditlogs.properties.initiated_by.user.id`", | ||
| "Review `azure.auditlogs.properties.additional_details.appId` to verify the Client App ID. This should be a known application in your environment. Check if it is an Azure-managed application, custom application, or a third-party application.", | ||
| "The `azure.auditlogs.properties.additional_details.appId` value will be available in `azure.auditlogs.properties.additional_details.value` when triaging the original events.", | ||
| "The `azure.auditlogs.properties.initiated_by.user.id` may be a hijacked account with elevated privileges. Review the user account to determine if it is a known administrative account or a compromised account.", | ||
| "Review `azure.auditlogs.properties.target_resources.0.display_name` to verify the service principal name. This correlates directly to the `azure.auditlogs.properties.additional_details.appId` value.", | ||
| "Identify potential authentication events from the service principal the credentials were added to. This may indicate that the service principal is being used to access resources in your environment." | ||
| ] | ||
| mitre = ['T1098.001'] | ||
| references = [ | ||
| "https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", | ||
| "https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/" | ||
| ] | ||
| query = [ | ||
| ''' | ||
| FROM logs-azure.auditlogs* | ||
| | WHERE | ||
| // filter on Microsoft Entra Audit Logs | ||
| // filter for service principal credentials being added | ||
| event.dataset == "azure.auditlogs" | ||
| and azure.auditlogs.operation_name == "Add service principal credentials" | ||
| and event.outcome == "success" | ||
| | EVAL | ||
| // SLICE n0 of requests values for specific Client App ID | ||
| // Cast Client App ID to STRING type | ||
| azure.auditlogs.properties.additional_details.appId = MV_SLICE(azure.auditlogs.properties.additional_details.value, 0)::STRING | ||
| | WHERE | ||
| // REGEX on Client APP ID for UUIDv4 | ||
| azure.auditlogs.properties.additional_details.appId RLIKE """[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}""" | ||
| | EVAL | ||
| // BUCKET events weekly | ||
| timestamp_week_bucket = DATE_TRUNC(7 day, @timestamp) | ||
| | STATS | ||
| // Aggregate weekly occurrences by Client App ID, User ID | ||
| weekly_user_app_occurrence_count = COUNT_DISTINCT(timestamp_week_bucket) BY | ||
| azure.auditlogs.properties.additional_details.appId, | ||
| azure.auditlogs.properties.initiated_by.user.id | ||
| | WHERE weekly_user_app_occurrence_count == 1 | ||
| ''' | ||
| ] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
92 changes: 0 additions & 92 deletions
92
rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
This file was deleted.
Oops, something went wrong.
84 changes: 84 additions & 0 deletions
84
rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| [metadata] | ||
| creation_date = "2021/05/05" | ||
| integration = ["azure"] | ||
| maturity = "production" | ||
| updated_date = "2025/03/26" | ||
|
|
||
| [rule] | ||
| author = ["Elastic", "Austin Songer"] | ||
| description = """ | ||
| Identifies when new Service Principal credentials have been added in Microsoft Entra ID. In most organizations, | ||
| credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or | ||
| certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA | ||
| requirements. | ||
| """ | ||
| false_positives = [ | ||
| """ | ||
| Service principal credential additions may be done by a system or network administrator. Verify whether the | ||
| username, hostname, and/or resource name should be making changes in your environment. Credential additions from | ||
| unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted | ||
| from the rule. | ||
| """, | ||
| ] | ||
| from = "now-9m" | ||
| index = ["filebeat-*", "logs-azure*"] | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| name = "Microsoft Entra ID Service Principal Credentials Added by Rare User" | ||
| note = "" | ||
|
terrancedejesus marked this conversation as resolved.
Outdated
|
||
| references = [ | ||
| "https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452", | ||
| "https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/", | ||
| ] | ||
| risk_score = 47 | ||
| rule_id = "f766ffaf-9568-4909-b734-75d19b35cbf4" | ||
| severity = "medium" | ||
| tags = [ | ||
| "Domain: Cloud", | ||
| "Data Source: Azure", | ||
| "Data Source: Microsoft Entra ID", | ||
| "Data Source: Microsoft Entra ID Audit Logs", | ||
| "Use Case: Identity and Access Audit", | ||
| "Tactic: Persistence", | ||
| "Resources: Investigation Guide", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "new_terms" | ||
|
|
||
| query = ''' | ||
| event.dataset: "azure.auditlogs" | ||
| and azure.auditlogs.operation_name:"Add service principal credentials" | ||
| and event.outcome: "success" | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1098" | ||
| name = "Account Manipulation" | ||
| reference = "https://attack.mitre.org/techniques/T1098/" | ||
|
|
||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1098.001" | ||
| name = "Additional Cloud Credentials" | ||
| reference = "https://attack.mitre.org/techniques/T1098/001/" | ||
|
|
||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0003" | ||
| name = "Persistence" | ||
| reference = "https://attack.mitre.org/tactics/TA0003/" | ||
|
|
||
| [rule.new_terms] | ||
| field = "new_terms_fields" | ||
| value = [ | ||
| "azure.auditlogs.properties.target_resources.0.display_name", | ||
| "azure.auditlogs.properties.initiated_by.user.id", | ||
| ] | ||
| [[rule.new_terms.history_window_start]] | ||
| field = "history_window_start" | ||
| value = "now-10d" | ||
|
|
||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.