npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
Overview
Azure service principals are identity objects used by applications, services, and automation tools to access Azure resources. Attackers exploit service principals for privilege escalation, lateral movement, and persistent access. Key abuse patterns include: adding credentials to existing principals, assigning privileged roles, bypassing admin consent, and enumerating service principals for attack paths. Application ownership grants the ability to manage credentials and configure permissions, creating hidden privilege escalation paths.
When to Use
- When investigating security incidents that require detecting azure service principal abuse
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Azure subscription with Microsoft Entra ID P2 license
- Access to Azure AD Audit Logs and Sign-in Logs
- Microsoft Sentinel or Splunk for SIEM-based detection
- Microsoft Graph API permissions for investigation
- Global Reader or Security Reader role minimum
Key Abuse Patterns
1. New Credentials Added to Service Principal
Attackers add new client secrets or certificates to gain persistent access:
Detection Query (KQL - Sentinel):
AuditLogs
| where OperationName has "Add service principal credentials"
or OperationName has "Update application - Certificates and secrets management"
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend TargetSP = tostring(TargetResources[0].displayName)
| extend TargetSPId = tostring(TargetResources[0].id)
| project TimeGenerated, InitiatedBy, OperationName, TargetSP, TargetSPId
| sort by TimeGenerated descDetection Query (SPL - Splunk):
index=azure sourcetype="azure:aad:audit"
operationName="Add service principal credentials"
OR operationName="Update application*Certificates and secrets*"
| stats count by initiatedBy.user.userPrincipalName, targetResources{}.displayName, _time
| sort -_time2. Privileged Role Assignment to Service Principal
AuditLogs
| where OperationName == "Add member to role"
| extend RoleName = tostring(TargetResources[0].modifiedProperties[1].newValue)
| where RoleName has_any ("Global Administrator", "Application Administrator",
"Privileged Role Administrator", "Cloud Application Administrator")
| extend TargetSP = tostring(TargetResources[0].displayName)
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, InitiatedBy, TargetSP, RoleName, OperationName3. Service Principal Enumeration Detection
MicrosoftGraphActivityLogs
| where RequestMethod == "GET"
| where RequestUri has "/servicePrincipals"
| summarize RequestCount = count() by UserAgent, IPAddress, bin(TimeGenerated, 1h)
| where RequestCount > 10
| sort by RequestCount desc4. Admin Consent Bypass
AuditLogs
| where OperationName == "Consent to application"
| extend ConsentType = tostring(TargetResources[0].modifiedProperties[4].newValue)
| where ConsentType has "AllPrincipals"
| extend AppName = tostring(TargetResources[0].displayName)
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, InitiatedBy, AppName, ConsentType5. OAuth App Permissions Escalation
AuditLogs
| where OperationName == "Add app role assignment to service principal"
| extend AppRoleValue = tostring(TargetResources[0].modifiedProperties[1].newValue)
| where AppRoleValue has_any ("RoleManagement.ReadWrite.Directory",
"Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
"Directory.ReadWrite.All", "Mail.ReadWrite")
| extend TargetApp = tostring(TargetResources[0].displayName)
| project TimeGenerated, TargetApp, AppRoleValue, CorrelationIdInvestigation Procedures
Step 1: Identify compromised service principal
# List service principals with recently added credentials
Connect-MgGraph -Scopes "Application.Read.All"
$suspiciousSPs = Get-MgServicePrincipal -All | ForEach-Object {
$sp = $_
$creds = Get-MgServicePrincipalPasswordCredential -ServicePrincipalId $sp.Id
$recentCreds = $creds | Where-Object { $_.StartDateTime -gt (Get-Date).AddDays(-7) }
if ($recentCreds) {
[PSCustomObject]@{
DisplayName = $sp.DisplayName
AppId = $sp.AppId
ObjectId = $sp.Id
NewCredsCount = $recentCreds.Count
LatestCredAdded = ($recentCreds | Sort-Object StartDateTime -Descending | Select-Object -First 1).StartDateTime
}
}
}
$suspiciousSPs | Sort-Object LatestCredAdded -DescendingStep 2: Review service principal role assignments
# Check role assignments for a specific service principal
$spId = "<service-principal-object-id>"
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId | ForEach-Object {
$resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
[PSCustomObject]@{
AppRoleId = $_.AppRoleId
ResourceDisplayName = $resource.DisplayName
CreatedDateTime = $_.CreatedDateTime
}
}Step 3: Check application ownership
# List owners of all applications (ownership = credential control)
Get-MgApplication -All | ForEach-Object {
$app = $_
$owners = Get-MgApplicationOwner -ApplicationId $app.Id
foreach ($owner in $owners) {
[PSCustomObject]@{
AppName = $app.DisplayName
AppId = $app.AppId
OwnerUPN = $owner.AdditionalProperties.userPrincipalName
OwnerType = $owner.AdditionalProperties.'@odata.type'
}
}
} | Where-Object { $_.OwnerUPN -ne $null }Step 4: Review sign-in activity
AADServicePrincipalSignInLogs
| where ServicePrincipalId == "<target-sp-id>"
| project TimeGenerated, ServicePrincipalName, IPAddress, Location,
ResourceDisplayName, Status.errorCode
| sort by TimeGenerated descPreventive Controls
Restrict application registration
# Disable user ability to register applications
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
AllowedToCreateApps = $false
}Configure app consent policies
# Require admin approval for all app consent requests
New-MgPolicyPermissionGrantPolicy -Id "admin-only-consent" `
-DisplayName "Admin Only Consent" `
-Description "Only admins can consent to applications"Monitor with Microsoft Sentinel Analytics Rules
Create analytics rules for:
- New service principal credential additions
- Privileged role assignments to service principals
- Bulk service principal enumeration
- Admin consent grants to unknown applications
- Service principal sign-ins from unusual locations
MITRE ATT&CK Mapping
| Technique | ID | Description |
|---|---|---|
| Account Manipulation: Additional Cloud Credentials | T1098.001 | Adding credentials to service principal |
| Valid Accounts: Cloud Accounts | T1078.004 | Using compromised service principal |
| Account Discovery: Cloud Account | T1087.004 | Enumerating service principals |
| Steal Application Access Token | T1528 | OAuth token theft via service principal |
References
- Splunk Detection: Azure AD Service Principal Abuse
- Semperis: Service Principal Ownership Abuse in Entra ID
- MITRE ATT&CK Cloud Matrix
- Microsoft: Securing service principals in Entra ID
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md2.4 KB
Azure Service Principal Abuse Detection — API Reference
Libraries
| Library | Install | Purpose |
|---|---|---|
| azure-identity | pip install azure-identity |
Azure AD authentication |
| requests | pip install requests |
Microsoft Graph API client |
Microsoft Graph API Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1.0/servicePrincipals |
List service principals |
| GET | /v1.0/servicePrincipals/{id} |
Get SP details and credentials |
| GET | /v1.0/servicePrincipals/{id}/appRoleAssignments |
SP role assignments |
| GET | /v1.0/directoryRoles |
List directory roles |
| GET | /v1.0/directoryRoles/{id}/members |
Role members (includes SPs) |
| GET | /v1.0/auditLogs/signIns |
Sign-in logs for SP activity |
| GET | /v1.0/auditLogs/directoryAudits |
Directory change audit logs |
OAuth2 Token Endpoint
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
grant_type=client_credentials
scope=https://graph.microsoft.com/.defaultHigh-Privilege Directory Roles
| Role | Risk |
|---|---|
| Global Administrator | Full tenant control |
| Application Administrator | Can create/manage all apps |
| Cloud Application Administrator | Manage cloud app registrations |
| Privileged Role Administrator | Manage role assignments |
Service Principal Abuse Indicators
| Indicator | Description | Severity |
|---|---|---|
| Multiple password credentials | Possible backdoor persistence | HIGH |
| Expired credentials not removed | Credential hygiene gap | MEDIUM |
| SP with Global Admin role | Overprivileged automation | CRITICAL |
| Unusual sign-in location | Compromised SP credentials | HIGH |
| New credential added to SP | Persistence via credential injection | CRITICAL |
MITRE ATT&CK Mapping
| Technique | ID | Description |
|---|---|---|
| Account Manipulation | T1098 | Add credentials to SP |
| Valid Accounts: Cloud | T1078.004 | Abuse SP credentials |
| Trusted Relationship | T1199 | Abuse multi-tenant SP trust |
External References
standards.md0.9 KB
Standards - Detecting Azure Service Principal Abuse
MITRE ATT&CK Techniques
- T1098.001: Account Manipulation - Additional Cloud Credentials
- T1078.004: Valid Accounts - Cloud Accounts
- T1087.004: Account Discovery - Cloud Account
- T1528: Steal Application Access Token
- T1550.001: Use Alternate Authentication Material - Application Access Token
CIS Microsoft Azure Foundations Benchmark v2.1
- 1.11: Ensure that multi-factor authentication is enabled for all privileged users
- 1.14: Ensure that guest users are reviewed on a regular basis
- 1.15: Ensure that User consent for applications is set to Do not allow user consent
Microsoft Secure Score Recommendations
- Require admin approval for unmanaged applications
- Remove unused application permissions
- Limit service principal credential lifetime
- Implement Conditional Access for workload identities
workflows.md0.9 KB
Workflows - Detecting Azure Service Principal Abuse
Detection Workflow
1. Log Collection → Ingest Azure AD Audit + Sign-in logs to SIEM
2. Rule Activation → Enable detection analytics for SP abuse patterns
3. Alert Triage → Validate alerts against known automation accounts
4. Investigation → Correlate credential changes with sign-in anomalies
5. Containment → Disable compromised SP, rotate credentials
6. Remediation → Remove unauthorized permissions, review ownershipInvestigation Workflow
1. Identify affected service principal (name, object ID, app ID)
2. Review recent credential changes (new secrets/certificates)
3. Check role assignments for privilege escalation
4. Analyze sign-in logs for unusual IPs/locations
5. Review application ownership chain
6. Assess blast radius of compromised permissions
7. Document findings and initiate incident responseScripts 2
agent.py6.7 KB
#!/usr/bin/env python3
"""Azure Service Principal abuse detection agent."""
import json
import sys
import argparse
from datetime import datetime, timedelta
try:
from azure.identity import ClientSecretCredential
except ImportError:
ClientSecretCredential = None
try:
import requests
except ImportError:
print("Install: pip install requests")
sys.exit(1)
class AzureGraphClient:
"""Client for Microsoft Graph API to audit service principals."""
def __init__(self, tenant_id, client_id, client_secret):
self.tenant_id = tenant_id
self.token = self._get_token(tenant_id, client_id, client_secret)
self.headers = {"Authorization": f"Bearer {self.token}"}
def _get_token(self, tenant_id, client_id, client_secret):
resp = requests.post(
f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
data={
"grant_type": "client_credentials",
"client_id": client_id,
"client_secret": client_secret,
"scope": "https://graph.microsoft.com/.default",
},
timeout=15,
)
resp.raise_for_status()
return resp.json()["access_token"]
def _get(self, endpoint, params=None):
resp = requests.get(f"https://graph.microsoft.com/v1.0{endpoint}",
headers=self.headers, params=params, timeout=15)
resp.raise_for_status()
return resp.json()
def list_service_principals(self):
return self._get("/servicePrincipals", params={"$top": 200}).get("value", [])
def get_sp_credentials(self, sp_id):
return self._get(f"/servicePrincipals/{sp_id}").get("passwordCredentials", [])
def get_sp_app_roles(self, sp_id):
return self._get(f"/servicePrincipals/{sp_id}/appRoleAssignments").get("value", [])
def get_sign_in_logs(self, sp_id, days=7):
since = (datetime.utcnow() - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
return self._get("/auditLogs/signIns", params={
"$filter": f"appId eq '{sp_id}' and createdDateTime ge {since}",
"$top": 100,
}).get("value", [])
def get_directory_roles(self):
return self._get("/directoryRoles").get("value", [])
def get_role_members(self, role_id):
return self._get(f"/directoryRoles/{role_id}/members").get("value", [])
def audit_credential_expiry(client, principals):
"""Check for expired or soon-to-expire service principal credentials."""
findings = []
now = datetime.utcnow()
for sp in principals:
sp_id = sp.get("id", "")
display = sp.get("displayName", "")
creds = sp.get("passwordCredentials", [])
key_creds = sp.get("keyCredentials", [])
for cred in creds + key_creds:
end_str = cred.get("endDateTime", "")
if not end_str:
continue
try:
end = datetime.fromisoformat(end_str.rstrip("Z"))
except ValueError:
continue
if end < now:
findings.append({
"sp_name": display, "sp_id": sp_id,
"credential_id": cred.get("keyId", ""),
"issue": "Credential expired but not removed",
"severity": "MEDIUM", "expired": end_str,
})
elif end < now + timedelta(days=30):
findings.append({
"sp_name": display, "sp_id": sp_id,
"issue": f"Credential expires within 30 days ({end_str})",
"severity": "LOW",
})
if len(creds) > 2:
findings.append({
"sp_name": display, "sp_id": sp_id,
"issue": f"Multiple password credentials ({len(creds)}) — possible backdoor",
"severity": "HIGH",
})
return findings
def audit_privileged_sp_roles(client):
"""Find service principals with high-privilege directory roles."""
findings = []
high_priv_roles = {
"Global Administrator", "Application Administrator",
"Cloud Application Administrator", "Privileged Role Administrator",
}
roles = client.get_directory_roles()
for role in roles:
role_name = role.get("displayName", "")
if role_name not in high_priv_roles:
continue
members = client.get_role_members(role["id"])
for m in members:
if m.get("@odata.type") == "#microsoft.graph.servicePrincipal":
findings.append({
"sp_name": m.get("displayName", ""),
"sp_id": m.get("id", ""),
"role": role_name,
"issue": f"Service principal has {role_name} role",
"severity": "CRITICAL",
})
return findings
def run_audit(args):
"""Execute Azure service principal abuse detection audit."""
print(f"\n{'='*60}")
print(f" AZURE SERVICE PRINCIPAL ABUSE DETECTION")
print(f" Generated: {datetime.utcnow().isoformat()} UTC")
print(f"{'='*60}\n")
client = AzureGraphClient(args.tenant_id, args.client_id, args.client_secret)
report = {}
principals = client.list_service_principals()
report["total_service_principals"] = len(principals)
print(f"--- SERVICE PRINCIPALS ({len(principals)}) ---")
for sp in principals[:10]:
print(f" {sp.get('displayName','')}: {sp.get('appId','')[:20]}...")
cred_findings = audit_credential_expiry(client, principals)
report["credential_findings"] = cred_findings
print(f"\n--- CREDENTIAL AUDIT ({len(cred_findings)} findings) ---")
for f in cred_findings[:15]:
print(f" [{f['severity']}] {f['sp_name']}: {f['issue']}")
role_findings = audit_privileged_sp_roles(client)
report["privileged_role_findings"] = role_findings
print(f"\n--- PRIVILEGED ROLE ASSIGNMENTS ({len(role_findings)}) ---")
for f in role_findings:
print(f" [{f['severity']}] {f['sp_name']}: {f['role']}")
return report
def main():
parser = argparse.ArgumentParser(description="Azure SP Abuse Detection Agent")
parser.add_argument("--tenant-id", required=True, help="Azure AD tenant ID")
parser.add_argument("--client-id", required=True, help="App registration client ID")
parser.add_argument("--client-secret", required=True, help="App registration secret")
parser.add_argument("--output", help="Save report to JSON file")
args = parser.parse_args()
report = run_audit(args)
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"\n[+] Report saved to {args.output}")
if __name__ == "__main__":
main()
process.py8.5 KB
#!/usr/bin/env python3
"""
Azure Service Principal Abuse Detection Script
Queries Microsoft Graph API to detect suspicious service principal
activities including new credentials, privilege escalation, and
unauthorized ownership.
"""
import json
import subprocess
import sys
from datetime import datetime, timedelta
def run_az_cli(args):
"""Execute Azure CLI command and return parsed JSON output."""
cmd = ["az"] + args + ["--output", "json"]
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode != 0:
return None, result.stderr
try:
return json.loads(result.stdout) if result.stdout.strip() else {}, None
except json.JSONDecodeError:
return result.stdout, None
def check_recent_credential_additions(days=7):
"""Check for service principals with recently added credentials."""
print(f"[*] Checking for SP credentials added in last {days} days...")
cutoff = (datetime.utcnow() - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
sps, err = run_az_cli(["ad", "sp", "list", "--all"])
if err:
print(f"[!] Error listing service principals: {err}")
return []
suspicious = []
for sp in sps or []:
display_name = sp.get("displayName", "Unknown")
app_id = sp.get("appId", "")
object_id = sp.get("id", "")
# Check password credentials
for cred in sp.get("passwordCredentials", []):
start_date = cred.get("startDateTime", "")
if start_date and start_date > cutoff:
suspicious.append({
"type": "password_credential",
"sp_name": display_name,
"app_id": app_id,
"object_id": object_id,
"credential_start": start_date,
"credential_end": cred.get("endDateTime", ""),
"key_id": cred.get("keyId", "")
})
# Check certificate credentials
for cert in sp.get("keyCredentials", []):
start_date = cert.get("startDateTime", "")
if start_date and start_date > cutoff:
suspicious.append({
"type": "certificate_credential",
"sp_name": display_name,
"app_id": app_id,
"object_id": object_id,
"credential_start": start_date,
"credential_end": cert.get("endDateTime", ""),
"key_id": cert.get("keyId", "")
})
if suspicious:
print(f"[!] Found {len(suspicious)} recently added credentials:")
for item in suspicious:
print(f" - [{item['type']}] {item['sp_name']} (AppId: {item['app_id']})")
print(f" Added: {item['credential_start']}")
else:
print("[+] No recently added credentials found")
return suspicious
def check_privileged_sp_roles():
"""Check for service principals with privileged directory roles."""
print("\n[*] Checking service principals with privileged roles...")
privileged_roles = [
"Global Administrator",
"Application Administrator",
"Cloud Application Administrator",
"Privileged Role Administrator",
"Exchange Administrator",
"SharePoint Administrator",
"User Administrator"
]
findings = []
roles, err = run_az_cli(["rest", "--method", "GET",
"--url", "https://graph.microsoft.com/v1.0/directoryRoles"])
if err:
print(f"[!] Error fetching roles: {err}")
return []
for role in (roles or {}).get("value", []):
role_name = role.get("displayName", "")
role_id = role.get("id", "")
if role_name not in privileged_roles:
continue
members, err = run_az_cli(["rest", "--method", "GET",
"--url", f"https://graph.microsoft.com/v1.0/directoryRoles/{role_id}/members"])
if err:
continue
for member in (members or {}).get("value", []):
odata_type = member.get("@odata.type", "")
if "servicePrincipal" in odata_type:
findings.append({
"role": role_name,
"sp_name": member.get("displayName", "Unknown"),
"sp_id": member.get("id", ""),
"app_id": member.get("appId", "")
})
if findings:
print(f"[!] Found {len(findings)} service principals with privileged roles:")
for f in findings:
print(f" - {f['sp_name']} has role: {f['role']}")
else:
print("[+] No service principals with privileged roles found")
return findings
def check_sp_ownership():
"""Identify applications with non-admin owners (potential abuse vector)."""
print("\n[*] Checking application ownership for potential abuse vectors...")
apps, err = run_az_cli(["ad", "app", "list", "--all"])
if err:
print(f"[!] Error listing applications: {err}")
return []
risky_ownership = []
for app in apps or []:
app_name = app.get("displayName", "Unknown")
app_id = app.get("appId", "")
object_id = app.get("id", "")
owners, err = run_az_cli(["rest", "--method", "GET",
"--url", f"https://graph.microsoft.com/v1.0/applications/{object_id}/owners"])
if err:
continue
owner_list = (owners or {}).get("value", [])
if len(owner_list) > 3: # Flag apps with many owners
risky_ownership.append({
"app_name": app_name,
"app_id": app_id,
"owner_count": len(owner_list),
"owners": [o.get("userPrincipalName", o.get("displayName", "Unknown")) for o in owner_list]
})
if risky_ownership:
print(f"[!] Found {len(risky_ownership)} applications with excessive owners:")
for item in risky_ownership:
print(f" - {item['app_name']}: {item['owner_count']} owners")
else:
print("[+] No applications with excessive ownership found")
return risky_ownership
def generate_detection_report(cred_findings, role_findings, ownership_findings):
"""Generate a consolidated detection report."""
timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
report = f"""
{'='*60}
Azure Service Principal Abuse Detection Report
Generated: {timestamp}
{'='*60}
## Summary
- Recent Credential Additions: {len(cred_findings)}
- Privileged Role Assignments: {len(role_findings)}
- Risky Application Ownership: {len(ownership_findings)}
- Overall Risk: {'HIGH' if cred_findings or role_findings else 'LOW'}
"""
if cred_findings:
report += "\n## Recently Added Credentials\n"
for f in cred_findings:
report += f" [{f['type']}] {f['sp_name']} - Added {f['credential_start']}\n"
if role_findings:
report += "\n## Privileged Service Principals\n"
for f in role_findings:
report += f" {f['sp_name']} -> {f['role']}\n"
if ownership_findings:
report += "\n## Risky Application Ownership\n"
for f in ownership_findings:
report += f" {f['app_name']} - {f['owner_count']} owners\n"
print(report)
return report
if __name__ == "__main__":
import argparse
parser = argparse.ArgumentParser(description="Azure Service Principal Abuse Detection")
parser.add_argument("--days", type=int, default=7, help="Lookback period in days")
parser.add_argument("--credentials", action="store_true", help="Check recent credential additions")
parser.add_argument("--roles", action="store_true", help="Check privileged role assignments")
parser.add_argument("--ownership", action="store_true", help="Check application ownership")
parser.add_argument("--full", action="store_true", help="Run all checks")
parser.add_argument("--output", type=str, help="Save report to file")
args = parser.parse_args()
cred_findings = []
role_findings = []
ownership_findings = []
if args.full or args.credentials:
cred_findings = check_recent_credential_additions(args.days)
if args.full or args.roles:
role_findings = check_privileged_sp_roles()
if args.full or args.ownership:
ownership_findings = check_sp_ownership()
if args.full or (args.credentials and args.roles):
report = generate_detection_report(cred_findings, role_findings, ownership_findings)
if args.output:
with open(args.output, "w") as f:
f.write(report)
print(f"\n[+] Report saved to {args.output}")