azure_ad_service_principal_created.yml
name: Azure AD Service Principal Created
id: f8ba49e7-ffd3-4b53-8f61-e73974583c5d
version: 1
date: '2022-08-17'
author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic identifies the creation of a Service Principal
  in an Azure AD environment. An Azure Service Principal is an identity designed to
  be used with applications, services, and automated tools to access resources. It
  is similar to a service account within an Active Directory environment. Service
  Principal authentication does not support multi-factor authentication or conditional
  access policies. Adversaries and red teams alike who have obtained administrative
  access may create a Service Principal to establish Persistence and obtain single-factor
  access to an Azure AD environment.
data_source:
- Azure Active Directory Add service principal
search: '`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=*
  | rename properties.* as *
  | rename targetResources{}.displayName as displayName
  | rename targetResources{}.type as type
  | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by type, user, result, operationName
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_service_principal_created_filter`'
how_to_implement: You must install the latest version of the Splunk Add-on for Microsoft
  Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
  You must be ingesting Azure Active Directory events into your Splunk environment through an Event Hub.
  This analytic was written to be used with the azure:monitor:aad sourcetype, leveraging the AuditLog log category.
known_false_positives: Administrators may legitimately create Service Principals. Filter
  as needed.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
- https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-8.2.0
- https://www.truesec.com/hub/blog/using-a-legitimate-application-to-create-persistence-and-initiate-email-campaigns
- https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html
- https://attack.mitre.org/techniques/T1136/003/
tags:
  analytic_story:
  - Azure Active Directory Persistence
  - NOBELIUM Group
  asset_type: Azure Active Directory
  confidence: 90
  impact: 50
  message: Service Principal named $displayName$ created by $user$
  mitre_attack_id:
  - T1136.003
  observable:
  - name: displayName
    type: User
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - properties.targetResources{}.displayName
  - properties.targetResources{}.type
  - user
  - properties.result
  risk_score: 45
  security_domain: threat
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log
    source: Azure AD
    sourcetype: azure:monitor:aad
    update_timestamp: true
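To show what the search above actually selects and aggregates, here is an added Python rendering of the same logic run over constructed Azure AD AuditLog events; it is not part of the Splunk security_content project. It assumes the `user` field is the initiating user's userPrincipalName and that the Event Hub record shape matches the Azure AD audit schema sketched in the sample; the app-initiated and "Add application" events show what the `properties.initiatedBy.user.id=*` and operationName filters exclude.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in the shape of Azure AD AuditLog records as carried by
# the azure:monitor:aad sourcetype (field names follow the Azure AD audit schema; the
# exact Event Hub envelope is an assumption, adjust to what your pipeline delivers).
def _event(ts, op, initiated_by, targets, result="success"):
    return json.dumps({"time": ts, "operationName": op,
                       "properties": {"result": result, "initiatedBy": initiated_by,
                                      "targetResources": targets}})

USER = {"user": {"id": "11111111-aaaa-4bbb-8ccc-000000000001",
                 "userPrincipalName": "admin@example.onmicrosoft.com"}}
APP = {"app": {"appId": "22222222-bbbb-4ccc-8ddd-000000000002", "displayName": "ProvisioningApp"}}
SP = "ServicePrincipal"

SAMPLE_LOG = [
    _event("2022-08-17T10:00:00Z", "Add service principal", USER, [{"type": SP, "displayName": "backup-sync-app"}]),
    _event("2022-08-17T10:05:00Z", "Add service principal", USER, [{"type": SP, "displayName": "mail-reader"}]),
    # Initiated by an application rather than a user: no initiatedBy.user.id, so excluded.
    _event("2022-08-17T10:07:00Z", "Add service principal", APP, [{"type": SP, "displayName": "auto-sp"}]),
    # Different operationName: not matched by the search.
    _event("2022-08-17T10:09:00Z", "Add application", USER, [{"type": "Application", "displayName": "backup-sync-app"}]),
]

def _epoch(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def detect_service_principal_created(lines):
    """Filter, rename and `stats ... by type, user, result, operationName` as in the SPL."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "displayName": set()})
    for line in lines:
        ev = json.loads(line)
        props = ev.get("properties", {})
        user_id = props.get("initiatedBy", {}).get("user", {}).get("id")
        if ev.get("operationName") != "Add service principal" or not user_id:
            continue
        # `user` is assumed to be extracted from userPrincipalName (fall back to the object id).
        user = props["initiatedBy"]["user"].get("userPrincipalName", user_id)
        t = _epoch(ev["time"])
        for tr in props.get("targetResources", []):  # one row per target, like a multivalue split
            g = groups[(tr.get("type"), user, props.get("result"), ev["operationName"])]
            g["count"] += 1
            g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
            g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
            g["displayName"].add(tr.get("displayName"))
    return {k: {**v, "displayName": sorted(v["displayName"])} for k, v in groups.items()}
```

Each returned key is one row of the stats output; the `displayName` list is what the `$displayName$` token in the notable message expands to.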