Azure AD Service Principal Owner Added
Detection of a new owner being added to an Azure AD Service Principal, potentially indicating persistence or privilege escalation by an attacker exploiting the lack of multi-factor authentication on service principals.
This analytic detects the addition of a new owner to a Service Principal within an Azure AD tenant. Service Principals are often targeted by attackers due to their lack of multi-factor authentication (MFA) and conditional access support. The detection leverages Azure Active Directory events from the AuditLog log category, specifically monitoring the "Add owner to application" operation. This activity is a significant indicator of potential persistence or privilege escalation, as a compromised Service Principal can grant unauthorized access to critical Azure AD resources. A successful attack using this technique could allow attackers to maintain access to the Azure AD environment with only single-factor authentication, bypassing typical security controls. This detection is based on analysis of activity patterns associated with the NOBELIUM group.
Attack Chain
- The attacker compromises an initial user account or service principal through credential theft or other means (e.g., phishing).
- The attacker leverages the compromised account to enumerate existing Service Principals within the Azure AD tenant.
- The attacker identifies a target Service Principal with elevated permissions or access to critical resources.
- The attacker executes the "Add owner to application" operation, adding a new owner (controlled by the attacker) to the target Service Principal. This operation is logged in Azure AD Audit Logs.
- The newly added owner account (controlled by the attacker) now has control over the Service Principal.
- The attacker uses the compromised Service Principal to access resources and data within the Azure AD environment, bypassing MFA and conditional access controls.
- The attacker moves laterally within the cloud environment, compromising other services and resources.
- The attacker achieves their final objective, which may include data exfiltration, system disruption, or further privilege escalation.
Impact
A successful attack leveraging Service Principal owner addition can result in significant damage. Attackers can gain persistent access to the Azure AD environment, bypassing MFA and conditional access. This can lead to unauthorized access to sensitive data, compromise of critical cloud resources, and potential disruption of business operations. Due to the nature of cloud environments, a single compromised Service Principal can grant access to a wide range of services and data, impacting numerous users and applications.
Recommendation
- Deploy the Sigma rule
Azure AD Service Principal Owner Addedto your SIEM and tune for your environment to detect the addition of new owners to Service Principals based on Azure AD Audit Logs. - Investigate any detected instances of Service Principal owner additions for potentially malicious activity, focusing on the
initiatedByandnewOwnerfields in the logs. - Implement strict controls and monitoring around Service Principal creation and management.
- Review and reduce the number of Service Principals with excessive privileges.
- Investigate related
Azure Active Directory PersistenceandAzure Active Directory Privilege Escalationanalytic stories after detecting this activity.
Detection coverage 2
Azure AD Service Principal Owner Added
highDetects the addition of a new owner to a Service Principal within an Azure AD tenant, which could indicate malicious activity.
Azure AD Service Principal Owner Added - Cross User
highDetects when a different user adds a new owner to a Service Principal within an Azure AD tenant, which could indicate malicious activity.
Detection queries are available on the platform. Get full rules →