Azure AD Service Principal Enumeration via Microsoft Graph API
An attacker uses Microsoft Graph API to enumerate multiple Azure AD service principals, potentially using tools like AzureHound or ROADtools, to gather information for privilege escalation or lateral movement.
This brief focuses on the enumeration of Azure Active Directory (AD) service principals using the Microsoft Graph API. Attackers, potentially leveraging tools like AzureHound or ROADtools, can query the Graph API to identify and gather information about service principals within an Azure AD environment. This activity often indicates reconnaissance efforts aimed at identifying potential targets for privilege escalation or lateral movement. The detection identifies instances where 10 or more service principals are enumerated. Defenders should be aware of this technique as it allows attackers to map out the attack surface within Azure AD.
Attack Chain
- The attacker gains initial access to an Azure AD account, possibly through compromised credentials or other means.
- The attacker authenticates to the Microsoft Graph API using the compromised account.
- The attacker crafts a series of API requests targeting the
/beta/servicePrincipalsor/v1.0/servicePrincipalsendpoints. - The attacker executes these requests to enumerate service principals within the Azure AD environment.
- The attacker collects the responses from the Graph API, extracting relevant information about each service principal, such as application IDs, display names, and service principal names (SPNs).
- The attacker analyzes the collected data to identify potential targets for privilege escalation or lateral movement based on the permissions and roles associated with each service principal.
- The attacker attempts to exploit misconfigured service principals or applications with excessive permissions, potentially leading to unauthorized access to sensitive resources or data.
Impact
Successful enumeration of Azure AD service principals can provide attackers with a comprehensive understanding of the organization's cloud infrastructure. This knowledge can be leveraged to identify vulnerable service principals, misconfigured applications, and potential pathways for privilege escalation and lateral movement. The impact can range from unauthorized access to sensitive data to full compromise of the Azure AD environment.
Recommendation
- Deploy the Sigma rule
Azure AD Service Principal Enumerationto your SIEM and tune the threshold (spn_count) based on your environment's baseline activity. - Investigate any alerts generated by the
Azure AD Service Principal Enumerationrule, focusing on the user accounts (user_id) and source IPs (src) involved in the enumeration activity. - Monitor Azure AD audit logs for unusual or excessive API requests targeting the
/beta/servicePrincipalsand/v1.0/servicePrincipalsendpoints as mentioned in the rule definition. - Review and restrict service principal permissions based on the principle of least privilege to minimize the potential impact of compromised service principals.
Detection coverage 2
Azure AD Service Principal Enumeration
mediumDetects enumeration of multiple Azure AD service principals via Microsoft Graph API, potentially indicating reconnaissance activity.
Azure AD Service Principal Enumeration - High Volume
highDetects high volume enumeration of Azure AD service principals via Microsoft Graph API, potentially indicating automated reconnaissance activity.
Detection queries are available on the platform. Get full rules →