Skip to content
Threat Feed
medium advisory

Azure AD Service Principal Enumeration via Microsoft Graph API

An attacker uses Microsoft Graph API to enumerate multiple Azure AD service principals, potentially using tools like AzureHound or ROADtools, to gather information for privilege escalation or lateral movement.

This brief focuses on the enumeration of Azure Active Directory (AD) service principals using the Microsoft Graph API. Attackers, potentially leveraging tools like AzureHound or ROADtools, can query the Graph API to identify and gather information about service principals within an Azure AD environment. This activity often indicates reconnaissance efforts aimed at identifying potential targets for privilege escalation or lateral movement. The detection identifies instances where 10 or more service principals are enumerated. Defenders should be aware of this technique as it allows attackers to map out the attack surface within Azure AD.

Attack Chain

  1. The attacker gains initial access to an Azure AD account, possibly through compromised credentials or other means.
  2. The attacker authenticates to the Microsoft Graph API using the compromised account.
  3. The attacker crafts a series of API requests targeting the /beta/servicePrincipals or /v1.0/servicePrincipals endpoints.
  4. The attacker executes these requests to enumerate service principals within the Azure AD environment.
  5. The attacker collects the responses from the Graph API, extracting relevant information about each service principal, such as application IDs, display names, and service principal names (SPNs).
  6. The attacker analyzes the collected data to identify potential targets for privilege escalation or lateral movement based on the permissions and roles associated with each service principal.
  7. The attacker attempts to exploit misconfigured service principals or applications with excessive permissions, potentially leading to unauthorized access to sensitive resources or data.

Impact

Successful enumeration of Azure AD service principals can provide attackers with a comprehensive understanding of the organization's cloud infrastructure. This knowledge can be leveraged to identify vulnerable service principals, misconfigured applications, and potential pathways for privilege escalation and lateral movement. The impact can range from unauthorized access to sensitive data to full compromise of the Azure AD environment.

Recommendation

  • Deploy the Sigma rule Azure AD Service Principal Enumeration to your SIEM and tune the threshold (spn_count) based on your environment's baseline activity.
  • Investigate any alerts generated by the Azure AD Service Principal Enumeration rule, focusing on the user accounts (user_id) and source IPs (src) involved in the enumeration activity.
  • Monitor Azure AD audit logs for unusual or excessive API requests targeting the /beta/servicePrincipals and /v1.0/servicePrincipals endpoints as mentioned in the rule definition.
  • Review and restrict service principal permissions based on the principle of least privilege to minimize the potential impact of compromised service principals.

Detection coverage 2

Azure AD Service Principal Enumeration

medium

Detects enumeration of multiple Azure AD service principals via Microsoft Graph API, potentially indicating reconnaissance activity.

sigma tactics: discovery techniques: T1087.004, T1526 sources: webserver, linux

Azure AD Service Principal Enumeration - High Volume

high

Detects high volume enumeration of Azure AD service principals via Microsoft Graph API, potentially indicating automated reconnaissance activity.

sigma tactics: discovery techniques: T1087.004, T1526 sources: webserver, linux

Detection queries are available on the platform. Get full rules →