Skip to content
Threat Feed
high advisory

Azure AD Service Principal Authentication Monitoring

This analytic identifies authentication events of service principals in Azure Active Directory, monitoring sign-in frequency, timing, source IPs, and accessed resources to detect potential anomalies indicative of compromised credentials or malicious activities.

This analytic focuses on detecting suspicious authentication patterns of service principals within Azure Active Directory. Service principals are non-human identities used by applications and services to access Azure resources. Monitoring their authentication activity is crucial because compromised service principal credentials can grant attackers unauthorized access to sensitive data and services. The detection logic analyzes Azure AD sign-in logs (ServicePrincipalSignInLogs) to identify anomalies in sign-in frequency, source IP addresses, accessed resources, and other relevant attributes. Analyzing service principal authentication is vital for SOC teams as it allows them to distinguish between legitimate application behavior and potentially malicious activities, such as account takeovers. This detection is designed to work with data ingested via the Splunk Add-on for Microsoft Cloud Services.

Attack Chain

  1. The attacker gains unauthorized access to a service principal's credentials through credential stuffing or other means.
  2. The attacker uses the compromised service principal credentials to authenticate to Azure AD.
  3. The attacker leverages the authenticated service principal to access resources within the Azure environment.
  4. The attacker attempts to elevate privileges by accessing resources and services that the service principal is authorized to manage.
  5. The attacker compromises sensitive data by accessing storage accounts, databases, or other data repositories.
  6. The attacker moves laterally within the Azure environment by using the compromised service principal to authenticate to other resources and services.
  7. The attacker establishes persistence by creating new service principals or modifying existing ones.
  8. The attacker exfiltrates sensitive data from the Azure environment.

Impact

A successful attack targeting Azure AD service principals can have severe consequences, including unauthorized access to critical resources, data breaches, and lateral movement within the Azure environment. Attackers can leverage compromised service principals to steal sensitive data, disrupt services, and escalate privileges. Depending on the scope of access, the damage could range from a targeted data breach to a widespread compromise of the entire Azure environment.

Recommendation

  • Deploy the Sigma rule "Azure AD Service Principal Authentication Anomaly" to your SIEM and tune for your environment.
  • Investigate any alerts generated by the Sigma rule "Azure AD Service Principal Authentication Anomaly" to determine if the activity is legitimate or malicious.
  • Enable Azure Active Directory Sign-in activity logging to capture the necessary data for this detection.
  • Review service principal permissions regularly to ensure that they are least-privilege and appropriate for the service's function.
  • Implement multi-factor authentication (MFA) for service principals where possible to prevent unauthorized access.
  • Monitor the azure_monitor_aad data source, specifically targeting "Sign-in activity" within ServicePrincipalSignInLogs.

Detection coverage 2

Azure AD Service Principal Authentication Anomaly

medium

Detects anomalous Azure AD Service Principal authentication events based on unusual source IPs.

sigma tactics: initial_access techniques: T1078.004 sources: network_connection, azure

Azure AD Service Principal Sign-in without MFA

info

Detects service principal sign-ins without multi-factor authentication.

sigma tactics: initial_access techniques: T1078.004 sources: network_connection, azure

Detection queries are available on the platform. Get full rules →