Skip to content
Threat Feed
high advisory

Azure AD Service Principal Created

The creation of a Service Principal in an Azure AD environment is detected, which can be used by adversaries to establish persistence and bypass multi-factor authentication.

This threat brief addresses the detection of Service Principal creation within Azure Active Directory (Azure AD) environments. The creation of Service Principals is a legitimate administrative function, but malicious actors can abuse them to establish persistence, bypass multi-factor authentication (MFA), and circumvent conditional access policies. By monitoring Azure AD audit logs for the "Add service principal" operation, defenders can identify potentially malicious Service Principal creation events. The references included highlight the risk of using seemingly legitimate applications for malicious purposes, such as persistence and initiating email campaigns, as well as backdooring Azure applications. Successful exploitation can lead to unauthorized resource access and prolonged undetected activity.

Attack Chain

  1. The adversary gains initial access to an Azure AD tenant, potentially through compromised credentials or other means.
  2. The attacker authenticates to the Azure AD environment with sufficient privileges to create Service Principals.
  3. The adversary initiates the creation of a new Service Principal using the Azure portal, PowerShell, or other management tools.
  4. The attacker configures the Service Principal with specific permissions, roles, and credentials to enable persistent access to resources.
  5. The adversary leverages the newly created Service Principal to authenticate and access protected resources, bypassing MFA and conditional access policies.
  6. The attacker performs malicious activities, such as data exfiltration, lateral movement, or resource manipulation, using the Service Principal's granted permissions.
  7. The adversary attempts to maintain the Service Principal's access and evade detection by disabling audit logs or other security controls.

Impact

Compromise via rogue Service Principal creation allows attackers to maintain persistent access to Azure AD resources, even if user accounts are secured with MFA. This can lead to significant data breaches, unauthorized access to critical systems, and prolonged undetected malicious activity within the Azure environment. The impact can range from data theft and service disruption to complete control over the organization's cloud infrastructure. The TrueSec blog post highlights the potential for using legitimate applications to establish persistence and initiate email campaigns.

Recommendation

  • Deploy the Sigma rule Azure AD Service Principal Created to your SIEM and tune for your environment to detect suspicious Service Principal creation events based on the Azure AD "Add service principal" operation.
  • Review and audit newly created Service Principals for unusual permissions or configurations using Azure AD audit logs (azure_monitor_aad).
  • Implement alerting and monitoring for Service Principals that bypass MFA or conditional access policies as described in the overview.
  • Investigate and validate any alerts generated by the Sigma rule by examining the associated Azure AD logs and user activity, correlating with the displayName field and other event details.
  • Monitor for unexpected activity from Service Principals, such as unusual resource access or privilege escalation attempts.
  • Review and harden Azure AD security policies to prevent unauthorized Service Principal creation.

Detection coverage 2

Azure AD Service Principal Created

high

Detects the creation of a Service Principal in Azure AD, which can be indicative of malicious activity.

sigma tactics: persistence techniques: T1136.003 sources: authentication, azure

Azure AD Service Principal Creation - Unusual User Agent

medium

Detects Service Principal creation with uncommon user agent strings, potentially indicating automated or malicious activity.

sigma tactics: persistence techniques: T1136.003 sources: authentication, azure

Detection queries are available on the platform. Get full rules →