Azure Owner Removed from Application or Service Principal
An adversary may remove an owner from an Azure application or service principal to weaken access controls, persist in the environment, or escalate privileges.
The removal of an owner from an Azure application or service principal can be indicative of malicious activity. An attacker who has gained initial access to an Azure environment might attempt to remove owners from service principals or applications to hinder incident response, establish persistence, or escalate their privileges. This action could be part of a broader attack aimed at compromising cloud resources and data. Detecting this activity is crucial for identifying potentially compromised accounts and preventing further damage within the Azure environment. The activity is logged within the Azure Activity Logs.
Attack Chain
- The attacker gains initial access to an Azure account through compromised credentials or by exploiting a vulnerability.
- The attacker enumerates available applications and service principals within the Azure environment to identify potential targets.
- The attacker identifies an application or service principal with elevated permissions that would be beneficial to compromise.
- The attacker attempts to remove the existing owner from the target application or service principal via the Azure portal, PowerShell, or Azure CLI.
- The Azure Activity Logs record an event indicating “Remove owner from service principal” or “Remove owner from application”.
- If successful, the attacker may assign themselves as the new owner or further modify the permissions of the application or service principal to achieve their objectives.
- The attacker leverages the compromised application or service principal to access sensitive resources, exfiltrate data, or deploy malicious workloads.
Impact
Successful removal of an owner from an Azure application or service principal can lead to a significant compromise of cloud resources. This action can disrupt normal operations, allow unauthorized access to sensitive data, and provide a persistent foothold for attackers within the Azure environment. The lack of an owner can prevent proper oversight and incident response, potentially leading to prolonged compromise and increased damage.
Recommendation
- Deploy the Sigma rule “Azure Owner Removed From Application or Service Principal” to your SIEM and tune for your environment to detect suspicious owner removal activity in Azure Activity Logs.
- Investigate any alerts generated by the Sigma rule, focusing on unfamiliar user identities and unusual user agents in the Azure Activity Logs.
- Implement multi-factor authentication (MFA) for all Azure accounts to reduce the risk of credential compromise, which is often the initial access vector.
- Regularly review and audit the permissions assigned to applications and service principals to identify and remediate any excessive or unnecessary privileges.
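The two detections listed below (owner removal, and owner removal via an unusual user agent) can be prototyped outside a SIEM so that analysts can see what the rule logic matches before tuning it. The following Python script is an added example and is not the page's or any vendor's rule; it matches the two operation names quoted in the attack chain above and flags events whose user agent falls outside an expected set. The log-record field layout (operationName, initiatedBy.user.userPrincipalName, initiatedBy.user.userAgent, targetResources) and the sample records are constructed for the example, and the list of expected user-agent prefixes is an assumption to be replaced with a baseline from your own logs.

```python
"""Toy detector: owner removed from an Azure application or service principal.

Scans exported log records (one JSON object per line) for the two operation
names described on the page and flags events issued from an unexpected user
agent. Example code only; not the Sigma rule itself.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Operation names quoted in the attack chain on the page.
OWNER_REMOVAL_OPERATIONS = {
    "Remove owner from service principal",
    "Remove owner from application",
}

# Assumption (constructed list): user-agent prefixes your administrators
# normally use. Replace with prefixes observed over a baseline period.
EXPECTED_USER_AGENT_PREFIXES = (
    "Mozilla/5.0",        # browser sessions to the Azure portal
    "AzureCLI/",          # Azure CLI
    "AzurePowershell/",   # Az PowerShell module
)


@dataclass(frozen=True)
class Finding:
    event_id: str
    actor: str
    target: str
    operation: str
    user_agent: str
    severity: str
    reasons: Tuple[str, ...]


def is_unusual_user_agent(user_agent: str) -> bool:
    """True when the agent string is empty or matches no expected prefix."""
    if not user_agent:
        return True
    return not user_agent.startswith(EXPECTED_USER_AGENT_PREFIXES)


def evaluate_event(event: dict) -> Optional[Finding]:
    """Return a Finding for an owner-removal event, otherwise None."""
    operation = event.get("operationName", "")
    if operation not in OWNER_REMOVAL_OPERATIONS:
        return None
    initiator = event.get("initiatedBy", {}).get("user", {})
    actor = initiator.get("userPrincipalName", "<unknown>")
    user_agent = initiator.get("userAgent", "")
    targets = event.get("targetResources", [])
    target = targets[0].get("displayName", "<unknown>") if targets else "<unknown>"
    reasons = ["owner_removed"]
    if is_unusual_user_agent(user_agent):
        reasons.append("unusual_user_agent")
    # Both page rules are rated medium; the reasons tuple tells them apart.
    return Finding(
        event_id=event.get("id", "<no-id>"),
        actor=actor,
        target=target,
        operation=operation,
        user_agent=user_agent,
        severity="medium",
        reasons=tuple(reasons),
    )


def scan_events(events: Iterable[dict]) -> List[Finding]:
    """Run evaluate_event over parsed records and keep the hits."""
    return [f for f in (evaluate_event(e) for e in events) if f is not None]


def scan_json_lines(lines: Iterable[str]) -> List[Finding]:
    """Parse one JSON record per line, then scan."""
    return scan_events(json.loads(line) for line in lines)


# Constructed sample records (not real log data); simplified field layout.
SAMPLE_LOG_LINES = [
    json.dumps({"id": "evt-0001", "operationName": "Remove owner from service principal",
                "result": "success",
                "initiatedBy": {"user": {"userPrincipalName": "admin@example.com",
                                         "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}},
                "targetResources": [{"displayName": "billing-automation-sp",
                                     "type": "ServicePrincipal"}]}),
    json.dumps({"id": "evt-0002", "operationName": "Add owner to application",
                "result": "success",
                "initiatedBy": {"user": {"userPrincipalName": "admin@example.com",
                                         "userAgent": "AzureCLI/2.61.0"}},
                "targetResources": [{"displayName": "hr-portal", "type": "Application"}]}),
    json.dumps({"id": "evt-0003", "operationName": "Remove owner from application",
                "result": "success",
                "initiatedBy": {"user": {"userPrincipalName": "svc-deploy@example.com",
                                         "userAgent": "python-requests/2.31.0"}},
                "targetResources": [{"displayName": "finance-reporting-app",
                                     "type": "Application"}]}),
]

if __name__ == "__main__":
    for finding in scan_json_lines(SAMPLE_LOG_LINES):
        print(f"[{finding.severity}] {finding.event_id}: {finding.actor} -> "
              f"{finding.operation} on {finding.target} "
              f"(ua={finding.user_agent!r}, reasons={', '.join(finding.reasons)})")
```

Running the script prints two findings: evt-0001 matches the plain owner-removal rule, and evt-0003 additionally carries the unusual_user_agent reason because python-requests is not in the expected set. The event in the middle (an owner being added) is ignored, which mirrors the narrow scope of the page's rules; an allowlist keyed on actor identity, as the investigation guidance above suggests, would be the natural next tuning step.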
Detection coverage (2 rules)
Azure Owner Removed From Application or Service Principal
Severity: medium. Detects when an owner is removed from an application or service principal in Azure.
Azure Owner Removed via Unusual User Agent
Severity: medium. Detects when an owner is removed from an application or service principal in Azure via an unusual user agent.