Azure Service Principal Authentication from Multiple Countries
Detects Azure service principals authenticating from multiple countries within a short time, indicating potentially compromised credentials being used from different geographic locations.
This detection identifies instances where Azure service principals authenticate from multiple countries within a one-hour window. Service principals, designed for non-interactive automation and application access, typically authenticate from consistent locations tied to their deployment infrastructure. Unusual authentication patterns, especially from disparate geographic regions, suggest credential compromise, such as stolen credentials, phished service principal secrets, or compromised automation accounts. This activity may indicate an attacker attempting to gain unauthorized access to cloud resources by leveraging a valid, but compromised, service principal. The references include examples of threat actors using stolen cloud credentials to perform lateral movement and deploy ransomware.
Attack Chain
- Attacker gains initial access to service principal credentials through phishing, credential stuffing, or other means.
- Attacker uses the stolen credentials to authenticate to Azure Active Directory.
- Attacker establishes connections from multiple distinct geographic locations, potentially using VPNs or proxies to mask their true location.
- The service principal successfully authenticates due to the valid credentials.
- Attacker leverages the service principal's assigned roles and permissions to access resources within the Azure environment. This may include storage accounts, virtual machines, or databases.
- Attacker performs reconnaissance to identify valuable data and services.
- Attacker exfiltrates sensitive data or deploys malicious workloads, such as ransomware, to disrupt services and demand ransom payments.
Impact
Compromised service principal credentials can lead to unauthorized access to sensitive data, service disruption, and potential financial loss. Successful attacks may result in data breaches, ransomware deployment, and significant damage to an organization's reputation. While the specific number of victims is unknown, similar cloud-based attacks have affected organizations across various sectors.
Recommendation
- Deploy the Sigma rule
Azure Service Principal Authentication from Multiple Countriesto your SIEM to detect suspicious multi-country sign-ins (seerulessection). - Review Azure AD Audit Logs for recent changes to service principals, such as new credentials or owner changes, as described in the investigation steps.
- Rotate service principal credentials immediately upon detection of suspicious activity and revoke active sessions as recommended in the investigation guide.
- Implement Conditional Access policies to restrict service principal authentication by location, when supported, as outlined in the response and remediation guidance.
- Baseline the expected geographic distribution for each service principal as mentioned in the false positives analysis to reduce false positives.
Detection coverage 2
Azure Service Principal Authentication from Multiple Countries
highDetects when an Azure service principal authenticates from multiple countries within a short time window, potentially indicating compromised credentials.
Azure Service Principal Sign-in from Multiple Cities
mediumDetects when an Azure service principal authenticates from multiple cities within a short time window, suggesting compromised credentials.
Detection queries are available on the platform. Get full rules →