Detection of Azure Service Principal Creation
Detects the creation of a service principal in Azure, which could indicate potential attacker activity for lateral movement or persistence.
The creation of service principals in Azure can be a legitimate administrative task, but it can also be an indicator of malicious activity. Attackers may create service principals to establish persistence, move laterally within the Azure environment, or gain unauthorized access to resources. This activity is particularly concerning when performed by unfamiliar users or from unusual locations. Monitoring for unexpected service principal creation is crucial for detecting potential security breaches in Azure environments. This alert focuses on detecting the “Add service principal” message within Azure Activity Logs.
Attack Chain
- An attacker gains initial access to an Azure account, possibly through compromised credentials or a vulnerable application.
- The attacker authenticates to the Azure portal or uses Azure CLI with the compromised credentials.
- The attacker executes commands to create a new service principal using tools like Azure CLI or PowerShell.
- Azure Activity Logs record the “Add service principal” event.
- The attacker assigns roles and permissions to the newly created service principal, granting it access to specific resources.
- The attacker leverages the service principal for lateral movement, accessing resources or services within the Azure environment.
- The service principal is used for persistence, allowing the attacker to maintain access even if the initial access method is revoked.
Impact
Successful creation and misuse of a service principal can lead to unauthorized access to sensitive data, resources, and services within the Azure environment. The impact can range from data breaches and service disruption to complete control over the Azure subscription, potentially affecting hundreds or thousands of resources and users. The attacker can leverage the compromised service principal to perform actions with the permissions assigned to it, leading to significant damage and financial loss.
Recommendation
- Deploy the Sigma rule “Azure Service Principal Created” to your SIEM and tune for your environment to detect suspicious service principal creations.
- Investigate any alerts generated by the “Azure Service Principal Created” rule (logsource: azure) by verifying the user identity, user agent, and hostname associated with the event.
- Review and audit existing service principals and their assigned permissions to identify any anomalies or overly permissive configurations.
- Implement multi-factor authentication (MFA) for all user accounts to reduce the risk of credential compromise and unauthorized access.
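As an added example (not the page's own rule or the platform's query), the triage logic below applies the "Add service principal" check from the description to a few constructed audit-log records and pulls out the context the investigation step asks for (who created it, from where, which principal). The record field names (operationName, initiatedBy, targetResources) follow the shape of Azure AD audit log entries but are assumptions here, and the allow-lists are placeholders to tune per environment.

```python
"""Flag successful "Add service principal" events in Azure audit records."""
import json

# Placeholder allow-lists (assumed values): identities and egress ranges that
# are expected to create service principals, e.g. an IaC pipeline account.
KNOWN_CREATORS = {"iac-pipeline@example.com"}
KNOWN_IP_PREFIXES = ("10.0.",)

# Constructed sample records (newline-delimited JSON), not real log data.
SAMPLE_LOGS = """
{"operationName": "Add service principal", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "iac-pipeline@example.com", "ipAddress": "10.0.4.12"}}, "targetResources": [{"displayName": "deploy-sp-prod"}]}
{"operationName": "Add service principal", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "j.doe@example.com", "ipAddress": "203.0.113.7"}}, "targetResources": [{"displayName": "backup-helper"}]}
{"operationName": "Add service principal", "result": "failure", "initiatedBy": {"user": {"userPrincipalName": "j.doe@example.com", "ipAddress": "203.0.113.7"}}, "targetResources": [{"displayName": "backup-helper"}]}
{"operationName": "Update user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": "10.0.4.2"}}, "targetResources": [{"displayName": "someone"}]}
"""


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(record):
    """Return an alert for a successful 'Add service principal' event, else None.

    The alert carries the actor, source IP and created principal names so an
    analyst can verify the identity and origin, plus a list of anomalies that
    should raise the priority of the review (unfamiliar creator, unusual IP).
    """
    if record.get("operationName") != "Add service principal":
        return None
    if record.get("result") != "success":
        return None  # failed attempts are worth a separate, lower-priority signal
    initiated = record.get("initiatedBy", {})
    # The creator may be a user or another application identity (assumed keys).
    actor = initiated.get("user") or initiated.get("app") or {}
    who = actor.get("userPrincipalName") or actor.get("displayName") or "<unknown>"
    ip = actor.get("ipAddress", "<unknown>")
    targets = [t.get("displayName", "<unnamed>") for t in record.get("targetResources", [])]
    anomalies = []
    if who not in KNOWN_CREATORS:
        anomalies.append("unfamiliar creator")
    if not ip.startswith(KNOWN_IP_PREFIXES):
        anomalies.append("unusual source IP")
    return {"actor": who, "ip": ip, "service_principals": targets,
            "severity": "medium", "anomalies": anomalies}


def scan(text):
    """Run triage over every record and keep only the alerts."""
    return [alert for alert in map(triage, parse_records(text)) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(json.dumps(alert))
```

Every successful creation produces an alert, matching the rule's medium baseline; the anomalies list is what tuning should act on, so the known pipeline account in the sample comes through clean while the unfamiliar user from an external address is marked for investigation.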
Detection coverage (3 rules)
- Azure Service Principal Created - CLI (severity: medium): Detects service principal creation via Azure CLI
- Azure Service Principal Created - Portal (severity: medium): Detects service principal creation logged in Azure Activity Logs
- PowerShell Azure Service Principal Creation (severity: medium): Detects creation of a Service Principal using PowerShell