Skip to content
Threat Feed
medium advisory

Entra ID Service Principal Credentials Created by Unusual User

Anomalous addition of credentials to an Entra ID service principal by a user not typically performing this action can indicate potential persistence and privilege escalation by an attacker.

This detection identifies when new Service Principal credentials (client secrets or certificates) are added in Microsoft Entra ID by a user who has not previously performed this action in the last 10 days. Attackers who gain access to a user account may add rogue credentials to service principals to maintain unauthorized access to cloud resources, bypassing MFA requirements. This activity may indicate an attacker attempting to establish persistence or escalate privileges within the Azure environment. The rule leverages the azure.auditlogs dataset to identify unusual activity related to service principal credential management. This is a New Terms rule that detects rare users performing sensitive identity-related actions in Entra ID.

Attack Chain

  1. Attacker gains initial access to a user account through compromised credentials or other means (T1078).
  2. Attacker identifies a target service principal with valuable permissions within the Azure environment.
  3. Attacker navigates to the Entra ID portal or uses Azure CLI/PowerShell to manage the target service principal.
  4. Attacker adds a new credential (client secret or certificate) to the service principal using Add service principal credentials operation.
  5. The operation is logged in the Azure Audit Logs with event outcome as success and operation name containing the event.
  6. Attacker uses the newly added credential to authenticate as the service principal and access protected resources (T1098.001).
  7. Attacker leverages the service principal's permissions to perform unauthorized actions, such as data exfiltration or resource modification.
  8. The attacker maintains persistent access to the environment through the rogue service principal credential.

Impact

A successful attack can lead to unauthorized access to sensitive data and resources within the Azure environment. The impact includes potential data breaches, financial loss, and reputational damage. By compromising a service principal, attackers can bypass multi-factor authentication (MFA) and other security controls, leading to privilege escalation and lateral movement. If successful, the attacker could access data normally protected by MFA requirements.

Recommendation

  • Deploy the Sigma rule "Entra ID Service Principal Credentials Created by Unusual User" to your SIEM and tune for your environment.
  • Investigate any alerts generated by the Sigma rule by reviewing the user account, source IP, and credential type.
  • Review RBAC and Least Privilege: Ensure that only authorized identities have permission to add credentials to service principals (T1098.001).
  • Enable logging for Azure Audit Logs to provide the data source for the Sigma rules.
  • Consider implementing access control policies that require approvals for modifying service principals or adding credentials.

Detection coverage 2

Entra ID Service Principal Credentials Added

medium

Detects when new Service Principal credentials have been added in Microsoft Entra ID.

sigma tactics: persistence, privilege_escalation techniques: T1098.001 sources: audit, azure

Entra ID Service Principal Credentials Created by Unusual User

medium

Detects addition of credentials to an Entra ID service principal by a user not previously performing this action.

sigma tactics: persistence, privilege_escalation techniques: T1098.001 sources: audit, azure

Detection queries are available on the platform. Get full rules →