{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/service-principal/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","cloud","service principal","persistence","lateral movement"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe creation of service principals in Azure can be a legitimate administrative task, but it can also be an indicator of malicious activity. Attackers may create service principals to establish persistence, move laterally within the Azure environment, or gain unauthorized access to resources. This activity is particularly concerning when performed by unfamiliar users or from unusual locations. Monitoring for unexpected service principal creation is crucial for detecting potential security breaches in Azure environments. This alert focuses on detecting the \u0026ldquo;Add service principal\u0026rdquo; message within Azure Activity Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure account, possibly through compromised credentials or a vulnerable application.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses Azure CLI with the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to create a new service principal using tools like Azure CLI or PowerShell.\u003c/li\u003e\n\u003cli\u003eAzure Activity Logs record the \u0026ldquo;Add service principal\u0026rdquo; event.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns roles and permissions to the newly created service principal, granting it access to specific resources.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the service principal for lateral movement, accessing resources or services within the Azure environment.\u003c/li\u003e\n\u003cli\u003eThe service principal is used for persistence, allowing the attacker to maintain access even if the initial access method is revoked.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful creation and misuse of a service principal can lead to unauthorized access to sensitive data, resources, and services within the Azure environment. The impact can range from data breaches and service disruption to complete control over the Azure subscription, potentially affecting hundreds or thousands of resources and users. The attacker can leverage the compromised service principal to perform actions with the permissions assigned to it, leading to significant damage and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Azure Service Principal Created\u0026rdquo; to your SIEM and tune for your environment to detect suspicious service principal creations.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Azure Service Principal Created\u0026rdquo; rule (logsource: azure) by verifying the user identity, user agent, and hostname associated with the event.\u003c/li\u003e\n\u003cli\u003eReview and audit existing service principals and their assigned permissions to identify any anomalies or overly permissive configurations.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts to reduce the risk of credential compromise and unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-azure-sp-creation/","summary":"Detects the creation of a service principal in Azure, which could indicate potential attacker activity for lateral movement or persistence.","title":"Detection of Azure Service Principal Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-sp-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","service principal","stealth","cloud"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe removal of a service principal within an Azure environment can be indicative of various activities, ranging from legitimate administrative tasks to malicious actions undertaken by threat actors attempting to cover their tracks. While service principals are routinely removed as part of lifecycle management, unauthorized or unexpected removals should be investigated promptly. This detection focuses on identifying such removals through Azure Activity Logs, allowing security teams to quickly respond to potentially suspicious events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to an Azure account through compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a service principal used for malicious purposes or to maintain persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to remove the service principal to evade detection or disrupt incident response efforts.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the necessary commands or uses the Azure portal to initiate the service principal removal. This action is logged in the Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eThe Azure Activity Logs record an event with the message \u0026ldquo;Remove service principal\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers based on the \u0026ldquo;Remove service principal\u0026rdquo; message in the Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the event, examining the user identity, user agent, and hostname associated with the removal.\u003c/li\u003e\n\u003cli\u003eIf the removal is deemed unauthorized or suspicious, further incident response procedures are initiated.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful removal of a service principal by a malicious actor can disrupt legitimate applications relying on that principal for authentication and authorization. It can also hinder incident response efforts by eliminating a potential avenue for investigation or remediation. The impact can range from service disruptions to prolonged breaches if the attacker successfully covers their tracks. The number of affected applications and the severity of the disruption depend on the role and permissions associated with the removed service principal.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Azure Service Principal Removed\u0026rdquo; to your SIEM and tune for your environment, focusing on identifying legitimate administrator activity to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instance of service principal removal, focusing on the user identity, user agent, and hostname from the Azure Activity Logs to determine legitimacy.\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs for related activities occurring before and after the service principal removal.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:27:00Z","date_published":"2024-01-03T14:27:00Z","id":"/briefs/2024-01-azure-service-principal-removed/","summary":"Detection of a service principal removal in Azure, potentially indicating malicious activity or an attempt to remove evidence of a compromise.","title":"Azure Service Principal Removal Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-service-principal-removed/"}],"language":"en","title":"CraftedSignal Threat Feed — Service Principal","version":"https://jsonfeed.org/version/1.1"}