Tag
low
advisory
Entra ID Service Principal Creation for Persistence
2 rules 1 TTPAn adversary may create a new service principal in Microsoft Entra ID to establish persistence and potentially impersonate legitimate services or applications, blending in with normal activity.
Microsoft Entra ID +1
azure
entra_id
service_principal
persistence
2r
1t
medium
advisory
Entra ID Service Principal Sign-in from Unusual Source ASN
2 rules 2 TTPsDetects Entra ID service principal sign-ins from a source ASN that is unusual based on a history window, potentially indicating compromised credentials or a rogue application.
Microsoft Entra ID
azure
entra_id
service_principal
initial_access
2r
2t
high
threat
O365 Service Principal Creation Detection
2 rules 1 TTPDetection of new service principal creation in O365 tenants, which can be abused by attackers for unauthorized access, API interaction, and data compromise.
Office 365 +5
NOBELIUM Group
cloud
o365
service_principal
persistence
azuread
2r
1t
medium
advisory
Entra ID Service Principal Credentials Created by Unusual User
2 rules 2 TTPsAnomalous addition of credentials to an Entra ID service principal by a user not typically performing this action can indicate potential persistence and privilege escalation by an attacker.
Entra ID +1
azure
entra_id
service_principal
persistence
privilege_escalation
2r
2t