Name:Azure AD Service Principal Created id:f8ba49e7-ffd3-4b53-8f61-e73974583c5d version:3 date:2024-09-30 author:Gowthamaraj Rajendran, Mauricio Velazco, Splunk status:production type:TTP Description:The following analytic detects the creation of a Service Principal in an Azure AD environment. It leverages Azure Active Directory events ingested through EventHub, specifically monitoring the "Add service principal" operation. This activity is significant because Service Principals can be used by adversaries to establish persistence and bypass multi-factor authentication and conditional access policies. If confirmed malicious, this could allow attackers to maintain single-factor access to the Azure AD environment, potentially leading to unauthorized access to resources and prolonged undetected activity. Data_source:
-Azure Active Directory Add service principal
search:`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=* | rename properties.* as * | rename targetResources{}.displayName as displayName | rename targetResources{}.type as type | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName by type, user, result, operationName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_service_principal_created_filter`
how_to_implement:You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment thorough an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category. known_false_positives:Administrator may legitimately create Service Principal. Filter as needed. References: -https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals -https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-8.2.0 -https://www.truesec.com/hub/blog/using-a-legitimate-application-to-create-persistence-and-initiate-email-campaigns -https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html -https://attack.mitre.org/techniques/T1136/003/ drilldown_searches: name:'View the detection results for - "$displayName$"' search:'%original_detection_search% | search displayName = "$displayName$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$displayName$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$displayName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Azure Active Directory Persistence' - 'NOBELIUM Group' asset_type:Azure Active Directory confidence:90 impact:50 message:Service Principal named $displayName$ created by $user$ mitre_attack_id: - 'T1136.003' observable: name:'displayName' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'properties.targetResources{}.displayName' - 'properties.targetResources{}.type' - 'user' - 'properties.result' risk_score:45 security_domain:threat
