Name:Azure AD Service Principal Enumeration id:3f0647ce-add5-4436-8039-cbd1abe74563 version:1 date:2025-01-06 author:Dean Luxton status:production type:TTP Description:This detection leverages azure graph activity logs to identify when graph APIs have been used to identify 10 or more service principals. This type of behaviour is associated with tools such as Azure enumberation tools such as AzureHound or ROADtools. Data_source:
-Azure Active Directory MicrosoftGraphActivityLogs
search:`azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals) | rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/beta\/servicePrincipals\/(?P<servicePrincipalb>.*?)\/" | rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/v1.0\/servicePrincipals\/(?P<servicePrincipalv1>.*?)\/" | eval spn=coalesce(servicePrincipalb,servicePrincipalv1) | stats min(_time) as _time dc(spn) as spn_count values(user) as user values(user_category) as user_category values(src_category) as src_category count by src tenantId properties.userAgent | rename properties.userAgent as user_agent | where spn_count>9 | `azure_ad_service_principal_enumeration_filter`
how_to_implement:Run this detection over historical data to identify then tune out any known services which may be performing this action. Thresholds can be lowered or raised to meet requirements. The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest MicrosoftGraphActivityLogs via Azure EventHub. See reference for links for further details on how to onboard this log source. known_false_positives:Unknown References: -https://github.com/SpecterOps/AzureHound -https://github.com/dirkjanm/ROADtools -https://splunkbase.splunk.com/app/3110 -https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Azure Active Directory Privilege Escalation' - 'Compromised User Account' asset_type:Azure Tenant confidence:100 impact:80 message:$spn_count$ Service Principals have been enumerated by $user$ from IP $src$ mitre_attack_id: - 'T1087.004' - 'T1526' observable: name:'src' type:'IP Address' - role: - 'Attacker' name:'tenantId' type:'User' - role: - 'Victim' name:'user_agent' type:'Other' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'category' - 'properties.requestUri' - 'src' - 'user' risk_score:80 security_domain:identity
