Skip to content

AZT603.1 - Service Principal Secret Reveal: Function App Settings#

If a Function App is using a service principal for authentication, an adversary may manipulate the function app logic to reveal the service principal's secret in plain text.

Resource

Function App

Actions

  • Microsoft.web/sites/functions/read
  • Microsoft.Web/sites/read
  • Microsoft.Web/sites/config/list/action

Examples

Get-AzFunctionAppSetting

az functionapp config appsettings

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/config/appsettings?api-version=2021-02-01

Detections

Detection Details#

No logs are generated when retrieving the settings of a function app.

Queries#

Platform Query
Log Analytics AADServicePrincipalSignInLogs | where ServicePrincipalName == 'NAMEOFFUNCTIONAPP'

Azure Monitor Alert#

Deploy to Azure

Additional Resources

https://docs.microsoft.com/en-us/azure/automation/automation-runbook-execution