
AZT201.2 - Service Principal

With a valid secret or certificate for an application, an adversary may log in to Azure AD from the command line as that service principal.

Resource

Azure Active Directory

Actions

N/A

Examples

```powershell
# Client-secret sign-in: $ApplicationId and $SecurePassword (a SecureString) are assumed to be set;
# $Context is assumed to come from a prior Get-AzContext. The tenant id must not be single-quoted,
# otherwise PowerShell passes the literal string '$Context.Tenant.Id' instead of the value.
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecurePassword
Connect-AzAccount -Credential $Credential -Tenant $Context.Tenant.Id -ServicePrincipal

# Certificate sign-in: import the PFX into the machine store, then authenticate with its thumbprint
$import = Import-PfxCertificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\My -Password $SecurePassword -Exportable
$thumbprint = $import.Thumbprint
Connect-AzAccount -CertificateThumbprint "$thumbprint" -ApplicationId "$appID" -Tenant "$tenant"
```

```bash
# Azure CLI equivalent; <password-or-cert> is either the client secret or a path to a PEM certificate
az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
```

Detections

Logs

| Data Source | Application | Resource | Log Provider |
|---|---|---|---|
| Azure Active Directory | {Service Principal's Application ID} | Windows Azure Service Management API | AADServicePrincipalSignInLogs |

Detection Screenshots

[Screenshot: spclilogin]

Queries

| Platform | Query |
|---|---|
| Log Analytics | `AADServicePrincipalSignInLogs \| where ServicePrincipalId == 'IDGOESHERE'` |
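
The fixed-ID query above only fires for one known service principal. As an added example (not ATRM's or Microsoft's code), the following baseline check runs over constructed rows shaped like AADServicePrincipalSignInLogs (the column names are the real table's; the timestamps, SP ids, IPs and key ids are made up) and flags a sign-in that uses a credential key id or source IP never seen for that principal before, while still honouring a watchlist of specific ids.

```python
"""Baseline check over AADServicePrincipalSignInLogs-shaped rows (constructed sample data).
Column names match the Log Analytics table; ISO-8601 UTC timestamps compare as strings."""
from collections import defaultdict

# Constructed rows: an automation SP signing in from its usual host with key-01,
# then a sign-in using a newly added credential (key-02) from an unfamiliar address.
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-03-01T02:00:00Z", "ServicePrincipalId": "sp-1111",
     "ServicePrincipalName": "build-pipeline", "IPAddress": "10.0.0.5",
     "ServicePrincipalCredentialKeyId": "key-01", "ResultType": "0"},
    {"TimeGenerated": "2024-03-02T02:00:00Z", "ServicePrincipalId": "sp-1111",
     "ServicePrincipalName": "build-pipeline", "IPAddress": "10.0.0.5",
     "ServicePrincipalCredentialKeyId": "key-01", "ResultType": "0"},
    {"TimeGenerated": "2024-03-09T14:12:00Z", "ServicePrincipalId": "sp-1111",
     "ServicePrincipalName": "build-pipeline", "IPAddress": "203.0.113.7",
     "ServicePrincipalCredentialKeyId": "key-02", "ResultType": "0"},
]

def build_baseline(rows, before):
    """Per service principal, the credential key ids and source IPs seen in
    successful sign-ins (ResultType 0) strictly before the cutoff timestamp."""
    base = defaultdict(lambda: {"keys": set(), "ips": set()})
    for r in rows:
        if r["TimeGenerated"] < before and r["ResultType"] == "0":
            base[r["ServicePrincipalId"]]["keys"].add(r["ServicePrincipalCredentialKeyId"])
            base[r["ServicePrincipalId"]]["ips"].add(r["IPAddress"])
    return base

def find_anomalies(rows, since, baseline, watchlist=()):
    """Return (time, SP name, reasons) for successful sign-ins at or after `since`
    that use a credential or IP absent from the baseline, or that come from a
    watched SP id (the equivalent of the page's ServicePrincipalId filter)."""
    alerts = []
    for r in rows:
        if r["TimeGenerated"] < since or r["ResultType"] != "0":
            continue
        reasons = []
        sp = r["ServicePrincipalId"]
        if sp in watchlist:
            reasons.append("watched service principal")
        if sp not in baseline:
            reasons.append("no baseline for this service principal")
        else:
            if r["ServicePrincipalCredentialKeyId"] not in baseline[sp]["keys"]:
                reasons.append("new credential key id")
            if r["IPAddress"] not in baseline[sp]["ips"]:
                reasons.append("new source IP")
        if reasons:
            alerts.append((r["TimeGenerated"], r["ServicePrincipalName"], reasons))
    return alerts
```

On the sample rows, a baseline cut at 2024-03-08 yields one alert for the key-02 sign-in with both a new credential key id and a new source IP.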

Azure Monitor Alert

Deploy to Azure