
AZT201.2 - Service Principal

With a valid client secret or certificate for an application registration, an adversary can authenticate to Azure AD as that application's service principal from the command line (Az PowerShell or the Azure CLI) and then act with whatever Azure RBAC and directory roles the service principal holds. No interactive user sign-in is involved, so user-focused Conditional Access and MFA policies do not apply to this access.

Resource

Azure Active Directory

Actions

N/A

Examples

# Secret-based login with Az PowerShell ($ClientSecret, $ApplicationId and $TenantId are supplied by the operator)
$SecurePassword = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecurePassword
Connect-AzAccount -Credential $Credential -Tenant $TenantId -ServicePrincipal

# Certificate-based login: import the PFX (protected by $PfxPassword, a SecureString) into the machine store, then authenticate by thumbprint
$import = Import-PfxCertificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword -Exportable
Connect-AzAccount -CertificateThumbprint $import.Thumbprint -ApplicationId $ApplicationId -Tenant $TenantId -ServicePrincipal

# Same two options with the Azure CLI (-p takes either the client secret or the path to a PEM/PFX certificate)
az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>

Detections

Logs

| Data Source | Application | Resource | Log Location |
| --- | --- | --- | --- |
| Azure Active Directory | {Service Principal's Application ID} | Windows Azure Service Management API | Sign-in Logs |

Queries

Service principal sign-ins are written to the AADServicePrincipalSignInLogs table, not to SigninLogs (which holds interactive user sign-ins), so the query reads from that table. Both Connect-AzAccount and az login request a token for Azure Resource Manager, which the logs record under the resource name "Windows Azure Service Management API"; ResultType "0" selects successful sign-ins.

AADServicePrincipalSignInLogs
| where ResultType == "0" and ResourceDisplayName == "Windows Azure Service Management API"
| project TimeGenerated, ServicePrincipalName, ServicePrincipalId, AppId, IPAddress, ResourceDisplayName

Legitimate automation (CI/CD pipelines, backup jobs, management tooling) produces the same events, so baseline the results by ServicePrincipalId and IPAddress and alert on principals or source addresses that have not logged in to Azure Resource Manager before. A burst of failed sign-ins from the same principal immediately before a success is worth a closer look, since it is the pattern left by a guessed or partially stale secret.
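The following is an added example, not code from the ATRM page or from Microsoft. It replays the detection idea of the query above over a constructed export of service principal sign-in records, then applies the baselining and failure-before-success checks a practitioner would layer on top. Field names follow the AADServicePrincipalSignInLogs schema (ResultType, ResourceDisplayName, ServicePrincipalName, ServicePrincipalId, IPAddress, TimeGenerated); the records, the principal IDs and the ALLOWED_AUTOMATION baseline are invented for illustration.

```python
"""Replay the service principal ARM sign-in detection over constructed records.

Added example (not the ATRM page's or Microsoft's code). Field names mimic the
AADServicePrincipalSignInLogs table; all values below are invented.
"""
import json

# Token audience that both Connect-AzAccount and az login request.
ARM_RESOURCE = "Windows Azure Service Management API"

# Constructed sample export, one JSON record per line. The third record is a
# failed attempt (AADSTS7000215, invalid client secret) followed by a success
# from the same principal and address.
SAMPLE_LOGS = """
{"TimeGenerated":"2024-03-01T08:00:12Z","ResultType":"0","ResourceDisplayName":"Windows Azure Service Management API","ServicePrincipalName":"ci-deploy","ServicePrincipalId":"11111111-1111-1111-1111-111111111111","IPAddress":"20.0.0.10"}
{"TimeGenerated":"2024-03-01T08:05:44Z","ResultType":"0","ResourceDisplayName":"Microsoft Graph","ServicePrincipalName":"ci-deploy","ServicePrincipalId":"11111111-1111-1111-1111-111111111111","IPAddress":"20.0.0.10"}
{"TimeGenerated":"2024-03-01T09:17:03Z","ResultType":"7000215","ResourceDisplayName":"Windows Azure Service Management API","ServicePrincipalName":"backup-svc","ServicePrincipalId":"22222222-2222-2222-2222-222222222222","IPAddress":"203.0.113.7"}
{"TimeGenerated":"2024-03-01T09:17:31Z","ResultType":"0","ResourceDisplayName":"Windows Azure Service Management API","ServicePrincipalName":"backup-svc","ServicePrincipalId":"22222222-2222-2222-2222-222222222222","IPAddress":"203.0.113.7"}
"""

# Constructed baseline: (ServicePrincipalId, IPAddress) pairs that are expected
# to sign in to ARM, e.g. a CI/CD deployment identity from a known runner.
ALLOWED_AUTOMATION = {
    ("11111111-1111-1111-1111-111111111111", "20.0.0.10"),
}


def parse_logs(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def successful_arm_signins(records):
    """Equivalent of the KQL filter: successful sign-ins whose token audience is ARM."""
    return [
        r for r in records
        if r.get("ResultType") == "0" and r.get("ResourceDisplayName") == ARM_RESOURCE
    ]


def unexpected_signins(records, baseline):
    """Drop hits from known automation so only unfamiliar principal/IP pairs remain."""
    return [
        r for r in successful_arm_signins(records)
        if (r.get("ServicePrincipalId"), r.get("IPAddress")) not in baseline
    ]


def failures_before_success(records):
    """Per principal, count failed ARM sign-ins that precede its first successful one.

    Only principals that eventually succeed appear in the result; the records are
    ordered by TimeGenerated before counting.
    """
    failed = {}
    result = {}
    for r in sorted(records, key=lambda rec: rec["TimeGenerated"]):
        if r.get("ResourceDisplayName") != ARM_RESOURCE:
            continue
        sp = r.get("ServicePrincipalId")
        if r.get("ResultType") == "0":
            result.setdefault(sp, failed.get(sp, 0))
        else:
            failed[sp] = failed.get(sp, 0) + 1
    return result


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for hit in unexpected_signins(recs, ALLOWED_AUTOMATION):
        print(f"{hit['TimeGenerated']} {hit['ServicePrincipalName']} from {hit['IPAddress']}")
    print(failures_before_success(recs))
```

Run on the constructed data, the baseline removes the ci-deploy sign-in and leaves backup-svc, whose one failed attempt before success is reported separately. Against a real export, feed the output of the KQL query (or the raw table) into parse_logs and maintain the baseline from a trailing window of known-good sign-ins rather than a hard-coded set.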

Detection Screenshots

[screenshot: spclilogin]