AZT201.2 - Service Principal#
By obtaining a valid client secret or certificate for an application, an adversary can sign in to Azure AD as that application's service principal from the command line (Az PowerShell or the Azure CLI). The sign-in is non-interactive, so user MFA prompts do not apply, and the resulting session carries whatever Azure RBAC roles and API permissions the service principal holds.
Resource
Azure Active Directory
Actions
N/A
Examples
```powershell
# Client secret: $ApplicationId is the app (client) ID, $SecurePassword the secret as a SecureString, $TenantId the tenant ID
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecurePassword
Connect-AzAccount -ServicePrincipal -Credential $Credential -Tenant $TenantId
# Certificate: import the PFX (LocalMachine\My needs admin; CurrentUser\My does not), then authenticate by thumbprint
$import = Import-PfxCertificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\My -Password $SecurePassword -Exportable
Connect-AzAccount -ServicePrincipal -CertificateThumbprint $import.Thumbprint -ApplicationId $ApplicationId -Tenant $TenantId
```
```bash
# Azure CLI: -p takes the client secret or the path to a PEM file holding the private key and certificate
az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
```
Detections
Logs#
Data Source | Application | Resource | Log Location
---|---|---|---
Azure Active Directory | {Service Principal's Application ID} | Windows Azure Service Management API | Sign-in Logs (Service principal sign-ins tab; exported to the `AADServicePrincipalSignInLogs` table when the `ServicePrincipalSignInLogs` diagnostic category is enabled)
Queries#
```kql
// Successful service principal sign-ins to the Azure Resource Manager API
AADServicePrincipalSignInLogs
| where ResultType == "0" and ResourceDisplayName == "Windows Azure Service Management API"
```

Service principal sign-ins are not written to the `SigninLogs` table in Log Analytics (that table holds interactive user sign-ins), so a query over `SigninLogs` returns nothing for this technique; `ResultType == "0"` is the success test on the service principal table. Every legitimate automation sign-in to ARM also matches, so treat this as a hunting query and alert on deviations: a service principal that has never signed in to ARM before, a known service principal appearing from a new source IP, or sign-ins outside its usual schedule.
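The baselining described above, run over a handful of constructed sign-in records, as an added example that is not part of the original page. It mimics the columns of `AADServicePrincipalSignInLogs` (`TimeGenerated`, `ResultType`, `ResourceDisplayName`, `ServicePrincipalId`, `ServicePrincipalName`, `IPAddress`); the rows, service principal names and IP addresses are invented, and Python stands in for the KQL you would run in Log Analytics.

```python
"""Flag anomalous service principal sign-ins to the ARM API.

Added example; the rows below are constructed, not real tenant data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ARM_API = "Windows Azure Service Management API"

# Constructed sample rows (UTC ISO-8601 timestamps), in time order.
SAMPLE_LOGS = [
    # Established automation: ci-deploy signs in to ARM from 20.0.0.10
    {"TimeGenerated": "2024-05-01T02:00:00Z", "ResultType": "0", "ResourceDisplayName": ARM_API,
     "ServicePrincipalId": "sp-deploy", "ServicePrincipalName": "ci-deploy", "IPAddress": "20.0.0.10"},
    {"TimeGenerated": "2024-05-08T02:00:00Z", "ResultType": "0", "ResourceDisplayName": ARM_API,
     "ServicePrincipalId": "sp-deploy", "ServicePrincipalName": "ci-deploy", "IPAddress": "20.0.0.10"},
    # Detection window: normal run from the known IP (no alert)
    {"TimeGenerated": "2024-05-14T10:00:00Z", "ResultType": "0", "ResourceDisplayName": ARM_API,
     "ServicePrincipalId": "sp-deploy", "ServicePrincipalName": "ci-deploy", "IPAddress": "20.0.0.10"},
    # Failed sign-in with a bad secret (ignored: not a success)
    {"TimeGenerated": "2024-05-14T12:29:00Z", "ResultType": "7000215", "ResourceDisplayName": ARM_API,
     "ServicePrincipalId": "sp-deploy", "ServicePrincipalName": "ci-deploy", "IPAddress": "198.51.100.7"},
    # Same service principal, successful, from an IP never seen in the baseline (alert)
    {"TimeGenerated": "2024-05-14T12:30:00Z", "ResultType": "0", "ResourceDisplayName": ARM_API,
     "ServicePrincipalId": "sp-deploy", "ServicePrincipalName": "ci-deploy", "IPAddress": "198.51.100.7"},
    # A service principal that has never signed in to ARM before (alert)
    {"TimeGenerated": "2024-05-14T13:00:00Z", "ResultType": "0", "ResourceDisplayName": ARM_API,
     "ServicePrincipalId": "sp-audit", "ServicePrincipalName": "sec-audit", "IPAddress": "203.0.113.5"},
    # Sign-in to a different resource (ignored: not ARM)
    {"TimeGenerated": "2024-05-14T14:00:00Z", "ResultType": "0", "ResourceDisplayName": "Microsoft Graph",
     "ServicePrincipalId": "sp-graph", "ServicePrincipalName": "mailer", "IPAddress": "203.0.113.9"},
]


def parse_ts(value):
    """Parse the 'Z'-suffixed UTC timestamps used in the sample rows."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def successful_arm_signins(rows):
    """The page's where-clause: ResultType == "0" and resource is the ARM API."""
    return [r for r in rows if r["ResultType"] == "0" and r["ResourceDisplayName"] == ARM_API]


def build_baseline(rows, start, end):
    """Map ServicePrincipalId -> set of source IPs seen in [start, end)."""
    baseline = defaultdict(set)
    for r in successful_arm_signins(rows):
        if start <= parse_ts(r["TimeGenerated"]) < end:
            baseline[r["ServicePrincipalId"]].add(r["IPAddress"])
    return baseline


def detect(rows, baseline, window_start):
    """Alert on successful ARM sign-ins at/after window_start that deviate from the baseline."""
    alerts = []
    for r in successful_arm_signins(rows):
        if parse_ts(r["TimeGenerated"]) < window_start:
            continue
        sp_id = r["ServicePrincipalId"]
        if sp_id not in baseline:
            reason = "first ARM sign-in for this service principal"
        elif r["IPAddress"] not in baseline[sp_id]:
            reason = "ARM sign-in from IP not seen in baseline"
        else:
            continue
        alerts.append({"TimeGenerated": r["TimeGenerated"], "ServicePrincipalName": r["ServicePrincipalName"],
                       "IPAddress": r["IPAddress"], "reason": reason})
    return alerts


def run_detection(rows=SAMPLE_LOGS, now=datetime(2024, 5, 15, tzinfo=timezone.utc), baseline_days=14):
    """Baseline the preceding `baseline_days`, then detect over the last 24 hours."""
    window_start = now - timedelta(days=1)
    baseline = build_baseline(rows, now - timedelta(days=baseline_days), window_start)
    return detect(rows, baseline, window_start)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The failed sign-in with result code 7000215 just before the successful one from the same new IP is the pattern to look for around credential misuse; the example drops failures from the baseline and the alerts, but a production rule would correlate them. The baseline keyed on source IP is deliberately simple; a real rule would also key on the credential key ID and the time of day each service principal normally runs.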
Detection Screenshots#
Additional Resources