
AZT501.2 - Account Manipulation: Service Principal Manipulation

An adversary may manipulate a service principal (enable it, add a credential to it, or add themselves as an owner) to maintain access in an Azure tenant.

Resource

Azure Active Directory

Actions

  • microsoft.directory/servicePrincipals/enable
  • microsoft.directory/servicePrincipals/credentials/update
  • microsoft.directory/servicePrincipals/owners/update

Detections

Logs

| Data Source | Operation Name | Action | Log Provider |
|---|---|---|---|
| Azure Active Directory | Update application – Certificates and secrets management | microsoft.directory/servicePrincipals/credentials/update | AuditLogs |
| Azure Active Directory | Update service principal | microsoft.directory/servicePrincipals/credentials/update | AuditLogs |
| Azure Active Directory | Update user | microsoft.directory/users/password/update | AuditLogs |

Queries

Platform: Log Analytics

The operations above are Azure AD audit events, which land in the AuditLogs table when diagnostic settings export them to Log Analytics (AzureActivity only carries the ARM activity log), so the query has to run against AuditLogs:

```kql
AuditLogs
| where OperationName in ('Update application – Certificates and secrets management', 'Update service principal', 'Update user')
```
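A name match on OperationName alone produces one row for every routine edit of a service principal, so triage usually has to look at what changed. As an added example (not part of the AzTRM page or any Microsoft tooling), the Python below runs the same detection over constructed records shaped like AuditLogs rows (OperationName, Result, InitiatedBy, TargetResources with modifiedProperties) and raises the priority of findings where a credential was added or AccountEnabled was flipped to true. The property names (KeyDescription, AccountEnabled) and the JSON-encoded old/new value format are assumptions about the audit schema; all record values are made up for this example.

```python
import json
from dataclasses import dataclass, field

# Operation names from the page's Logs table (Azure AD audit events in the AuditLogs table).
WATCHED_OPERATIONS = {
    "Update application – Certificates and secrets management",
    "Update service principal",
    "Update user",
}

# Assumed modifiedProperties.displayName values that indicate credential or enable changes.
CREDENTIAL_PROPERTIES = {"KeyDescription", "PasswordCredentials", "KeyCredentials"}
ENABLE_PROPERTY = "AccountEnabled"


@dataclass
class Finding:
    operation: str
    actor: str
    target: str
    target_type: str
    changed: list = field(default_factory=list)
    credentials_added: int = 0   # net new key descriptors parsed from the credential property
    enabled: bool = False        # AccountEnabled changed to true


def _actor(record):
    """Audit records are initiated either by a user (UPN) or by an app (displayName)."""
    init = record.get("InitiatedBy", {})
    if "user" in init:
        return init["user"].get("userPrincipalName", "<unknown user>")
    if "app" in init:
        return init["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def _key_count(value):
    """Assumed format: old/newValue hold a JSON-encoded array, one entry per credential."""
    try:
        parsed = json.loads(value) if value else []
    except json.JSONDecodeError:
        return 0
    return len(parsed) if isinstance(parsed, list) else 0


def detect(records):
    """Return one Finding per targeted resource of each successful watched operation."""
    findings = []
    for rec in records:
        if rec.get("OperationName") not in WATCHED_OPERATIONS:
            continue
        if rec.get("Result", "success") != "success":
            continue  # a denied attempt is still interesting, but not a persistence success
        for target in rec.get("TargetResources", []):
            f = Finding(rec["OperationName"], _actor(rec),
                        target.get("displayName") or target.get("id", "?"),
                        target.get("type", "?"))
            for prop in target.get("modifiedProperties", []):
                name = prop.get("displayName", "")
                f.changed.append(name)
                if name in CREDENTIAL_PROPERTIES:
                    delta = _key_count(prop.get("newValue")) - _key_count(prop.get("oldValue"))
                    f.credentials_added += max(0, delta)
                if name == ENABLE_PROPERTY and json.loads(prop.get("newValue") or "null") is True:
                    f.enabled = True
            findings.append(f)
    return findings


def high_priority(findings):
    """Findings where a credential was added or a disabled principal was re-enabled."""
    return [f for f in findings if f.credentials_added or f.enabled]


# Constructed sample records (values are made up; the shape approximates AuditLogs rows).
SAMPLE_AUDIT_LOGS = [
    {   # a user adds a password credential to a service principal
        "OperationName": "Update service principal", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
        "TargetResources": [{"type": "ServicePrincipal", "displayName": "backup-automation",
            "modifiedProperties": [{"displayName": "KeyDescription", "oldValue": "[]",
                "newValue": '["[KeyIdentifier=0000,KeyType=Password,KeyUsage=Verify,DisplayName=]"]'}]}],
    },
    {   # an app re-enables a previously disabled service principal
        "OperationName": "Update service principal", "Result": "success",
        "InitiatedBy": {"app": {"displayName": "Provisioning Job"}},
        "TargetResources": [{"type": "ServicePrincipal", "displayName": "legacy-sync",
            "modifiedProperties": [{"displayName": "AccountEnabled", "oldValue": "false", "newValue": "true"}]}],
    },
    {   # a routine rename: matches the operation name but changes nothing security relevant
        "OperationName": "Update service principal", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
        "TargetResources": [{"type": "ServicePrincipal", "displayName": "reporting-api",
            "modifiedProperties": [{"displayName": "DisplayName", "oldValue": '"reporting-api"', "newValue": '"reporting-api-v2"'}]}],
    },
    {   # failed attempt: excluded by the Result filter
        "OperationName": "Update application – Certificates and secrets management", "Result": "failure",
        "InitiatedBy": {"user": {"userPrincipalName": "mallory@contoso.example"}},
        "TargetResources": [{"type": "Application", "displayName": "finance-app", "modifiedProperties": []}],
    },
    {"OperationName": "Add user", "Result": "success", "InitiatedBy": {}, "TargetResources": []},
]

if __name__ == "__main__":
    for f in high_priority(detect(SAMPLE_AUDIT_LOGS)):
        print(f"{f.operation}: {f.actor} -> {f.target} ({f.target_type}) "
              f"creds_added={f.credentials_added} enabled={f.enabled} changed={f.changed}")
```

The same split (match on OperationName, then inspect TargetResources[0].modifiedProperties for KeyDescription or AccountEnabled) can be expressed in KQL with mv-expand once the records are in Log Analytics; the Python version is only here so the logic can be exercised offline against the constructed rows.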
