AZT501.2 - Account Manipulation: Service Principal Manipulation#

An adverary may manipulate a service principal to maintain access in an Azure tenant

Resource

Azure Active Directory

Actions

microsoft.directory/servicePrincipals/enable
microsoft.directory/servicePrincipals/credentials/update
microsoft.directory/servicePrincipals/owners/update

Examples

Az PowerShellAzure CLIMicrosoft Graph APIAzure Portal

Update-AzADServicePrincipal

az ad sp update

PATCH https://graph.microsoft.com/v1.0/servicePrincipals/{id}

directorylogs

Detections

Logs#

Data Source	Operation Name	Action	Log Location
Azure Active Directory	Update application – Certificates and secrets management	microsoft.directory/servicePrincipals/credentials/update	AzureAD Audit Logs
Azure Active Directory	Update service principal	microsoft.directory/servicePrincipals/credentials/update	AzureAD Audit Logs
Azure Active Directory	Update user	microsoft.directory/users/password/update	AzureAD Audit Logs

Queries#

Log Analytics

|where OperationName =="Update application – Certificates and secrets management" or OperationName =="Update service principal" or OperationName =="Update user"

Additional Resources

https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals