AZT502.2 - Account Creation: Service Principal Creation
An adversary may create an application & service principal in Azure Active Directory.
Resource
Azure Active Directory
Actions
- microsoft.directory/servicePrincipals/create
- microsoft.directory/applications/create
Examples
Detections
Logs
| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Azure Active Directory | Add service principal | microsoft.directory/servicePrincipals/create | AzureAD Audit Logs |
| Azure Active Directory | Add application | microsoft.directory/applications/create | AzureAD Audit Logs |
| Azure Active Directory | Add owner to application | microsoft.directory/servicePrincipals/owners/update | AzureAD Audit Logs |
Queries
AuditLogs
| where OperationName == "Add service principal" or OperationName == "Add application" or OperationName == "Add owner to application"
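
The query above returns raw events. As an added example (not part of the original page), the version below groups the same three operations by initiator so that one identity both creating an application or service principal and adding an owner in the same window stands out. It assumes the standard Log Analytics AuditLogs columns (TimeGenerated, Result, InitiatedBy, TargetResources); the lookback and window values are assumptions to tune.

```kql
// Added example: triage view over the three operations listed in the Logs table.
let lookback = 7d;   // assumption: adjust to your retention and review cadence
let window = 1h;     // assumption: how close creation and owner assignment must be
AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName in ("Add service principal", "Add application", "Add owner to application")
| where Result =~ "success"
// The initiator is either a user or an application; keep whichever is populated.
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
| extend ActorIp = tostring(InitiatedBy.user.ipAddress)
// One row per target object so names and ids can be collected per actor.
| mv-expand Target = TargetResources
| extend TargetName = tostring(Target.displayName),
         TargetId = tostring(Target.id)
| summarize Operations = make_set(OperationName),
            Targets = make_set(TargetName),
            TargetIds = make_set(TargetId),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Actor, ActorIp, bin(TimeGenerated, window)
// Flag windows where the same actor created an object and also assigned an owner.
| extend CreatedObject = set_has_element(Operations, "Add service principal")
                      or set_has_element(Operations, "Add application")
| extend AddedOwner = set_has_element(Operations, "Add owner to application")
| extend CreatedAndAssignedOwner = CreatedObject and AddedOwner
| project FirstSeen, LastSeen, Actor, ActorIp, Operations, Targets, TargetIds,
          CreatedAndAssignedOwner
| order by CreatedAndAssignedOwner desc, FirstSeen desc
```

Rows where CreatedAndAssignedOwner is true are the ones to review first against expected provisioning activity.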