
AZT404.4 - Principal Impersonation: App Service

An attacker who holds write permission over an App Service (Microsoft.Web/sites/write) can change what the app runs, for example by deploying new content or altering its configuration, so that attacker-controlled code executes inside the app. That code can then obtain access tokens for whatever identity the app is configured with, a managed identity (via the local token endpoint the platform exposes to the app through IDENTITY_ENDPOINT and IDENTITY_HEADER) or another identity provider, and use them to perform Azure operations as that principal against any resource the identity has been granted access to.
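As an added example, not part of the AzTRM entry, the token request that code running inside an App Service makes for the app's managed identity. The request shape (a GET to the URL in IDENTITY_ENDPOINT with `resource` and `api-version=2019-08-01` query parameters and an `X-IDENTITY-HEADER` header carrying the IDENTITY_HEADER value) is Microsoft's documented App Service managed identity protocol; the stub server standing in for the platform endpoint, its port, the header secret and the returned token value are constructed here so the example runs offline. It also shows the check a practitioner should expect: a request without the correct IDENTITY_HEADER value is refused, which is the control the platform relies on to keep the endpoint from being abused through SSRF.

```python
"""
Added example (not from the AzTRM page): how code inside an App Service obtains
an access token for the app's managed identity.

Request shape is Microsoft's documented protocol:
  GET <IDENTITY_ENDPOINT>?resource=<r>&api-version=2019-08-01
  X-IDENTITY-HEADER: <IDENTITY_HEADER>
The stub server, header secret and token value below are constructed.
"""
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MSI_API_VERSION = "2019-08-01"
ARM_RESOURCE = "https://management.azure.com/"

# Constructed stand-ins for the per-instance secret and the token the platform would mint.
STUB_IDENTITY_HEADER = "constructed-identity-header-secret"
STUB_ACCESS_TOKEN = "eyJ.constructed.token"


class StubIdentityEndpoint(BaseHTTPRequestHandler):
    """Minimal imitation of the platform identity endpoint: checks the
    X-IDENTITY-HEADER secret and the required query parameters, then returns a token."""

    def do_GET(self):
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(self.path).query)
        if self.headers.get("X-IDENTITY-HEADER") != STUB_IDENTITY_HEADER:
            self._reply(401, {"error": "invalid identity header"})
            return
        if "resource" not in params or params.get("api-version") != [MSI_API_VERSION]:
            self._reply(400, {"error": "resource and api-version are required"})
            return
        self._reply(200, {
            "access_token": STUB_ACCESS_TOKEN,
            "expires_on": "1700000000",
            "resource": params["resource"][0],
            "token_type": "Bearer",
            "client_id": "00000000-0000-0000-0000-000000000000",  # constructed
        })

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_stub_endpoint():
    """Start the stub on an ephemeral localhost port; returns (server, endpoint_url)."""
    server = HTTPServer(("127.0.0.1", 0), StubIdentityEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/MSI/token"


def get_managed_identity_token(endpoint, identity_header, resource=ARM_RESOURCE):
    """Request a token for `resource` exactly as app code does on App Service, where
    `endpoint` and `identity_header` come from the IDENTITY_ENDPOINT and
    IDENTITY_HEADER environment variables."""
    query = urllib.parse.urlencode({"resource": resource, "api-version": MSI_API_VERSION})
    req = urllib.request.Request(f"{endpoint}?{query}",
                                 headers={"X-IDENTITY-HEADER": identity_header})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def token_or_status(endpoint, identity_header, resource=ARM_RESOURCE):
    """Return the token response, or the HTTP status code if the endpoint refuses."""
    try:
        return get_managed_identity_token(endpoint, identity_header, resource)
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    server, endpoint = start_stub_endpoint()
    # On a real App Service these two values are read from os.environ instead.
    tok = get_managed_identity_token(endpoint, STUB_IDENTITY_HEADER)
    print("token for", tok["resource"], "->", tok["access_token"][:8] + "...")
    print("wrong secret ->", token_or_status(endpoint, "not-the-secret"))
    server.shutdown()
```

The bearer token returned for `https://management.azure.com/` is what the attacker then presents to Azure Resource Manager, so every subsequent ARM call is attributed to the app's identity rather than to the attacker's own account.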

Resource

App Service

Actions

  • Microsoft.Web/sites/write

Detections

Logs

| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Resource | Update website | Microsoft.Web/sites/write | Azure Activity Logs |
| Resource | Start Web App | Microsoft.Web/sites/start/action | Azure Activity Logs |

Queries

AzureActivity
| where OperationNameValue in ("Microsoft.Web/sites/write", "Microsoft.Web/sites/start/action")
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue, ResourceId
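As an added example, not part of the AzTRM entry, the filter above run in Python over a few constructed AzureActivity rows so the detection logic can be exercised offline. Column names (TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue, ResourceId) follow the AzureActivity table schema; the callers, addresses, resource IDs and timestamps are constructed. It also adds the two steps a practitioner needs before this query is useful: keeping only completed operations, since the activity log records a Start row and then a Success or Failure row for one call, and removing identities that are expected to write to App Services, because every legitimate deployment produces exactly the same Microsoft.Web/sites/write event.

```python
"""
Added example, not from the AzTRM page: the Queries filter applied in Python to
constructed AzureActivity rows. Column names follow the AzureActivity schema;
callers, IPs, resource IDs and timestamps are constructed sample data.
"""
from collections import defaultdict

# The two operations the detection keys on (same values as the KQL query).
WATCHED_OPERATIONS = {
    "Microsoft.Web/sites/write",         # update the site: code, configuration, settings
    "Microsoft.Web/sites/start/action",  # start a stopped web app
}

SITE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"
           "/providers/Microsoft.Web/sites/contoso-web")  # constructed


def _row(time, caller, ip, op, status, resource=SITE_ID):
    return {"TimeGenerated": time, "Caller": caller, "CallerIpAddress": ip,
            "OperationNameValue": op, "ActivityStatusValue": status, "ResourceId": resource}


# Constructed sample rows. The activity log records a Start row and then a
# Success (or Failure) row for one write call, so one change appears twice.
SAMPLE_ACTIVITY = [
    _row("2024-05-01T10:00:00Z", "deploy-pipeline@contoso.example", "203.0.113.10",
         "Microsoft.Web/sites/write", "Success"),
    _row("2024-05-01T10:05:00Z", "alice@contoso.example", "198.51.100.7",
         "Microsoft.Web/sites/write", "Start"),
    _row("2024-05-01T10:05:02Z", "alice@contoso.example", "198.51.100.7",
         "Microsoft.Web/sites/write", "Success"),
    _row("2024-05-01T10:06:00Z", "alice@contoso.example", "198.51.100.7",
         "Microsoft.Web/sites/start/action", "Success"),
    _row("2024-05-01T10:07:00Z", "bob@contoso.example", "198.51.100.9",
         "Microsoft.Web/sites/read", "Success"),
]


def match_app_service_operations(records, statuses=("Success",)):
    """Python equivalent of the KQL `where OperationNameValue in (...)` filter.
    Keeping only completed operations collapses the Start/Success pair to one hit."""
    return [r for r in records
            if r["OperationNameValue"] in WATCHED_OPERATIONS
            and r["ActivityStatusValue"] in statuses]


def summarize_by_caller(hits):
    """Group hits as (Caller, ResourceId) -> operations in time order, the view an
    analyst needs to see who changed which site and whether they then started it."""
    summary = defaultdict(list)
    for r in sorted(hits, key=lambda r: r["TimeGenerated"]):
        summary[(r["Caller"], r["ResourceId"])].append(r["OperationNameValue"])
    return dict(summary)


def unexpected_callers(hits, expected_callers):
    """Drop hits from identities expected to write to App Services (for example a
    CI/CD service principal). The raw query fires on every legitimate deployment,
    so this allowlist step is what turns it into a lead worth reviewing."""
    return [r for r in hits if r["Caller"] not in expected_callers]


if __name__ == "__main__":
    hits = match_app_service_operations(SAMPLE_ACTIVITY)
    for (caller, resource), ops in summarize_by_caller(hits).items():
        print(f"{caller} on {resource.rsplit('/', 1)[-1]}: {', '.join(ops)}")
    for r in unexpected_callers(hits, {"deploy-pipeline@contoso.example"}):
        print("REVIEW:", r["TimeGenerated"], r["Caller"], r["CallerIpAddress"],
              r["OperationNameValue"])
```

A write followed shortly by a start on the same site from a caller outside the deployment allowlist is the pattern worth triaging first: it is what an attacker who has just replaced the app's code or configuration and needs it running looks like in the activity log.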