
AZT405.2 - Azure AD Application: Application API Permissions

By compromising a service principal whose application has been granted privileged API permissions, an attacker can escalate to a higher privileged role. Application permissions (as opposed to delegated permissions) belong to the application itself: whoever holds the service principal's credential, typically a client secret or certificate, can request an access token through the client credentials flow and act with those permissions without any user being involved. If the granted permissions allow directory role or app role assignment to be modified, the attacker can use them to grant themselves, or another principal they control, a privileged directory role.

Resource

Azure Active Directory

Actions

Since the attacker already controls the application's credential and the API permissions are already consented, no further setup is needed: the attacker simply authenticates as the service principal and uses the permissions it holds.

Detections

Logs

| Data Source | Operation Name | Action | Log Provider |
| --- | --- | --- | --- |
| Azure Active Directory | N/A | N/A | AADServicePrincipalSignInLogs |

Queries

| Platform | Query |
| --- | --- |
| Log Analytics | `AADServicePrincipalSignInLogs \| where ServicePrincipalId == 'IDGOESHERE'` |

ServicePrincipalId is the object ID of the service principal, not the application (client) ID; the latter is available in the AppId column of the same table. Because the client credentials flow involves no user, these sign-ins do not appear in the user SigninLogs table, so a detection built on user sign-ins alone will miss this technique.
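The following Python script is an added example, not part of the AzTRM page or an Azure product, showing the Log Analytics query above applied offline to constructed AADServicePrincipalSignInLogs-style records, and extending it with the check a responder usually wants next: successful service principal sign-ins from a source IP or to a target resource that the principal never used during a baseline period. The service principal IDs, names, IP addresses, timestamps and result codes in the sample data are all made up for the example; the column names (TimeGenerated, ServicePrincipalId, AppId, IPAddress, ResourceDisplayName, ResultType) match the real table, but the records themselves are not real tenant data.

```python
import json
from datetime import datetime

# Constructed sample rows shaped like AADServicePrincipalSignInLogs (not real tenant data).
# ResultType "0" is a successful sign-in; any other value is a failure code.
SAMPLE_LOG_LINES = """
{"TimeGenerated":"2024-03-01T08:00:00Z","ServicePrincipalId":"8f2c7f4e-0c1b-4b1e-9d2a-1d3e5f7a9b0c","ServicePrincipalName":"billing-sync","AppId":"c0ffee00-1111-2222-3333-444455556666","IPAddress":"40.112.10.5","ResourceDisplayName":"Microsoft Graph","ResultType":"0"}
{"TimeGenerated":"2024-03-01T09:00:00Z","ServicePrincipalId":"8f2c7f4e-0c1b-4b1e-9d2a-1d3e5f7a9b0c","ServicePrincipalName":"billing-sync","AppId":"c0ffee00-1111-2222-3333-444455556666","IPAddress":"40.112.10.5","ResourceDisplayName":"Microsoft Graph","ResultType":"0"}
{"TimeGenerated":"2024-03-01T10:00:00Z","ServicePrincipalId":"3a9b1c2d-4e5f-4a6b-8c7d-9e0f1a2b3c4d","ServicePrincipalName":"inventory-bot","AppId":"deadbeef-aaaa-bbbb-cccc-ddddeeeeffff","IPAddress":"40.112.10.6","ResourceDisplayName":"Microsoft Graph","ResultType":"0"}
{"TimeGenerated":"2024-03-02T08:00:00Z","ServicePrincipalId":"8f2c7f4e-0c1b-4b1e-9d2a-1d3e5f7a9b0c","ServicePrincipalName":"billing-sync","AppId":"c0ffee00-1111-2222-3333-444455556666","IPAddress":"40.112.10.5","ResourceDisplayName":"Microsoft Graph","ResultType":"0"}
{"TimeGenerated":"2024-03-03T02:13:00Z","ServicePrincipalId":"8f2c7f4e-0c1b-4b1e-9d2a-1d3e5f7a9b0c","ServicePrincipalName":"billing-sync","AppId":"c0ffee00-1111-2222-3333-444455556666","IPAddress":"203.0.113.77","ResourceDisplayName":"Microsoft Graph","ResultType":"7000215"}
{"TimeGenerated":"2024-03-03T02:15:00Z","ServicePrincipalId":"8f2c7f4e-0c1b-4b1e-9d2a-1d3e5f7a9b0c","ServicePrincipalName":"billing-sync","AppId":"c0ffee00-1111-2222-3333-444455556666","IPAddress":"203.0.113.77","ResourceDisplayName":"Microsoft Graph","ResultType":"0"}
{"TimeGenerated":"2024-03-03T02:20:00Z","ServicePrincipalId":"8f2c7f4e-0c1b-4b1e-9d2a-1d3e5f7a9b0c","ServicePrincipalName":"billing-sync","AppId":"c0ffee00-1111-2222-3333-444455556666","IPAddress":"203.0.113.77","ResourceDisplayName":"Windows Azure Service Management API","ResultType":"0"}
"""

# The service principal object ID we are investigating (constructed, stands in for 'IDGOESHERE').
SP_ID = "8f2c7f4e-0c1b-4b1e-9d2a-1d3e5f7a9b0c"


def load_rows(text):
    """Parse newline-delimited JSON records into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value):
    """TimeGenerated is UTC ISO 8601 with a trailing Z, as exported from Log Analytics."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def signins_for(rows, sp_id):
    """Equivalent of: AADServicePrincipalSignInLogs | where ServicePrincipalId == sp_id."""
    return [r for r in rows if r["ServicePrincipalId"] == sp_id]


def anomalous_signins(rows, sp_id, baseline_end):
    """Flag successful sign-ins after baseline_end whose source IP or target resource
    never appeared in the principal's successful sign-ins up to baseline_end.

    A service principal driven by automation normally authenticates from a fixed set of
    addresses to a fixed set of resources, so a first-seen IP or resource is a strong
    signal that someone else is holding its credential.
    """
    cutoff = parse_ts(baseline_end)
    mine = [r for r in signins_for(rows, sp_id) if r["ResultType"] == "0"]
    baseline = [r for r in mine if parse_ts(r["TimeGenerated"]) <= cutoff]
    known_ips = {r["IPAddress"] for r in baseline}
    known_resources = {r["ResourceDisplayName"] for r in baseline}

    findings = []
    for r in mine:
        if parse_ts(r["TimeGenerated"]) <= cutoff:
            continue
        reasons = []
        if r["IPAddress"] not in known_ips:
            reasons.append("new source IP")
        if r["ResourceDisplayName"] not in known_resources:
            reasons.append("new target resource")
        if reasons:
            findings.append({
                "TimeGenerated": r["TimeGenerated"],
                "IPAddress": r["IPAddress"],
                "ResourceDisplayName": r["ResourceDisplayName"],
                "reasons": reasons,
            })
    return findings


def failed_attempts_from(rows, sp_id, ip):
    """Count failed sign-ins for the principal from one IP; failures just before a success
    from a new address suggest the attacker was trying more than one credential."""
    return sum(1 for r in signins_for(rows, sp_id)
               if r["IPAddress"] == ip and r["ResultType"] != "0")


ROWS = load_rows(SAMPLE_LOG_LINES)

if __name__ == "__main__":
    for f in anomalous_signins(ROWS, SP_ID, "2024-03-02T23:59:59Z"):
        print(f["TimeGenerated"], f["IPAddress"], f["ResourceDisplayName"], ", ".join(f["reasons"]))
        print("  failed attempts from that IP:", failed_attempts_from(ROWS, SP_ID, f["IPAddress"]))
```

Against the sample data the baseline for billing-sync is a single datacenter address and a single resource, so both sign-ins on 2024-03-03 from the unfamiliar address are flagged, and the second one additionally because it targets the Azure Service Management API, which the principal had never used before; the failed attempt two minutes earlier from the same address is what a triage analyst would check first. Run in production, the baseline window should be long enough to cover the principal's normal job schedule, and the cutoff should be the point at which you suspect the credential was exposed.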

Azure Monitor Alert

Deploy to Azure