AZT405.3 - Azure AD Application: Application Registration Owner

By compromising an account that is an 'Owner' of an application configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials and logging in as the service principal.

Resource

Azure Active Directory

Actions

  • microsoft.directory/servicePrincipals/credentials/update

Detections

Logs

| Data Source | Operation Name | Category | Log Provider |
|---|---|---|---|
| Azure AD | Update application – Certificates and secrets management | ApplicationManagement | AuditLogs |

Queries

Platform: Log Analytics

Query:

    AuditLogs
    | where OperationName == 'Update application – Certificates and secrets management' and Category == 'ApplicationManagement'
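
The query above matches any change to an application's certificates and secrets. As an added example (not part of the original page or its project), the Python code below applies the same filter to exported AuditLogs records and keeps only events in which a credential was added, reporting who added it and to which application. The field names (`InitiatedBy`, `TargetResources`, `modifiedProperties`, `KeyDescription`) follow the Azure AD audit log schema; the sample records, the application name and the key-description value format are constructed assumptions.

```python
import json
# Operation name and category exactly as in the page's query (note the en dash).
OPERATION = "Update application – Certificates and secrets management"
CATEGORY = "ApplicationManagement"

def key_set(raw):
    """Parse a KeyDescription old/new value (JSON-encoded list) into a set."""
    try:
        return set(json.loads(raw or "[]"))
    except (TypeError, ValueError):
        return set()

def added_credentials(records):
    """Return one finding per application whose credential list gained an entry."""
    findings = []
    for rec in records:
        if rec.get("OperationName") != OPERATION or rec.get("Category") != CATEGORY:
            continue
        user = (rec.get("InitiatedBy") or {}).get("user") or {}
        for target in rec.get("TargetResources") or []:
            for prop in target.get("modifiedProperties") or []:
                if prop.get("displayName") != "KeyDescription":
                    continue
                # Entries present after the change but not before are new credentials.
                added = key_set(prop.get("newValue")) - key_set(prop.get("oldValue"))
                if added:
                    findings.append({"time": rec.get("TimeGenerated"),
                                     "actor": user.get("userPrincipalName"),
                                     "application": target.get("displayName"),
                                     "added": sorted(added)})
    return findings

# Constructed sample data (not real tenant logs); the value format is an assumption.
OLD_KEY = "[KeyIdentifier=k1,KeyType=Password,KeyUsage=Verify,DisplayName=ci]"
NEW_KEY = "[KeyIdentifier=k2,KeyType=Password,KeyUsage=Verify,DisplayName=tmp]"
def make_record(time, upn, old, new, op=OPERATION):
    return {"TimeGenerated": time, "OperationName": op, "Category": CATEGORY,
            "InitiatedBy": {"user": {"userPrincipalName": upn}},
            "TargetResources": [{"displayName": "payroll-sync", "modifiedProperties": [
                {"displayName": "KeyDescription",
                 "oldValue": json.dumps(old), "newValue": json.dumps(new)}]}]}

SAMPLE = [  # credential added, credential removed, unrelated operation
    make_record("2024-01-01T10:00:00Z", "owner@example.com", [OLD_KEY], [OLD_KEY, NEW_KEY]),
    make_record("2024-01-01T11:00:00Z", "admin@example.com", [OLD_KEY, NEW_KEY], [OLD_KEY]),
    make_record("2024-01-01T12:00:00Z", "admin@example.com", [], [NEW_KEY], op="Update application"),
]

if __name__ == "__main__":
    print(added_credentials(SAMPLE))
```

Only the first constructed record is reported: the second removes a credential and the third carries a different operation name.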

Azure Monitor Alert

Deploy to Azure