AZT405.3 - Azure AD Application: Application Registration Owner

By compromising an account that is an 'Owner' of an application configured with additional roles or API permissions, an attacker can escalate privileges by adding a certificate or credentials and logging in as the service principal.

Resource

Azure Active Directory

Actions

  • microsoft.directory/servicePrincipals/credentials/update

Detections

Logs

| Data Source | Operation Name | Category | Log Location |
|---|---|---|---|
| Azure AD | Update application – Certificates and secrets management | ApplicationManagement | AzureAD Audit Logs |

Queries

// Certificate and secret changes on application registrations
AuditLogs
| where OperationName == "Update application – Certificates and secrets management" and Category == "ApplicationManagement"
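The query above returns every matching event. The following added example (not part of the original page) extends it to show who added which credential to which application. It assumes the standard AuditLogs columns `Result`, `InitiatedBy` and `TargetResources`, and that the `KeyDescription` modified property carries JSON arrays of key descriptors in `oldValue` and `newValue`. The `SampleAuditLogs` rows, names and addresses are constructed.

```kql
// Constructed sample rows (not real tenant data) shaped like the AuditLogs table.
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, Category:string,
                                Result:string, InitiatedBy:dynamic, TargetResources:dynamic)
[
    datetime(2024-01-10 09:15:00), "Update application – Certificates and secrets management",
    "ApplicationManagement", "success",
    dynamic({"user":{"userPrincipalName":"owner@contoso.example","ipAddress":"203.0.113.10"}}),
    dynamic([{"type":"Application","displayName":"Sample-App",
              "id":"00000000-0000-0000-0000-000000000001",
              "modifiedProperties":[{"displayName":"KeyDescription",
                  "oldValue":"[]",
                  "newValue":"[\"[KeyIdentifier=sample-key-1,KeyType=Password,KeyUsage=Verify,DisplayName=new-secret]\"]"}]}]),
    // Unrelated application update: must not match.
    datetime(2024-01-10 09:20:00), "Update application",
    "ApplicationManagement", "success",
    dynamic({"user":{"userPrincipalName":"admin@contoso.example","ipAddress":"203.0.113.20"}}),
    dynamic([{"type":"Application","displayName":"Other-App",
              "id":"00000000-0000-0000-0000-000000000002","modifiedProperties":[]}])
];
SampleAuditLogs   // replace with AuditLogs when running in a Log Analytics workspace
| where OperationName == "Update application – Certificates and secrets management"
    and Category == "ApplicationManagement"
| where Result =~ "success"
// One row per target resource, then one row per modified property.
| mv-expand Target = TargetResources
| mv-expand Property = Target.modifiedProperties
| where tostring(Property.displayName) == "KeyDescription"
// oldValue/newValue are JSON-encoded strings; decode them into arrays.
| extend OldKeys = todynamic(tostring(Property.oldValue)),
         NewKeys = todynamic(tostring(Property.newValue))
// Keep only events that introduced a key that was not present before
// (a credential removal leaves AddedKeys empty).
| extend AddedKeys = set_difference(NewKeys, OldKeys)
| where array_length(AddedKeys) > 0
| project TimeGenerated,
          Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                           tostring(InitiatedBy.app.displayName)),
          ActorIp = tostring(InitiatedBy.user.ipAddress),
          AppName = tostring(Target.displayName),
          AppObjectId = tostring(Target.id),
          AddedKeys
```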