AZT405.3 - Azure AD Application: Application Registration Owner#

By compromising an account who is an 'Owner' over an application that is configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials & logging in as the service principal.

Resource

Azure Active Directory

Actions

microsoft.directory/servicePrincipals/credentials/update

Examples

Azure PowerShellaz cliAzure REST APIAzure Portal

New-AzADSpCredential -ServicePrincipalName ServicePrincipalName

az ad sp credential reset

POST /servicePrincipals/{id}/addKey

AppOwner

Detections

Logs#

Data Source	Operation Name	Category	Log Location
Azure AD	Update application – Certificates and secrets management	ApplicationManagement	AzureAD Audit Logs

Queries#

Log Analytics

AuditLogs 
|where OperationName =="Update application – Certificates and secrets management" and Category=="ApplicationManagement"

Additional Resources

https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-8.0.0#reset-credentials