AZT405.3 - Azure AD Application: Application Registration Owner
By compromising an account that is an 'Owner' of an application configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials and logging in as the service principal.
Resource
Azure Active Directory
Actions
- microsoft.directory/servicePrincipals/credentials/update
Examples
Detections
Logs
| Data Source | Operation Name | Category | Log Location |
|---|---|---|---|
| Azure AD | Update application – Certificates and secrets management | ApplicationManagement | AzureAD Audit Logs |
Queries
AuditLogs
| where OperationName == "Update application – Certificates and secrets management" and Category == "ApplicationManagement"
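
The query above returns every certificate or secret change, including removals. The following added example (not part of the original page or of the project it belongs to) triages exported audit records offline and keeps only events where a credential was added, reporting who added it and to which application. It assumes records shaped like AuditLogs rows exported as JSON and a `KeyDescription` modified property holding JSON-encoded lists; `added_credentials`, `parse_keys`, `make_event` and all sample values are constructed for illustration.

```python
import json

# Substring match avoids depending on the exact dash character in the name.
OPERATION = "Certificates and secrets management"

def parse_keys(raw):
    # Assumption: KeyDescription old/new values are JSON-encoded string lists.
    try:
        return set(json.loads(raw or "[]"))
    except (TypeError, ValueError):
        return set()

def added_credentials(records):
    """Return one finding per credential that newValue has and oldValue lacks."""
    findings = []
    for rec in records:
        if (rec.get("Category") != "ApplicationManagement"
                or OPERATION not in rec.get("OperationName", "")):
            continue
        who = rec.get("InitiatedBy") or {}
        actor = ((who.get("user") or {}).get("userPrincipalName")
                 or (who.get("app") or {}).get("displayName") or "unknown")
        for target in rec.get("TargetResources") or []:
            for prop in target.get("modifiedProperties") or []:
                if prop.get("displayName") == "KeyDescription":
                    new = parse_keys(prop.get("newValue")) - parse_keys(prop.get("oldValue"))
                    findings += [{"actor": actor, "app": target.get("displayName"),
                                  "credential": k} for k in sorted(new)]
    return findings

def make_event(op, actor, app, old, new):
    # Hypothetical helper: builds a constructed record shaped like an AuditLogs row.
    return {"OperationName": op, "Category": "ApplicationManagement",
            "InitiatedBy": {"user": {"userPrincipalName": actor}},
            "TargetResources": [{"displayName": app, "modifiedProperties": [
                {"displayName": "KeyDescription",
                 "oldValue": json.dumps(old), "newValue": json.dumps(new)}]}]}

OP = "Update application \u2013 Certificates and secrets management"
CERT = "[KeyIdentifier=0000,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=ci]"
PWD = "[KeyIdentifier=1111,KeyType=Password,KeyUsage=Verify,DisplayName=tmp]"
SAMPLE = [  # constructed sample data, not real log output
    make_event(OP, "owner@example.com", "payroll-app", [CERT], [CERT, PWD]),  # added
    make_event(OP, "admin@example.com", "payroll-app", [CERT, PWD], [CERT]),  # removed
    make_event("Update application", "owner@example.com", "hr-app", [], [PWD]),  # other op
]

if __name__ == "__main__":
    print(json.dumps(added_credentials(SAMPLE), indent=2))
```

The audit record alone does not say whether the actor is an owner of the application; correlate the `actor` value with the application's owner list to separate expected rotations from the escalation path described here.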