Account Manipulation: Additional Azure Service Principal Credentials
Adversaries may add adversary-controlled credentials for Azure Service Principals in addition to existing legitimate credentials to maintain persistent access to victim Azure accounts. Azure Service Principals support both password and certificate credentials. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.
Use multi-factor authentication for user and privileged accounts.
Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.
|Privileged Account Management||
Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
Monitor Azure Activity Logs for service principal modifications.
Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.
- Microsoft. (2020, January 8). Create an Azure service principal with Azure CLI. Retrieved January 19, 2020.
- Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.
- Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.