Account Manipulation: Additional Azure Service Principal Credentials

Adversaries may add adversary-controlled credentials for Azure Service Principals in addition to existing legitimate credentials[1] to maintain persistent access to victim Azure accounts.[2][3] Azure Service Principals support both password and certificate credentials.[4] With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.[5]

ID: T1098.001
Sub-technique of:  T1098
Tactic: Persistence
Platforms: Azure, Azure AD
Permissions Required: Administrator
Data Sources: Azure activity logs
Contributors: Jannie Li, Microsoft Threat Intelligence Center (MSTIC); Oleg Kolesnikov, Securonix
Version: 1.0
Created: 19 January 2020
Last Modified: 15 July 2020

Mitigations

Mitigation Description
Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts.

Network Segmentation

Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.

Privileged Account Management

Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection

Monitor Azure Activity Logs for service principal modifications.

Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.

References