detecting-azure-service-principal-abuse

Featured

Detect and investigate Azure service principal abuse including privilege escalation, credential compromise, admin consent bypass, and unauthorized enumeration in Microsoft Entra ID environments.

DevOps & Infrastructure 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

| Factor | Weight | Score |
| --- | --- | --- |
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Detecting Azure Service Principal Abuse

## Overview

Azure service principals are identity objects used by applications, services, and automation tools to access Azure resources. Attackers exploit service principals for privilege escalation, lateral movement, and persistent access. Key abuse patterns include: adding credentials to existing principals, assigning privileged roles, bypassing admin consent, and enumerating service principals for attack paths. Application ownership grants the ability to manage credentials and configure permissions, creating hidden privilege escalation paths.

## When to Use

- When investigating security incidents that require detecting Azure service principal abuse
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Azure subscription with Microsoft Entra ID P2 license
- Access to Azure AD Audit Logs and Sign-in Logs
- Microsoft Sentinel or Splunk for SIEM-based detection
- Microsoft Graph API permissions for investigation
- Global Reader or Security Reader role minimum

## Key Abuse Patterns

### 1. New Credentials Added to Service Principal

Attackers add new client secrets or certificates to gain persistent access:

**Detection Query (KQL - Sentinel):**

```kql
AuditLogs
| where OperationName has "Add service principal credentials" or OperationName h...
```

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-azure-lateral-movement

Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel KQL hunting queries, and sign-in anomaly correlation to identify privilege escalation, token theft, and cross-tenant pivoting.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-service-account-abuse

Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access patterns.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-privilege-escalation-attempts

Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse across Windows and Linux.

12,642 Updated today
mukul975
AI & Automation Solid

analyzing-azure-activity-logs-for-threats

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

12,642 Updated today
mukul975
AI & Automation Solid

detecting-suspicious-oauth-application-consent

Detect risky OAuth application consent grants in Azure AD / Microsoft Entra ID using Microsoft Graph API, audit logs, and permission analysis to identify illicit consent grant attacks.

12,642 Updated today
mukul975