- Home
- Techniques
- Enterprise
- Account Manipulation
- Additional Azure Service Principal Credentials
Account Manipulation: Additional Azure Service Principal Credentials
Other sub-techniques of Account Manipulation (4)
ID | Name |
---|---|
T1098.001 | Additional Azure Service Principal Credentials |
T1098.002 | Exchange Email Delegate Permissions |
T1098.003 | Add Office 365 Global Administrator Role |
T1098.004 | SSH Authorized Keys |
Adversaries may add adversary-controlled credentials for Azure Service Principals in addition to existing legitimate credentials[1] to maintain persistent access to victim Azure accounts.[2][3] Azure Service Principals support both password and certificate credentials.[4] With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.[5]
Mitigations
Mitigation | Description |
---|---|
Multi-factor Authentication |
Use multi-factor authentication for user and privileged accounts. |
Network Segmentation |
Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems. |
Privileged Account Management |
Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
Detection
Monitor Azure Activity Logs for service principal modifications.
Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.
References
- Microsoft. (2020, January 8). Create an Azure service principal with Azure CLI. Retrieved January 19, 2020.
- Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.
- Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.