T1098.001

Additional Cloud Credentials

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. This includes adding credentials to Azure/Entra ID Service Principals and Applications (x509 keys and passwords), generating or importing SSH keys in AWS/GCP, creating AWS IAM access keys or login profiles, and adding app passwords to Entra ID user accounts to bypass MFA. These techniques allow persistent access even if the original compromised credentials are rotated.

Microsoft Sentinel / Defender

kusto

// T1098.001 - Additional Cloud Credentials Detection
// Covers Azure/Entra ID service principal credential additions, AWS key creation, and related activity
let LookbackPeriod = 24h;
// --- Entra ID / Azure: Service Principal / App Credential Additions ---
let EntraCredentialAdditions = AuditLogs
| where TimeGenerated > ago(LookbackPeriod)
| where OperationName in (
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
    "Add application",
    "Update service principal",
    "Add owner to application",
    "Add app role assignment to service principal"
  )
| extend InitiatingUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingApp = tostring(InitiatedBy.app.displayName)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetResource = tostring(TargetResources[0].displayName)
| extend TargetResourceId = tostring(TargetResources[0].id)
| extend TargetType = tostring(TargetResources[0].type)
| extend ModifiedProperties = TargetResources[0].modifiedProperties
| extend CredentialType = iif(
    OperationName has "Certificates", "Certificate/Secret",
    iif(OperationName has "credentials", "ServicePrincipalCredential", "Other")
  )
| project
    TimeGenerated,
    OperationName,
    Result,
    InitiatingUPN,
    InitiatingApp,
    InitiatingIPAddress,
    TargetResource,
    TargetResourceId,
    TargetType,
    CredentialType,
    Source = "EntraID_AuditLogs",
    CorrelationId;
// --- Azure: App Password (Legacy MFA Bypass) Additions ---
let AppPasswordAdditions = AuditLogs
| where TimeGenerated > ago(LookbackPeriod)
| where OperationName in (
    "Create application password for user",
    "Delete application password for user",
    "Update application password for user"
  )
| extend InitiatingUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetResource = tostring(TargetResources[0].displayName)
| extend TargetResourceId = tostring(TargetResources[0].id)
| extend TargetType = tostring(TargetResources[0].type)
| project
    TimeGenerated,
    OperationName,
    Result,
    InitiatingUPN,
    InitiatingApp = "",
    InitiatingIPAddress,
    TargetResource,
    TargetResourceId,
    TargetType,
    CredentialType = "AppPassword",
    Source = "EntraID_AppPassword",
    CorrelationId;
// --- Union all results ---
union EntraCredentialAdditions, AppPasswordAdditions
| where Result == "success" or Result == ""
// Flag high-risk patterns
| extend IsServiceAccount = InitiatingUPN has_any ("svc-", "service", "automation", "pipeline", "deploy")
| extend IsSelfModification = TargetResource =~ InitiatingUPN
| extend IsHighPrivTarget = TargetType in~ ("ServicePrincipal", "Application")
// Enrich with sign-in context if available
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Cloud Service: Cloud Service Modification User Account: User Account Modification Azure Active Directory Audit Logs Microsoft Entra ID Audit Logs

Required Tables

AuditLogs

False Positives

Legitimate DevOps automation rotating service principal credentials on a schedule (CI/CD pipelines, Terraform, Ansible)
Application registrations during normal software development lifecycle where developers add test credentials
Break-glass/emergency account setup by authorized IT administrators during incident response
Managed Identity and service connection setup during Azure DevOps pipeline configuration by authorized teams
App password creation by end users for legacy applications (e.g., Office clients without MFA support) when permitted by policy

Splunk

spl

index=azure_audit OR index=o365 sourcetype="azure:aad:audit"
(
  OperationName="Add service principal credentials"
  OR OperationName="Update application – Certificates and secrets management"
  OR OperationName="Add application"
  OR OperationName="Update service principal"
  OR OperationName="Add owner to application"
  OR OperationName="Add app role assignment to service principal"
  OR OperationName="Create application password for user"
  OR OperationName="Update application password for user"
)
| spath input=InitiatedBy path=user.userPrincipalName output=InitiatingUPN
| spath input=InitiatedBy path=user.ipAddress output=InitiatingIPAddress
| spath input=InitiatedBy path=app.displayName output=InitiatingApp
| spath input=TargetResources{}.displayName output=TargetResource
| spath input=TargetResources{}.type output=TargetType
| eval Result=coalesce(Result, "unknown")
| eval CredentialType=case(
    match(OperationName, "(?i)certificate|secret"), "Certificate_or_Secret",
    match(OperationName, "(?i)password"), "AppPassword",
    match(OperationName, "(?i)credentials"), "ServicePrincipalCredential",
    true(), "Other"
  )
| eval IsHighRisk=case(
    OperationName="Create application password for user", "True_MFA_Bypass_Risk",
    OperationName="Add service principal credentials", "True_SP_Credential_Add",
    OperationName="Add owner to application", "True_Ownership_Change",
    true(), "False"
  )
| eval IsSelfModification=if(InitiatingUPN=TargetResource, "Yes", "No")
| eval IsServiceAccount=if(match(InitiatingUPN, "(?i)(svc-|service|automation|pipeline|deploy|robot|bot)"), "Yes", "No")
| where Result="success" OR Result="unknown"
| table _time, OperationName, Result, InitiatingUPN, InitiatingApp, InitiatingIPAddress, TargetResource, TargetType, CredentialType, IsHighRisk, IsSelfModification, IsServiceAccount, CorrelationId
| sort - _time

high severity high confidence

Data Sources

Cloud Service: Cloud Service Modification User Account: User Account Modification Azure AD Audit Logs

Required Sourcetypes

azure:aad:audit

False Positives

Legitimate DevOps automation rotating service principal credentials on a schedule (CI/CD pipelines, Terraform, Ansible)
Application registrations during normal software development lifecycle where developers add test credentials
Break-glass/emergency account setup by authorized IT administrators during incident response
Managed Identity and service connection setup during Azure DevOps pipeline configuration by authorized teams
App password creation by end users for legacy applications (e.g., Office clients without MFA support) when permitted by policy

Elastic Security (EQL)

eql

any where event.dataset == "azure.auditlogs"
  and azure.auditlogs.operation_name in~ (
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
    "Add application",
    "Update service principal",
    "Add owner to application",
    "Add app role assignment to service principal",
    "Create application password for user",
    "Update application password for user",
    "Delete application password for user"
  )
  and (
    azure.auditlogs.properties.result == "success"
    or azure.auditlogs.properties.result == null
    or azure.auditlogs.properties.result == ""
  )
  and (
    azure.auditlogs.properties.initiated_by.user.user_principal_name != null
    or azure.auditlogs.properties.initiated_by.app.display_name != null
  )
| eval
    initiating_upn = azure.auditlogs.properties.initiated_by.user.user_principal_name,
    initiating_app = azure.auditlogs.properties.initiated_by.app.display_name,
    initiating_ip  = azure.auditlogs.properties.initiated_by.user.ip_address,
    target_resource = azure.auditlogs.properties.target_resources.0.display_name,
    target_type     = azure.auditlogs.properties.target_resources.0.type,
    correlation_id  = azure.auditlogs.properties.correlation_id,
    credential_type = case(
      azure.auditlogs.operation_name like~ "*certificate*" or azure.auditlogs.operation_name like~ "*secret*", "Certificate_or_Secret",
      azure.auditlogs.operation_name like~ "*password*", "AppPassword",
      azure.auditlogs.operation_name like~ "*credentials*", "ServicePrincipalCredential",
      "Other"
    ),
    is_high_risk = case(
      azure.auditlogs.operation_name == "Create application password for user", "MFA_Bypass_Risk",
      azure.auditlogs.operation_name == "Add service principal credentials", "SP_Credential_Add",
      azure.auditlogs.operation_name == "Add owner to application", "Ownership_Change",
      "Low"
    ),
    is_service_account = case(
      azure.auditlogs.properties.initiated_by.user.user_principal_name like~ "*svc-*"
      or azure.auditlogs.properties.initiated_by.user.user_principal_name like~ "*automation*"
      or azure.auditlogs.properties.initiated_by.user.user_principal_name like~ "*pipeline*"
      or azure.auditlogs.properties.initiated_by.user.user_principal_name like~ "*deploy*"
      or azure.auditlogs.properties.initiated_by.user.user_principal_name like~ "*robot*", "Yes",
      "No"
    )

high severity high confidence

Data Sources

Azure Active Directory Audit Logs (via Elastic Azure integration) Microsoft Entra ID Audit Logs

Required Tables

logs-azure.auditlogs-*

False Positives

Legitimate CI/CD pipelines (Terraform, GitHub Actions, Azure DevOps) that automatically create or rotate service principal credentials as part of infrastructure provisioning workflows
IT administrators performing scheduled credential rotation or certificate lifecycle management via the Azure portal or scripted tooling
Azure Managed Identity automation and service provisioning that registers new applications or assigns credentials during infrastructure deployments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  QIDNAME(qid)                                  AS OperationName,
  username                                       AS InitiatingUPN,
  sourceip                                       AS InitiatingIPAddress,
  "TargetObjectName"                             AS TargetResource,
  "TargetObjectType"                             AS TargetType,
  "Result"                                       AS Result,
  LOGSOURCENAME(logsourceid)                     AS LogSource,
  CATEGORYNAME(highlevelcategory)                AS HighLevelCategory,
  magnitude,
  CASE
    WHEN LOWER(QIDNAME(qid)) LIKE '%certificate%' OR LOWER(QIDNAME(qid)) LIKE '%secret%' THEN 'Certificate_or_Secret'
    WHEN LOWER(QIDNAME(qid)) LIKE '%password%'    THEN 'AppPassword'
    WHEN LOWER(QIDNAME(qid)) LIKE '%credentials%' THEN 'ServicePrincipalCredential'
    ELSE 'Other'
  END AS CredentialType,
  CASE
    WHEN QIDNAME(qid) = 'Create application password for user' THEN 'MFA_Bypass_Risk'
    WHEN QIDNAME(qid) = 'Add service principal credentials'    THEN 'SP_Credential_Add'
    WHEN QIDNAME(qid) = 'Add owner to application'            THEN 'Ownership_Change'
    ELSE 'Low'
  END AS IsHighRisk
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (
    430,   -- Microsoft Azure Active Directory (verify ID in your deployment)
    520,   -- Microsoft Office 365 (verify ID in your deployment)
    540    -- Microsoft Azure Monitor (verify ID in your deployment)
  )
  AND (
    LOWER(QIDNAME(qid)) LIKE '%service principal credentials%'
    OR LOWER(QIDNAME(qid)) LIKE '%certificates and secrets%'
    OR LOWER(QIDNAME(qid)) LIKE '%application password%'
    OR LOWER(QIDNAME(qid)) LIKE '%app role assignment%'
    OR LOWER(QIDNAME(qid)) LIKE '%owner to application%'
    OR LOWER(QIDNAME(qid)) LIKE '%update service principal%'
    OR LOWER(QIDNAME(qid)) LIKE '%add application%'
  )
  AND (
    "Result" = 'success'
    OR "Result" IS NULL
    OR "Result" = ''
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 1000

high severity medium confidence

Data Sources

Microsoft Azure Active Directory DSM Microsoft Office 365 DSM Microsoft Azure Monitor DSM

Required Tables

events

False Positives

Automated infrastructure-as-code tooling (Terraform, Pulumi, Ansible) that provisions Azure resources and creates service principal credentials as part of normal deployment pipelines
Scheduled credential rotation jobs run by platform engineering teams that reset service principal certificates or secrets on a defined cadence
Vendor-managed SaaS applications that auto-rotate their own Azure AD application credentials and trigger audit events on their scheduled rotation cycles

Sumo Logic CSE

sql

_sourceCategory="Azure/AuditLogs" OR _sourceCategory="azure/aad/audit" OR _sourceCategory="Azure/ActiveDirectory/Audit"
| json "operationName" as OperationName nodrop
| json "properties.result" as Result nodrop
| json "properties.initiatedBy.user.userPrincipalName" as InitiatingUPN nodrop
| json "properties.initiatedBy.user.ipAddress" as InitiatingIPAddress nodrop
| json "properties.initiatedBy.app.displayName" as InitiatingApp nodrop
| json "properties.targetResources[0].displayName" as TargetResource nodrop
| json "properties.targetResources[0].type" as TargetType nodrop
| json "properties.correlationId" as CorrelationId nodrop
| where OperationName in (
    "Add service principal credentials",
    "Update application \u2013 Certificates and secrets management",
    "Add application",
    "Update service principal",
    "Add owner to application",
    "Add app role assignment to service principal",
    "Create application password for user",
    "Update application password for user",
    "Delete application password for user"
  )
| where Result = "success" or isNull(Result) or Result = ""
| if (OperationName matches "(?i)certificate|secret", "Certificate_or_Secret",
    if (OperationName matches "(?i)password", "AppPassword",
      if (OperationName matches "(?i)credentials", "ServicePrincipalCredential", "Other"))) as CredentialType
| if (OperationName = "Create application password for user", "MFA_Bypass_Risk",
    if (OperationName = "Add service principal credentials", "SP_Credential_Add",
      if (OperationName = "Add owner to application", "Ownership_Change", "Low"))) as IsHighRisk
| if (matches(InitiatingUPN, "(?i)(svc[-_]|service|automation|pipeline|deploy|robot|bot)"), "Yes", "No") as IsServiceAccount
| if (InitiatingUPN = TargetResource, "Yes", "No") as IsSelfModification
| fields _messageTime, OperationName, Result, InitiatingUPN, InitiatingApp, InitiatingIPAddress, TargetResource, TargetType, CredentialType, IsHighRisk, IsServiceAccount, IsSelfModification, CorrelationId
| sort by _messageTime desc

high severity high confidence

Data Sources

Azure Monitor Diagnostic Logs (Azure Active Directory Audit Logs) Microsoft Entra ID Audit Logs via Sumo Logic Azure collection

Required Tables

Azure/AuditLogs source category (environment-specific)

False Positives

Automated DevOps pipelines that programmatically create or rotate Azure AD service principal credentials during application deployments or environment bootstrapping
IT helpdesk staff adding app passwords to user accounts at the user's request for legacy applications that do not support modern authentication
Security tooling or CASB products that register Azure AD applications with certificates as part of their tenant onboarding or token acquisition workflows

Google Chronicle / SecOps

yaral

rule T1098_001_Additional_Cloud_Credentials {
  meta:
    author          = "Detection Engineering"
    description     = "Detects addition of credentials to Azure/Entra ID service principals and applications (T1098.001). Covers service principal credential additions, certificate and secret management, app password creation for MFA bypass, and ownership changes."
    mitre_attack_tactic    = "Persistence"
    mitre_attack_technique = "T1098.001"
    severity        = "HIGH"
    confidence      = "HIGH"
    version         = "1.0"
    created         = "2026-04-13"

  events:
    $e.metadata.log_type = "AZURE_AD"
    $e.metadata.product_event_type in (
      "Add service principal credentials",
      "Update application \u2013 Certificates and secrets management",
      "Add application",
      "Update service principal",
      "Add owner to application",
      "Add app role assignment to service principal",
      "Create application password for user",
      "Update application password for user",
      "Delete application password for user"
    )
    // Include both explicit ALLOW and events with no block action (missing result = likely success)
    not $e.security_result.action = "BLOCK"
    $e.principal.user.email_addresses = $initiating_upn

  match:
    $initiating_upn over 1h

  outcome:
    $event_count              = count_distinct($e.metadata.id)
    $operations               = array_distinct($e.metadata.product_event_type)
    $target_resources         = array_distinct($e.target.resource.name)
    $source_ips               = array_distinct($e.principal.ip)
    $is_mfa_bypass_risk       = max(if($e.metadata.product_event_type = "Create application password for user", 1, 0))
    $is_sp_credential_add     = max(if($e.metadata.product_event_type = "Add service principal credentials", 1, 0))
    $is_ownership_change      = max(if($e.metadata.product_event_type = "Add owner to application", 1, 0))

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle Azure Active Directory log feed Microsoft Entra ID Audit Logs ingested into Chronicle UDM

Required Tables

AZURE_AD (Chronicle UDM log type)

False Positives

Legitimate infrastructure automation accounts (Terraform service principals, Azure DevOps managed identities) that regularly add credentials to registered applications as part of provisioning workflows
IT administrators performing bulk credential rotation across multiple service principals during a planned maintenance window, which may generate multiple events from a single identity
Third-party SaaS vendor onboarding processes that require granting their application ownership or assigning credentials to an enterprise application in the tenant

CrowdStrike LogScale (CQL)

cql

// T1098.001 - Additional Cloud Credentials - Azure/Entra ID
// Requires Azure Active Directory audit logs ingested into LogScale
// Adjust #vendor and #product tags to match your ingestion configuration
#vendor="Microsoft" #product="AzureActiveDirectory" #type="AuditLog"
| OperationName in values=[
    "Add service principal credentials",
    "Update application \u2013 Certificates and secrets management",
    "Add application",
    "Update service principal",
    "Add owner to application",
    "Add app role assignment to service principal",
    "Create application password for user",
    "Update application password for user",
    "Delete application password for user"
  ]
| in(field=Result, values=["success", ""])
| InitiatingUPN       := properties.initiatedBy.user.userPrincipalName
| InitiatingIPAddress := properties.initiatedBy.user.ipAddress
| InitiatingApp       := properties.initiatedBy.app.displayName
| TargetResource      := properties.targetResources[0].displayName
| TargetType          := properties.targetResources[0].type
| CorrelationId       := properties.correlationId
| CredentialType := case {
    OperationName = /(?i)certificate|secret/   => "Certificate_or_Secret" ;
    OperationName = /(?i)password/             => "AppPassword" ;
    OperationName = /(?i)credentials/          => "ServicePrincipalCredential" ;
    *                                          => "Other"
  }
| IsHighRisk := case {
    OperationName = "Create application password for user" => "MFA_Bypass_Risk" ;
    OperationName = "Add service principal credentials"    => "SP_Credential_Add" ;
    OperationName = "Add owner to application"             => "Ownership_Change" ;
    *                                                      => "Low"
  }
| IsServiceAccount := case {
    InitiatingUPN = /(?i)(svc[-_]|service|automation|pipeline|deploy|robot|bot)/ => "Yes" ;
    *                                                                              => "No"
  }
| IsSelfModification := if(InitiatingUPN = TargetResource, "Yes", "No")
| table([@timestamp, OperationName, Result, InitiatingUPN, InitiatingApp, InitiatingIPAddress, TargetResource, TargetType, CredentialType, IsHighRisk, IsServiceAccount, IsSelfModification, CorrelationId])
| sort(field=@timestamp, order=desc, limit=1000)

high severity medium confidence

Data Sources

Microsoft Azure Active Directory Audit Logs ingested into CrowdStrike LogScale Azure Monitor Diagnostic Logs forwarded to LogScale via Event Hub or custom shipper

Required Tables

LogScale repository with Azure AD audit log ingestion (tag-based filtering)

False Positives

Automated credential rotation pipelines for service principals used by CI/CD systems (Azure DevOps, GitHub Actions) that reset credentials on a defined schedule and generate audit events under service account UPNs
Platform engineering workflows that use Terraform or Pulumi to manage Azure AD applications, where plan-apply cycles create or update application credentials during infrastructure changes
Enterprise application gallery integrations where Microsoft or third-party vendors automatically configure service principal credentials during initial SSO provisioning in the tenant

Last updated: 2026-04-13 Research depth: deep

References (18)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1098.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1098Account Manipulation

Related Sub-techniques

T1098.002Additional Email Delegate Permissions T1098.003Additional Cloud Roles T1098.004SSH Authorized Keys T1098.005Device Registration T1098.006Additional Container Cluster Roles T1098.007Additional Local or Domain Groups

Additional Cloud Credentials

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections