Detect Additional Cloud Credentials in Microsoft Sentinel
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. This includes adding credentials to Azure/Entra ID Service Principals and Applications (x509 keys and passwords), generating or importing SSH keys in AWS/GCP, creating AWS IAM access keys or login profiles, and adding app passwords to Entra ID user accounts to bypass MFA. These techniques allow persistent access even if the original compromised credentials are rotated.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1098 Account Manipulation
- Sub-technique
- T1098.001 Additional Cloud Credentials
- Canonical reference
- https://attack.mitre.org/techniques/T1098/001/
KQL Detection Query
// T1098.001 - Additional Cloud Credentials Detection
// Covers Azure/Entra ID service principal credential additions, AWS key creation, and related activity
let LookbackPeriod = 24h;
// --- Entra ID / Azure: Service Principal / App Credential Additions ---
let EntraCredentialAdditions = AuditLogs
| where TimeGenerated > ago(LookbackPeriod)
| where OperationName in (
"Add service principal credentials",
"Update application – Certificates and secrets management",
"Add application",
"Update service principal",
"Add owner to application",
"Add app role assignment to service principal"
)
| extend InitiatingUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingApp = tostring(InitiatedBy.app.displayName)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetResource = tostring(TargetResources[0].displayName)
| extend TargetResourceId = tostring(TargetResources[0].id)
| extend TargetType = tostring(TargetResources[0].type)
| extend ModifiedProperties = TargetResources[0].modifiedProperties
| extend CredentialType = iif(
OperationName has "Certificates", "Certificate/Secret",
iif(OperationName has "credentials", "ServicePrincipalCredential", "Other")
)
| project
TimeGenerated,
OperationName,
Result,
InitiatingUPN,
InitiatingApp,
InitiatingIPAddress,
TargetResource,
TargetResourceId,
TargetType,
CredentialType,
Source = "EntraID_AuditLogs",
CorrelationId;
// --- Azure: App Password (Legacy MFA Bypass) Additions ---
let AppPasswordAdditions = AuditLogs
| where TimeGenerated > ago(LookbackPeriod)
| where OperationName in (
"Create application password for user",
"Delete application password for user",
"Update application password for user"
)
| extend InitiatingUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetResource = tostring(TargetResources[0].displayName)
| extend TargetResourceId = tostring(TargetResources[0].id)
| extend TargetType = tostring(TargetResources[0].type)
| project
TimeGenerated,
OperationName,
Result,
InitiatingUPN,
InitiatingApp = "",
InitiatingIPAddress,
TargetResource,
TargetResourceId,
TargetType,
CredentialType = "AppPassword",
Source = "EntraID_AppPassword",
CorrelationId;
// --- Union all results ---
union EntraCredentialAdditions, AppPasswordAdditions
| where Result == "success" or Result == ""
// Flag high-risk patterns
| extend IsServiceAccount = InitiatingUPN has_any ("svc-", "service", "automation", "pipeline", "deploy")
| extend IsSelfModification = TargetResource =~ InitiatingUPN
| extend IsHighPrivTarget = TargetType in~ ("ServicePrincipal", "Application")
// Enrich with sign-in context if available
| sort by TimeGenerated descDetects additions of cloud credentials in Azure/Entra ID environments, covering: (1) Service Principal and Application credential additions (certificates, secrets, passwords), (2) App password creation for MFA bypass, and (3) high-risk ownership/role changes. Uses AuditLogs table from Microsoft Sentinel. Flags self-modification patterns, service account initiators, and credential types. For AWS and GCP, a separate CloudTrail/GCP Audit Log pipeline is recommended.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate DevOps automation rotating service principal credentials on a schedule (CI/CD pipelines, Terraform, Ansible)
- Application registrations during normal software development lifecycle where developers add test credentials
- Break-glass/emergency account setup by authorized IT administrators during incident response
- Managed Identity and service connection setup during Azure DevOps pipeline configuration by authorized teams
- App password creation by end users for legacy applications (e.g., Office clients without MFA support) when permitted by policy
Other platforms for T1098.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Client Secret to Entra ID Application via Azure CLI
Expected signal: Entra ID Audit Logs: OperationName='Update application – Certificates and secrets management' or 'Add service principal credentials' with Result=success. InitiatedBy will show the authenticated CLI user. TargetResources will contain the application object ID and display name. ModifiedProperties will include the new credential's KeyId, StartDate, EndDate, and CustomKeyIdentifier.
- Test 2Create AWS IAM Access Key for Existing User via AWS CLI
Expected signal: AWS CloudTrail: EventName='CreateAccessKey' with requestParameters.userName=<TARGET_USERNAME>, responseElements.accessKey.accessKeyId=<NEW_KEY_ID>, responseElements.accessKey.status='Active'. UserIdentity section shows the requesting account. EventSource=iam.amazonaws.com.
- Test 3Add Certificate Credential to Entra ID Service Principal via PowerShell
Expected signal: Entra ID Audit Logs: OperationName='Add service principal credentials' with Result=success. ModifiedProperties will contain KeyCredentials with Type=AsymmetricX509Cert, Usage=Verify, and the certificate's StartDate/EndDate. PowerShell ScriptBlock Logging (Event ID 4104) will capture the New-AzADSpCredential command. Sysmon Event ID 1 will show powershell.exe execution.
- Test 4Create Entra ID App Password for MFA Bypass via Microsoft Graph API
Expected signal: Entra ID Audit Logs: OperationName='Create application password for user' with Result=success. InitiatedBy will show the authenticated Graph API caller. TargetResources will contain the target user's UPN and object ID. Microsoft Defender for Cloud Apps may also generate an alert for unusual MFA modification activity.
References (18)
- https://attack.mitre.org/techniques/T1098/001/
- https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
- https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
- https://expel.io/blog/finding-evil-in-aws/
- https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://sysdig.com/blog/scarleteel-2-0/
- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
- https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/
- https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
- https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-app-passwords
- https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- https://github.com/RhinoSecurityLabs/pacu
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities
- https://learn.microsoft.com/en-us/graph/api/resources/auditlog-root
- https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azadspredential
Unlock Pro Content
Get the full detection package for T1098.001 including response playbook, investigation guide, and atomic red team tests.