Query Details

Critical Identities Privilege Escalation On Entra Service Principal

Query

// Critical Identities Privilege Escalation on Entra Service Principal
// https://www.linkedin.com/posts/0x534c_defenderxdr-customdetection-exposuremanagement-activity-7182618135659692032-HsE5/

//Custom DefenderXDR privilege escalation detection rule for critical identities marked by exposure management for adding Entra service principal credentials. It is vital for SecOps to monitor organization's critical identities for any potential privilege escalation in Entra service principals.

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) 
and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend AccountID = tostring(NodeProperties.rawData.accountObjectId)
| distinct AccountID;
CloudAppEvents
| where ActivityType == "Add"
| where ActionType == @"Add service principal credentials."
| where AccountId has_any(CriticalIdentities)


// MITRE ATT&CK Mapping

// The KQL query can be mapped to the following MITRE ATT&CK techniques:

// T1078.004 - Valid Accounts: Cloud Accounts:
// The query is looking for the addition of service principal credentials, which can be associated with the use of valid cloud accounts to gain unauthorized access.

// T1098 - Account Manipulation:
// Adding service principal credentials can be seen as a form of account manipulation, where adversaries modify accounts to maintain access.

// T1078 - Valid Accounts:
// The use of valid accounts, especially those with elevated privileges, is a common technique for maintaining persistence and accessing resources.

Explanation

This KQL query is designed to detect potential privilege escalation activities involving critical identities within an organization's Entra service principals. Here's a simplified breakdown of what the query does:

  1. Identify Critical Identities:

    • The query first identifies critical identities by examining nodes in the ExposureGraphNodes table.
    • It filters for nodes categorized as "identity" and checks if they have a criticality level below 4, indicating they are considered critical.
    • It extracts the account IDs of these critical identities.
  2. Monitor Cloud App Events:

    • The query then looks at the CloudAppEvents table for activities where service principal credentials are added.
    • It specifically checks for "Add" activities with the action type "Add service principal credentials."
    • It matches these activities against the list of critical account IDs identified earlier.
  3. Purpose:

    • The goal is to alert security operations (SecOps) teams about any potential privilege escalation involving critical identities, which could indicate unauthorized access or manipulation.
  4. MITRE ATT&CK Techniques:

    • The query is associated with several MITRE ATT&CK techniques:
      • T1078.004: Valid Accounts: Cloud Accounts - It detects the addition of service principal credentials, which might involve using valid cloud accounts for unauthorized access.
      • T1098: Account Manipulation - Adding credentials can be seen as manipulating accounts to maintain access.
      • T1078: Valid Accounts - Using valid accounts, especially with elevated privileges, is a common method for maintaining persistence and accessing resources.

In summary, this query helps in monitoring and detecting suspicious activities related to privilege escalation in critical identities, ensuring that security teams can respond promptly to potential threats.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

ExposureGraphNodesCloudAppEvents

Keywords

CriticalIdentitiesExposureManagementEntraServicePrincipalCredentialsSecOpsCloudAppEventsAccountId

Operators

let|whereset_has_elementisnotnulland<extendtostringdistinct==@has_any

MITRE Techniques

Actions

GitHub