Query Details

HQ 002 New App Immediate Credential Add

Query

// =========================================================================
// HQ-002: New Application Registration with Immediate Credential Addition
// =========================================================================
// Description : Joins app creation events with credential-add events within
//               a 5-minute window. Legitimate DevOps pipelines register apps
//               and add secrets, but so do ROADtools and MicroBurst when
//               setting up OAuth infrastructure for token abuse or persistence.
//               Review the actor and app display name for anomalies.
// MITRE ATT&CK: TA0003 Persistence
//               T1098.001 – Additional Cloud Credentials
// Tools       : ROADtools, MicroBurst, AADInternals, CloudKatana
// Severity    : Medium-High
// Data Source : AuditLogs (Azure Active Directory)
// =========================================================================

let Lookback       = 1d;
let CredWindow     = 5m;

let AppCreations = AuditLogs
| where TimeGenerated > ago(Lookback)
| where ActivityDisplayName in (
    "Add application",
    "Create application \u2013 Certificates and secrets management ")
| extend AppObjectId   = tostring(TargetResources[0].id)
| extend AppName       = tostring(TargetResources[0].displayName)
| extend CreatorUPN    = tostring(InitiatedBy.user.userPrincipalName)
| extend CreatorApp    = tostring(InitiatedBy.app.displayName)
| extend CreatorActor  = iff(isnotempty(CreatorUPN), CreatorUPN, CreatorApp)
| project CreatedAt = TimeGenerated, AppObjectId, AppName, CreatorActor, CreatorUPN, CreatorApp, CorrelationId;

let CredAdds = AuditLogs
| where TimeGenerated > ago(Lookback)
| where ActivityDisplayName in (
    "Update application \u2013 Certificates and secrets management ",
    "Create application \u2013 Certificates and secrets management ",
    "Add service principal credentials",
    "Update service principal")
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) has_any ("KeyCredentials","PasswordCredentials","Credential","Secret","Certificate")
| extend AppObjectId    = tostring(TargetResources[0].id)
| extend AppName        = tostring(TargetResources[0].displayName)
| extend CredActorUPN   = tostring(InitiatedBy.user.userPrincipalName)
| extend CredActorApp   = tostring(InitiatedBy.app.displayName)
| extend CredActor      = iff(isnotempty(CredActorUPN), CredActorUPN, CredActorApp)
| extend CredType       = tostring(Prop.displayName)
| project CredAddedAt = TimeGenerated, AppObjectId, AppName, CredActor, CredActorUPN, CredType;

AppCreations
| join kind=inner CredAdds on AppObjectId
| where CredAddedAt > CreatedAt
| where CredAddedAt <= CreatedAt + CredWindow
| extend MinutesBetween = datetime_diff('minute', CredAddedAt, CreatedAt)
| project
    AppName,
    AppObjectId,
    CreatedAt,
    CredAddedAt,
    MinutesBetween,
    CreatorActor,
    CredActor,
    CredType
| order by CreatedAt desc

Explanation

This query identifies events where a new application is registered and credentials are added to it within a short time frame, specifically five minutes. Here's a simplified breakdown of what the query does:

  1. Time Frame: It looks at events from the past day (Lookback = 1d).

  2. App Creation Events: It filters logs to find events where applications were created. For each event, it extracts the application's object ID and name, the creator's user principal name (UPN) and, when the event was initiated by an application rather than a user, that application's display name. The creating actor is the UPN when present, otherwise the initiating app.

  3. Credential Addition Events: It filters logs to find events where credentials (keys, passwords, or certificates) were added to applications or service principals, keeping only modified properties whose names reference credentials, secrets, or certificates. It extracts the same details as above plus the type of credential added (the modified property name).

  4. Joining Events: It joins the app creation events with the credential addition events on the application object ID and keeps only pairs where the credential addition happened after the app was created and within the five-minute window (CredWindow = 5m).

  5. Output: The query outputs a list of applications with the application name, object ID, the time of creation, the time credentials were added, the time difference in minutes, the actors involved in both actions, and the credential type.

  6. Purpose: This helps identify potentially suspicious activity where an application and its credentials are set up in quick succession, which could indicate automated processes or malicious activity using tools like ROADtools or MicroBurst. The results can be reviewed for anomalies in the actors or application names to detect unauthorized or suspicious behavior.
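To show the correlation described above on concrete records, here is an added Python re-implementation of the query's logic over a constructed AuditLogs sample; it is not part of the original query page. Field names are assumed to mirror the AuditLogs schema the query reads, and KQL's has_any term match is approximated with a case-insensitive substring check.

```python
from datetime import datetime, timedelta

# Constructed AuditLogs-shaped records (not real tenant data), carrying only the fields the query
# reads. Assumption: the layout mirrors the Azure AD AuditLogs table as ingested by Sentinel.
SAMPLE_AUDIT_LOGS = [
    {"TimeGenerated": "2026-04-06T10:00:00Z", "ActivityDisplayName": "Add application",
     "InitiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "TargetResources": [{"id": "app-1", "displayName": "deploy-pipeline", "modifiedProperties": []}]},
    {"TimeGenerated": "2026-04-06T10:02:30Z", "InitiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "ActivityDisplayName": "Update application \u2013 Certificates and secrets management ",
     "TargetResources": [{"id": "app-1", "displayName": "deploy-pipeline",
                          "modifiedProperties": [{"displayName": "PasswordCredentials"}]}]},
    {"TimeGenerated": "2026-04-06T11:00:00Z", "ActivityDisplayName": "Add application",
     "InitiatedBy": {"app": {"displayName": "Terraform SP"}},
     "TargetResources": [{"id": "app-2", "displayName": "reporting-api", "modifiedProperties": []}]},
    {"TimeGenerated": "2026-04-06T11:12:00Z", "ActivityDisplayName": "Add service principal credentials",
     "InitiatedBy": {"app": {"displayName": "Terraform SP"}}, "TargetResources": [{"id": "app-2",
     "displayName": "reporting-api", "modifiedProperties": [{"displayName": "KeyCredentials"}]}]},
]
CREATE_EVENTS = {"Add application", "Create application \u2013 Certificates and secrets management "}
CRED_EVENTS = {"Update application \u2013 Certificates and secrets management ",
               "Create application \u2013 Certificates and secrets management ",
               "Add service principal credentials", "Update service principal"}
CRED_KEYWORDS = ("KeyCredentials", "PasswordCredentials", "Credential", "Secret", "Certificate")

def actor(record):
    """CreatorActor/CredActor logic: prefer the user UPN, fall back to the initiating app."""
    by = record.get("InitiatedBy", {})
    return (by.get("user") or {}).get("userPrincipalName") or (by.get("app") or {}).get("displayName", "")

def ts(record):
    return datetime.fromisoformat(record["TimeGenerated"].replace("Z", "+00:00"))

def hunt(records, window_minutes=5):
    """Inner-join creations to credential adds on app object id; keep adds within the window after creation."""
    window = timedelta(minutes=window_minutes)
    creations = [r for r in records if r["ActivityDisplayName"] in CREATE_EVENTS]
    hits = []  # one tuple per hit, in the order of the query's projected columns
    for cred in (r for r in records if r["ActivityDisplayName"] in CRED_EVENTS):
        target = cred["TargetResources"][0]
        # mv-expand over modifiedProperties; has_any approximated as case-insensitive substring
        for name in (p.get("displayName", "") for p in target.get("modifiedProperties", [])):
            if not any(k.lower() in name.lower() for k in CRED_KEYWORDS):
                continue
            for created in creations:
                delta = ts(cred) - ts(created)
                # strict '>' on the lower bound stops a create event from matching itself
                if created["TargetResources"][0]["id"] == target["id"] and timedelta(0) < delta <= window:
                    hits.append((target["displayName"], target["id"], int(delta.total_seconds() // 60), actor(created), actor(cred), name))
    return hits
```

With the default five-minute window only app-1 is reported; widening the window to 15 minutes also surfaces the Terraform-initiated app-2 pair, which is the tuning knob to adjust for a tenant's normal pipeline cadence.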

Details

David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogs, Azure Active Directory, Application, Credentials, Secrets, Certificates, Service Principal, User, App Display Name, TimeGenerated, TargetResources, InitiatedBy, CorrelationId, ModifiedProperties, KeyCredentials, PasswordCredentials, Credential, Secret, Certificate

Operators

let, where, ago, in, tostring, extend, iff, isnotempty, project, mv-expand, has_any, join, kind, on, datetime_diff, order by, desc