Query Details

HQ 004 Bulk Service Principal Creation

Query

// =========================================================================
// HQ-004: Burst Service Principal Creations in 1-Hour Window
// =========================================================================
// Description : Detects three or more service principals created by the
//               same actor within a one-hour bucket. MicroBurst, ROADtools
//               and CloudKatana register SPs in bulk when setting up attack
//               infrastructure. Legitimate admins rarely create more than
//               one or two SPs in rapid succession.
// MITRE ATT&CK: TA0003 Persistence
//               T1136.003 – Create Cloud Account
// Tools       : ROADtools, MicroBurst, CloudKatana, AADInternals
// Severity    : Medium
// Data Source : AuditLogs (Azure Active Directory)
// =========================================================================

AuditLogs
| where TimeGenerated > ago(1d)
| where ActivityDisplayName == "Add service principal"
| extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend Actor          = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend NewSPName      = tostring(TargetResources[0].displayName)
| extend NewSPId        = tostring(TargetResources[0].id)
| summarize
    SPCreatedCount = count(),
    SPNames        = make_set(NewSPName, 20),
    SPIds          = make_set(NewSPId, 20),
    FirstCreation  = min(TimeGenerated),
    LastCreation   = max(TimeGenerated)
    by Actor, bin(TimeGenerated, 1h)
| where SPCreatedCount >= 3
| extend DurationMinutes = datetime_diff('minute', LastCreation, FirstCreation)
| extend RatePerMinute   = round(toreal(SPCreatedCount) / iff(DurationMinutes == 0, 1.0, toreal(DurationMinutes)), 2)
| order by SPCreatedCount desc

Explanation

This query is designed to detect suspicious activity related to the creation of service principals in Azure Active Directory. Here's a simplified explanation:

  1. Purpose: The query identifies instances where three or more service principals are created by the same user or application within a one-hour period. This behavior is unusual for legitimate administrators but common in certain attack scenarios.

  2. Data Source: It uses the AuditLogs from Azure Active Directory to track these activities.

  3. Process:

    • It looks at logs from the past day (TimeGenerated > ago(1d)).
    • Filters for activities labeled as "Add service principal".
    • Determines who initiated the creation, whether a user or an application.
    • Collects the names and IDs of the newly created service principals.
    • Groups the data by the actor (user or app) and by each hour (bin(TimeGenerated, 1h)).
    • Counts how many service principals each actor created in that hour.
    • Filters to show only those actors who created three or more service principals in that time frame.

  4. Additional Calculations:

    • Calculates the duration between the first and last creation within the hour.
    • Computes the rate of creation per minute.

  5. Output: The results are ordered by the number of service principals created, highlighting potential security concerns where a high number of service principals are created rapidly by the same actor.

This query helps in identifying potential misuse or attack patterns involving bulk creation of service principals, which could indicate malicious activity.
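The grouping and thresholding the explanation walks through, replayed in Python over a constructed set of AuditLogs-shaped records so the behaviour of each stage can be checked offline. This is an added example, not the page's query or any Microsoft Sentinel code; the field names follow the query, but the sample actors, service principal names and ids, and the NOW reference time are placeholders constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ACTIVITY = "Add service principal"   # ActivityDisplayName the query filters on


def _row(ts, actor_kind, actor, sp_name, sp_id, activity=ACTIVITY):
    """Build one constructed AuditLogs-shaped record (placeholder data, not a real tenant)."""
    initiated_by = ({"user": {"userPrincipalName": actor}} if actor_kind == "user"
                    else {"app": {"displayName": actor}})
    return {"TimeGenerated": ts, "ActivityDisplayName": activity,
            "InitiatedBy": initiated_by,
            "TargetResources": [{"displayName": sp_name, "id": sp_id}]}


# Constructed reference time standing in for now(); the query's ago(1d) is relative to it.
NOW = datetime(2026, 4, 6, 18, 0)
D = datetime(2026, 4, 6)

SAMPLE_AUDIT_LOGS = [
    # Four SPs in seven minutes by one user: should be reported.
    _row(D.replace(hour=10, minute=5), "user", "attacker@example.com", "sp-recon-1", "0001"),
    _row(D.replace(hour=10, minute=7), "user", "attacker@example.com", "sp-recon-2", "0002"),
    _row(D.replace(hour=10, minute=8), "user", "attacker@example.com", "sp-recon-3", "0003"),
    _row(D.replace(hour=10, minute=12), "user", "attacker@example.com", "sp-recon-4", "0004"),
    # Same actor, same hour, but a different activity: must be filtered out.
    _row(D.replace(hour=10, minute=20), "user", "attacker@example.com", "app-x", "0201",
         activity="Update application"),
    # App with no user UPN, three SPs in one minute: exercises the app fallback and the
    # DurationMinutes == 0 guard in the rate calculation.
    _row(D.replace(hour=14, minute=0), "app", "Deployment Pipeline", "svc-a", "0101"),
    _row(D.replace(hour=14, minute=0), "app", "Deployment Pipeline", "svc-b", "0102"),
    _row(D.replace(hour=14, minute=0), "app", "Deployment Pipeline", "svc-c", "0103"),
    # Admin creating two SPs half an hour apart: below the threshold.
    _row(D.replace(hour=9, minute=10), "user", "admin@example.com", "sp-backup", "0401"),
    _row(D.replace(hour=9, minute=40), "user", "admin@example.com", "sp-monitor", "0402"),
    # Four SPs in four minutes straddling the 11:00/12:00 boundary: two per fixed hour bin.
    _row(D.replace(hour=11, minute=58), "user", "straddle@example.com", "sp-s1", "0501"),
    _row(D.replace(hour=11, minute=59), "user", "straddle@example.com", "sp-s2", "0502"),
    _row(D.replace(hour=12, minute=1), "user", "straddle@example.com", "sp-s3", "0503"),
    _row(D.replace(hour=12, minute=2), "user", "straddle@example.com", "sp-s4", "0504"),
    # Older than the one-day lookback: must be filtered out.
    _row(datetime(2026, 4, 4, 10, 0), "user", "attacker@example.com", "sp-old", "0301"),
]


def resolve_actor(initiated_by):
    """Mirror the query's Actor column: prefer the user UPN, fall back to the app display name."""
    upn = (initiated_by.get("user") or {}).get("userPrincipalName") or ""
    return upn if upn else (initiated_by.get("app") or {}).get("displayName") or ""


def hour_bin(ts):
    """Equivalent of bin(TimeGenerated, 1h): truncate to the clock hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def detect_bulk_sp_creation(rows, now, lookback=timedelta(days=1), threshold=3):
    """Replay the HQ-004 pipeline: filter, derive Actor, group by (Actor, hour), threshold, rate."""
    groups = defaultdict(list)
    for row in rows:
        if row["TimeGenerated"] <= now - lookback:          # where TimeGenerated > ago(1d)
            continue
        if row["ActivityDisplayName"] != ACTIVITY:         # where ActivityDisplayName == ...
            continue
        target = (row.get("TargetResources") or [{}])[0]    # TargetResources[0]
        key = (resolve_actor(row.get("InitiatedBy") or {}), hour_bin(row["TimeGenerated"]))
        groups[key].append((row["TimeGenerated"], target.get("displayName", ""), target.get("id", "")))

    results = []
    for (actor, bucket), events in groups.items():
        if len(events) < threshold:                         # where SPCreatedCount >= 3
            continue
        times = [e[0] for e in events]
        first, last = min(times), max(times)
        # datetime_diff('minute', ...) as whole minutes between first and last creation.
        duration_min = int((last - first).total_seconds() // 60)
        rate = round(len(events) / (1.0 if duration_min == 0 else float(duration_min)), 2)
        results.append({
            "Actor": actor, "TimeGenerated": bucket, "SPCreatedCount": len(events),
            # make_set(..., 20) has no guaranteed order; sorted here so output is deterministic.
            "SPNames": sorted({e[1] for e in events})[:20],
            "SPIds": sorted({e[2] for e in events})[:20],
            "FirstCreation": first, "LastCreation": last,
            "DurationMinutes": duration_min, "RatePerMinute": rate,
        })
    results.sort(key=lambda r: r["SPCreatedCount"], reverse=True)   # order by SPCreatedCount desc
    return results


if __name__ == "__main__":
    for hit in detect_bulk_sp_creation(SAMPLE_AUDIT_LOGS, NOW):
        print(hit["Actor"], hit["SPCreatedCount"], hit["DurationMinutes"], hit["RatePerMinute"])
```

Two actors come out of the sample: the user with four creations in seven minutes and the pipeline app with three in the same minute, where the zero-duration guard keeps the rate finite. The fourth actor, who registers four service principals in four minutes across the 11:00/12:00 boundary, lands as two events in each fixed hour bucket and is not reported, because bin() aligns buckets to the clock rather than to the first event; a burst that straddles a boundary needs a sliding window or a lower threshold to be caught.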

Details

David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogs, TimeGenerated, ActivityDisplayName, InitiatedByUPN, InitiatedByApp, Actor, NewSPName, NewSPId, SPCreatedCount, SPNames, SPIds, FirstCreation, LastCreation, DurationMinutes, RatePerMinute

Operators

AuditLogs, where, >, ago, ==, extend, tostring, iff, isnotempty, summarize, count, make_set, min, max, by, bin, >=, datetime_diff, round, toreal, order by, desc