Query Details

HQ 009 App Credential Persistence Add

Query

// =========================================================================
// HQ-009: Credential Added to Existing Application Registration
// =========================================================================
// Description : Adding a new secret or certificate to an already-registered
//               application is a classic post-compromise persistence
//               technique. Attackers (MicroBurst, AADInternals, manual)
//               add credentials to high-value apps to maintain access even
//               after password resets. Filter out changes made by known 
//               CI/CD service accounts.
// MITRE ATT&CK: TA0003 Persistence
//               T1098.001 – Additional Cloud Credentials
// Tools       : MicroBurst, AADInternals, manual attacker, BurpSuite + Graph
// Severity    : High
// Data Source : AuditLogs (Azure Active Directory)
// =========================================================================

AuditLogs
| where TimeGenerated > ago(7d)
// Note: the en dash (\u2013) and the trailing space in the two "management "
// names are part of the activity name exactly as Azure AD logs it.
| where ActivityDisplayName in (
    "Update application \u2013 Certificates and secrets management ",
    "Create application \u2013 Certificates and secrets management ",
    "Add service principal credentials",
    "Update service principal")
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) has_any (
    "KeyCredentials",
    "PasswordCredentials",
    "Credential",
    "Secret",
    "Certificate")
| extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend Actor          = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend TargetApp      = tostring(TargetResources[0].displayName)
| extend TargetAppId    = tostring(TargetResources[0].id)
| extend CredType       = tostring(Prop.displayName)
| extend NewValue       = tostring(Prop.newValue)
| extend OldValue       = tostring(Prop.oldValue)
| where Result == "success"
// Optionally exclude known CI/CD automation accounts:
// | where Actor !in ("[email protected]", "terraform-sp")
| project
    TimeGenerated,
    Actor,
    TargetApp,
    TargetAppId,
    CredType,
    NewValue,
    OldValue,
    ActivityDisplayName,
    LoggedByService,
    CorrelationId
| order by TimeGenerated desc

Explanation

This query detects when new credentials (secrets or certificates) are added to existing application registrations in Azure Active Directory. Attackers use this to keep access to an application even after user passwords are reset, which makes it a persistence technique. The query focuses on high-severity events and offers an optional filter to exclude changes made by known CI/CD service accounts, to avoid false positives.

Here's a simplified breakdown of what the query does:

  1. Data Source: It uses the AuditLogs from Azure Active Directory to track changes.
  2. Time Frame: It looks at logs from the past 7 days.
  3. Activity Filter: It filters for specific activities related to managing certificates and secrets, adding service principal credentials, and updating service principals.
  4. Property Check: It checks if any of the modified properties are related to credentials, such as keys, passwords, secrets, or certificates.
  5. Actor Identification: It identifies who initiated the change, whether it's a user or an application.
  6. Target Application: It identifies the application that had its credentials modified.
  7. Credential Details: It captures the type of credential modified and the new and old values.
  8. Result Filter: It only considers successful changes.
  9. Optional Exclusion: It provides an option to exclude changes made by known automation accounts to reduce noise.
  10. Output: It projects relevant details like the time of the change, the actor, the target application, the type of credential, and the change details, and orders the results by the time of the event in descending order.
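The query projects the raw NewValue and OldValue strings; the added example below (not part of the original query or the author's page) is a small triage helper that diffs the two lists to isolate the credential that was actually added and flags unusually long lifetimes. The row and the JSON field names inside the values (KeyIdentifier, DisplayName, EndDate, KeyType) are constructed sample data and an assumption about the payload layout; adjust them to what your tenant logs.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample row shaped like the query's projected output (assumed field
# names inside OldValue/NewValue; not copied from a real tenant).
SAMPLE_ROW = {
    "TimeGenerated": "2026-04-06T10:15:00Z",
    "Actor": "alice@example.com",
    "TargetApp": "Billing-Connector",
    "CredType": "KeyCredentials",
    "OldValue": json.dumps([
        {"KeyIdentifier": "aaaa-1111", "DisplayName": "ci-cert",
         "EndDate": "2026-09-01T00:00:00Z", "KeyType": "AsymmetricX509Cert"},
    ]),
    "NewValue": json.dumps([
        {"KeyIdentifier": "aaaa-1111", "DisplayName": "ci-cert",
         "EndDate": "2026-09-01T00:00:00Z", "KeyType": "AsymmetricX509Cert"},
        {"KeyIdentifier": "bbbb-2222", "DisplayName": "backup",
         "EndDate": "2031-04-06T00:00:00Z", "KeyType": "AsymmetricX509Cert"},
    ]),
}

def _parse_creds(raw):
    """Parse a modifiedProperties value into {credential id: record}.
    Empty, non-JSON or non-list values (e.g. no prior credentials) yield {}."""
    if not raw:
        return {}
    try:
        items = json.loads(raw)
    except json.JSONDecodeError:
        return {}
    if not isinstance(items, list):
        return {}
    return {str(c.get("KeyIdentifier")): c for c in items if isinstance(c, dict)}

def _parse_ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def added_credentials(row, now_iso="2026-04-06T00:00:00Z", max_lifetime_days=365):
    """Return credentials present in NewValue but absent from OldValue, marking
    any whose expiry lies more than max_lifetime_days past now_iso."""
    now = _parse_ts(now_iso)
    old = _parse_creds(row.get("OldValue"))
    findings = []
    for key_id, cred in _parse_creds(row.get("NewValue")).items():
        if key_id in old:
            continue  # unchanged credential, not the one that was added
        end = cred.get("EndDate")
        long_lived = bool(end) and _parse_ts(end) - now > timedelta(days=max_lifetime_days)
        findings.append({"actor": row.get("Actor"), "app": row.get("TargetApp"),
                         "key_id": key_id, "name": cred.get("DisplayName"),
                         "type": cred.get("KeyType"), "expires": end,
                         "long_lived": long_lived})
    return findings
```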

Details


David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogs, Azure Active Directory, Application Registration, Credentials, Secrets, Certificate, Service Principal

Operators

AuditLogs, where, in, mv-expand, tostring, has_any, extend, iff, isnotempty, project, order by, desc
