Query Details

HUNT 10 SP Credential Rotation Anomaly

Query

// Hunt     : Hunt - Service Principal Credential Rotation Anomaly (3+ Additions per Hour, 30 Days)
// Tactics  : Persistence,CredentialAccess
// MITRE    : T1098.001
// Purpose  : Detects when 3+ SP credentials are added within a single hour by the same initiator. Attackers adding credentials to multiple SPs as part of a persistence sweep, or conducting credential stuffing against SP objects. Cross-reference with Rule-08 (SP Cred + Privileged Role).
//==========================================================================================

AuditLogs
| where TimeGenerated > ago(30d)                       // 30-day lookback
| where OperationName has_any ("Add service principal credentials", "Update application – Certificates and secrets management")
| where Result =~ "success"                            // only credential additions that actually succeeded
| extend SPName = tostring(TargetResources[0].displayName)
| extend SPId = tostring(TargetResources[0].id)
| extend Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))  // user UPN, else app name
| summarize
    CredAddCount = count(),                            // every successful addition, including repeats on the same SP
    AffectedSPs = make_set(SPName, 10),
    SPIds = make_set(SPId, 10),
    Initiators = make_set(Initiator, 5),               // always a single value here, since Initiator is a grouping key
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Initiator, bin(TimeGenerated, 1h)               // fixed clock-hour buckets, not a sliding window
| where CredAddCount >= 3
| order by CredAddCount desc

Explanation

This query is designed to detect unusual activity related to the addition of credentials to service principals (SPs) in a cloud environment. Here's a simple breakdown of what the query does:

  1. Data Source: It looks at audit logs from the past 30 days.

  2. Activity Filter: It focuses on logs where the operation involved adding or updating service principal credentials and was successful.

  3. Data Extraction: For each log entry, it extracts:

    • The name and ID of the service principal affected.
    • The user or application that initiated the action.

  4. Aggregation: It groups the data by the initiator and by each hour, counting how many credential additions occurred, and lists the affected service principals and their IDs.

  5. Anomaly Detection: It filters for cases where the same initiator performed three or more successful credential additions within a single hour, whether those additions target several service principals or the same one repeatedly.

  6. Output: The results are sorted by the number of credential additions, highlighting potential security threats where an attacker might be adding credentials to multiple service principals as part of a persistence or credential stuffing attack.

This query helps identify suspicious patterns that could indicate unauthorized access or persistence attempts in the system.
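The same filter-extract-bucket-count logic, re-implemented in Python over constructed AuditLogs-style records so the steps above can be exercised offline. This is an added example, not the page's KQL or anything from the author; the records, the initiator names and the reference time NOW are constructed, and `has_any` is simplified to an exact operation-name match. It also adds a sliding-window variant (an assumption, not part of the hunt) to show the one case the fixed hourly bins miss: a burst that straddles a clock-hour boundary.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Operation names the hunt filters on (exact match here; the KQL uses has_any)
WATCHED_OPERATIONS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
# Constructed reference time so the 30-day lookback is deterministic (assumption)
NOW = datetime(2026, 3, 12, 18, 0, tzinfo=timezone.utc)
ADD = "Add service principal credentials"
UPD = "Update application – Certificates and secrets management"


def _rec(ts, op, result, sp_name, sp_id, user=None, app=None):
    """Build one constructed record shaped like a Sentinel AuditLogs row."""
    initiated_by = {}
    if user:
        initiated_by["user"] = {"userPrincipalName": user}
    if app:
        initiated_by["app"] = {"displayName": app}
    return {"TimeGenerated": ts, "OperationName": op, "Result": result,
            "TargetResources": [{"displayName": sp_name, "id": sp_id}],
            "InitiatedBy": initiated_by}


# Constructed sample data (not real tenant logs)
SAMPLE_AUDIT_LOGS = [
    # One user adds secrets to three different SPs inside the 10:00 bin -> should fire
    _rec("2026-03-11T10:05:00+00:00", ADD, "success", "sp-billing", "sp-0001", user="svc-admin@contoso.example"),
    _rec("2026-03-11T10:20:00+00:00", ADD, "success", "sp-hr-sync", "sp-0002", user="svc-admin@contoso.example"),
    _rec("2026-03-11T10:40:00+00:00", UPD, "success", "sp-reporting", "sp-0003", user="svc-admin@contoso.example"),
    # Failed attempt and an unrelated operation in the same hour -> both filtered out, count stays 3
    _rec("2026-03-11T10:50:00+00:00", ADD, "failure", "sp-finance", "sp-0004", user="svc-admin@contoso.example"),
    _rec("2026-03-11T10:55:00+00:00", "Update service principal", "success", "sp-finance", "sp-0004", user="svc-admin@contoso.example"),
    # Single addition later in the day -> below threshold
    _rec("2026-03-11T12:00:00+00:00", ADD, "success", "sp-billing", "sp-0001", user="svc-admin@contoso.example"),
    # App-initiated rotation of two secrets -> below threshold
    _rec("2026-03-11T14:00:00+00:00", ADD, "success", "sp-ci", "sp-0010", app="rotation-pipeline"),
    _rec("2026-03-11T14:30:00+00:00", ADD, "success", "sp-ci", "sp-0010", app="rotation-pipeline"),
    # Three additions within 15 minutes that straddle the 09:00/10:00 boundary -> missed by fixed bins
    _rec("2026-03-11T09:55:00+00:00", ADD, "success", "sp-a", "sp-0020", user="ops@contoso.example"),
    _rec("2026-03-11T10:05:00+00:00", ADD, "success", "sp-b", "sp-0021", user="ops@contoso.example"),
    _rec("2026-03-11T10:10:00+00:00", ADD, "success", "sp-c", "sp-0022", user="ops@contoso.example"),
    # Outside the 30-day lookback -> excluded
    _rec("2026-01-20T10:00:00+00:00", ADD, "success", "sp-old", "sp-0030", user="svc-admin@contoso.example"),
]


def initiator_of(record):
    """coalesce(InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)."""
    by = record.get("InitiatedBy", {})
    return ((by.get("user") or {}).get("userPrincipalName")
            or (by.get("app") or {}).get("displayName") or "")


def _filtered(records, now, lookback_days):
    """Steps 1-3: lookback, operation/result filter, field extraction."""
    cutoff = now - timedelta(days=lookback_days)
    for r in records:
        ts = datetime.fromisoformat(r["TimeGenerated"])
        if ts <= cutoff or r["OperationName"] not in WATCHED_OPERATIONS:
            continue
        if r["Result"].lower() != "success":
            continue
        target = r["TargetResources"][0]
        yield ts, initiator_of(r), target["displayName"], target["id"]


def _hit(who, events):
    return {"Initiator": who, "CredAddCount": len(events),
            "AffectedSPs": sorted({e[1] for e in events}), "SPIds": sorted({e[2] for e in events}),
            "FirstSeen": min(e[0] for e in events), "LastSeen": max(e[0] for e in events)}


def hunt_fixed_bins(records, now=NOW, lookback_days=30, threshold=3):
    """Mirror of the KQL: group by (Initiator, clock hour), keep groups with >= threshold additions."""
    groups = defaultdict(list)
    for ts, who, sp_name, sp_id in _filtered(records, now, lookback_days):
        groups[(who, ts.replace(minute=0, second=0, microsecond=0))].append((ts, sp_name, sp_id))
    hits = [_hit(who, ev) for (who, _), ev in groups.items() if len(ev) >= threshold]
    return sorted(hits, key=lambda h: h["CredAddCount"], reverse=True)


def hunt_sliding_window(records, now=NOW, lookback_days=30, threshold=3, window=timedelta(hours=1)):
    """Variant (assumption): densest run of >= threshold additions per initiator in any rolling window."""
    per_initiator = defaultdict(list)
    for ts, who, sp_name, sp_id in _filtered(records, now, lookback_days):
        per_initiator[who].append((ts, sp_name, sp_id))
    hits = []
    for who, events in per_initiator.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the left edge forward
                start += 1
            run = events[start:end + 1]
            if len(run) >= threshold and (best is None or len(run) > best["CredAddCount"]):
                best = _hit(who, run)
        if best:
            hits.append(best)
    return sorted(hits, key=lambda h: h["CredAddCount"], reverse=True)


if __name__ == "__main__":
    for h in hunt_fixed_bins(SAMPLE_AUDIT_LOGS):
        print("fixed-bin hit:", h["Initiator"], h["CredAddCount"], h["AffectedSPs"])
    for h in hunt_sliding_window(SAMPLE_AUDIT_LOGS):
        print("sliding hit:  ", h["Initiator"], h["CredAddCount"], h["AffectedSPs"])
```

On the constructed data the fixed-bin version (the hunt's semantics) fires only for `svc-admin@contoso.example`; the `ops@contoso.example` burst of three additions in fifteen minutes is split across the 09:00 and 10:00 buckets and stays under the threshold in each, which the sliding-window variant surfaces. If that gap matters for your tenant, the equivalent KQL change would be a rolling-window aggregation rather than `bin(TimeGenerated, 1h)`.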

Details


David Alonso

Released: March 12, 2026

Tables

AuditLogs

Keywords

AuditLogs, TimeGenerated, OperationName, Result, SPName, SPId, Initiator, CredAddCount, AffectedSPs, SPIds, Initiators, FirstSeen, LastSeen

Operators

AuditLogs, where, has_any, =~, extend, tostring, coalesce, summarize, count, make_set, min, max, by, bin, order by, desc
