Added Credentials to Existing Application

Jul 18, 2025 · attack.t1098.001 attack.persistence ·

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

Sigma rule (View on GitHub)

 1title: Added Credentials to Existing Application
 2id: cbb67ecc-fb70-4467-9350-c910bdf7c628
 3status: test
 4description: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
 7author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 8date: 2022-05-26
 9modified: 2025-07-18
10tags:
11    - attack.t1098.001
12    - attack.persistence
13logsource:
14    product: azure
15    service: auditlogs
16detection:
17    selection:
18        properties.message:
19            - Update application – Certificates and secrets management
20            - Update Service principal/Update Application
21    condition: selection
22falsepositives:
23    - When credentials are added/removed as part of the normal working hours/workflows
24level: high

References

Microsoft Entra security operations for applications - Microsoft Entra

Learn how to monitor and alert on applications to identify security threats.

Read More

Added Credentials to Existing Application

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for applications - Microsoft Entra

Related rules