Added Credentials to Existing Application
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
Sigma rule (View on GitHub)
1title: Added Credentials to Existing Application
2id: cbb67ecc-fb70-4467-9350-c910bdf7c628
3status: test
4description: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
5references:
6 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials
7author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
8date: 2022/05/26
9tags:
10 - attack.t1098.001
11 - attack.persistence
12logsource:
13 product: azure
14 service: auditlogs
15detection:
16 selection:
17 properties.message:
18 - Update Application-Certificates and secrets management
19 - Update Service principal/Update Application
20 condition: selection
21falsepositives:
22 - When credentials are added/removed as part of the normal working hours/workflows
23level: high
References
Related rules
- Okta Identity Provider Created
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Anydesk Remote Access Software Service Installation