Added Credentials to Existing Application

Oct 17, 2023 · attack.t1098.001 attack.persistence ·

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

Sigma rule (View on GitHub)

 1title: Added Credentials to Existing Application
 2id: cbb67ecc-fb70-4467-9350-c910bdf7c628
 3status: test
 4description: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
 5references:
 6    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials
 7author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 8date: 2022/05/26
 9tags:
10    - attack.t1098.001
11    - attack.persistence
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        properties.message:
18            - Update Application-Certificates and secrets management
19            - Update Service principal/Update Application
20    condition: selection
21falsepositives:
22    - When credentials are added/removed as part of the normal working hours/workflows
23level: high

References

Microsoft Entra security operations for applications - Microsoft Entra

Learn how to monitor and alert on applications to identify security threats.

Read More

Added Credentials to Existing Application

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for applications - Microsoft Entra

Related rules