
Added Credentials to Existing Application

Detects when a new credential is added to an existing application. Credentials added outside of expected processes may indicate a malicious actor establishing access through them.

Authors: Mark Morowczynski, Bailey Bercik
Category: cloud
Log Source
Product: Azure (raw: azure)
Service: auditlogs (raw: auditlogs)
Detection Logic (1 selector)
detection:
    selection:
        properties.message:
            - Update application – Certificates and secrets management
            - Update Service principal/Update Application
    condition: selection
False Positives

When credentials are added/removed as part of the normal working hours/workflows
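To make the selection and the false-positive handling concrete, the following is an added Python example (not part of the rule or the Sigma project) that applies the rule's `properties.message` selection to constructed Azure audit events and suppresses actors known from approved workflows. The event field shape, the dash folding and the actor allowlist are assumptions of this example, not part of the rule.

```python
"""Apply the rule's 'properties.message' selection to Azure audit events (added example)."""
from typing import Any, Iterable

# The two values from the rule's selection. Sigma string matching is case-insensitive.
SELECTION_MESSAGES = (
    "Update application – Certificates and secrets management",
    "Update Service principal/Update Application",
)

def get_field(event: dict[str, Any], dotted: str) -> Any:
    """Resolve a Sigma dotted field name such as 'properties.message'."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def normalize(text: str) -> str:
    # Case folding mirrors Sigma; folding en/em dashes to '-' is an added hardening
    # assumption so a pipeline that rewrites the dash in the Azure message still matches.
    return text.replace("\u2013", "-").replace("\u2014", "-").casefold()

MATCH_SET = {normalize(m) for m in SELECTION_MESSAGES}

def matches_rule(event: dict[str, Any]) -> bool:
    msg = get_field(event, "properties.message")
    return isinstance(msg, str) and normalize(msg) in MATCH_SET

def alerts(events: Iterable[dict[str, Any]], expected_actors: frozenset = frozenset()) -> list[dict[str, Any]]:
    """Alert on matching events, suppressing actors known from approved workflows
    (the allowlist is one way to handle the rule's False Positives note)."""
    out = []
    for ev in events:
        actor = ev.get("initiatedBy", "unknown")
        if matches_rule(ev) and actor not in expected_actors:
            out.append({"actor": actor, "target": ev.get("target"), "message": get_field(ev, "properties.message")})
    return out

# Constructed sample events (not real log data); only the fields this example reads are present.
SAMPLE_EVENTS = [
    {"initiatedBy": "svc-cicd@example.com", "target": "app-deploy",
     "properties": {"message": "Update application – Certificates and secrets management"}},
    {"initiatedBy": "jdoe@example.com", "target": "finance-api",
     "properties": {"message": "update service principal/update application"}},
    {"initiatedBy": "jdoe@example.com", "target": "finance-api",
     "properties": {"message": "Add owner to application"}},
    {"initiatedBy": "admin@example.com", "target": "legacy-app",
     "properties": {"message": "Update application - Certificates and secrets management"}},
]
```

Three of the four constructed events match (one only through case folding, one only through dash folding); passing the CI/CD account as an expected actor leaves two alerts.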

Rule Metadata
Rule ID: cbb67ecc-fb70-4467-9350-c910bdf7c628
Status: test
Level: high
Type: Detection
Created: Thu May 26
Modified: Fri Jul 18
Path: rules/cloud/azure/audit_logs/azure_app_credential_added.yml
Tags: attack.privilege-escalation, attack.t1098.001, attack.persistence