detecting-azure-service-principal-abuse
在 Microsoft Entra ID 环境中检测和调查 Azure 服务主体滥用,包括权限提升、凭据入侵、管理员同意绕过和未授权枚举。
Best use case
detecting-azure-service-principal-abuse is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
在 Microsoft Entra ID 环境中检测和调查 Azure 服务主体滥用,包括权限提升、凭据入侵、管理员同意绕过和未授权枚举。
Teams using detecting-azure-service-principal-abuse should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/detecting-azure-service-principal-abuse/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How detecting-azure-service-principal-abuse Compares
| Feature / Agent | detecting-azure-service-principal-abuse | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
在 Microsoft Entra ID 环境中检测和调查 Azure 服务主体滥用,包括权限提升、凭据入侵、管理员同意绕过和未授权枚举。
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# 检测 Azure 服务主体滥用
## 概述
Azure 服务主体是应用程序、服务和自动化工具用于访问 Azure 资源的身份对象。攻击者利用服务主体进行权限提升、横向移动和持久访问。关键滥用模式包括:向现有主体添加凭据、分配特权角色、绕过管理员同意以及枚举服务主体以寻找攻击路径。应用程序所有权授予管理凭据和配置权限的能力,从而产生隐藏的权限提升路径。
## 前置条件
- 具有 Microsoft Entra ID P2 许可证的 Azure 订阅
- 访问 Azure AD 审计日志和登录日志的权限
- 用于基于 SIEM 检测的 Microsoft Sentinel 或 Splunk
- 用于调查的 Microsoft Graph API 权限
- 至少具有全局读取者或安全读取者角色
## 关键滥用模式
### 1. 向服务主体添加新凭据
攻击者添加新的客户端密钥或证书以获得持久访问:
**检测查询(KQL - Sentinel):**
```kql
AuditLogs
| where OperationName has "Add service principal credentials"
or OperationName has "Update application - Certificates and secrets management"
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend TargetSP = tostring(TargetResources[0].displayName)
| extend TargetSPId = tostring(TargetResources[0].id)
| project TimeGenerated, InitiatedBy, OperationName, TargetSP, TargetSPId
| sort by TimeGenerated desc
```
**检测查询(SPL - Splunk):**
```spl
index=azure sourcetype="azure:aad:audit"
operationName="Add service principal credentials"
OR operationName="Update application*Certificates and secrets*"
| stats count by initiatedBy.user.userPrincipalName, targetResources{}.displayName, _time
| sort -_time
```
### 2. 向服务主体分配特权角色
```kql
AuditLogs
| where OperationName == "Add member to role"
| extend RoleName = tostring(TargetResources[0].modifiedProperties[1].newValue)
| where RoleName has_any ("Global Administrator", "Application Administrator",
"Privileged Role Administrator", "Cloud Application Administrator")
| extend TargetSP = tostring(TargetResources[0].displayName)
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, InitiatedBy, TargetSP, RoleName, OperationName
```
### 3. 服务主体枚举检测
```kql
MicrosoftGraphActivityLogs
| where RequestMethod == "GET"
| where RequestUri has "/servicePrincipals"
| summarize RequestCount = count() by UserAgent, IPAddress, bin(TimeGenerated, 1h)
| where RequestCount > 10
| sort by RequestCount desc
```
### 4. 管理员同意绕过
```kql
AuditLogs
| where OperationName == "Consent to application"
| extend ConsentType = tostring(TargetResources[0].modifiedProperties[4].newValue)
| where ConsentType has "AllPrincipals"
| extend AppName = tostring(TargetResources[0].displayName)
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, InitiatedBy, AppName, ConsentType
```
### 5. OAuth 应用权限提升
```kql
AuditLogs
| where OperationName == "Add app role assignment to service principal"
| extend AppRoleValue = tostring(TargetResources[0].modifiedProperties[1].newValue)
| where AppRoleValue has_any ("RoleManagement.ReadWrite.Directory",
"Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
"Directory.ReadWrite.All", "Mail.ReadWrite")
| extend TargetApp = tostring(TargetResources[0].displayName)
| project TimeGenerated, TargetApp, AppRoleValue, CorrelationId
```
## 调查程序
### 步骤 1:识别受损的服务主体
```powershell
# 列出最近添加了凭据的服务主体
Connect-MgGraph -Scopes "Application.Read.All"
$suspiciousSPs = Get-MgServicePrincipal -All | ForEach-Object {
$sp = $_
$creds = Get-MgServicePrincipalPasswordCredential -ServicePrincipalId $sp.Id
$recentCreds = $creds | Where-Object { $_.StartDateTime -gt (Get-Date).AddDays(-7) }
if ($recentCreds) {
[PSCustomObject]@{
DisplayName = $sp.DisplayName
AppId = $sp.AppId
ObjectId = $sp.Id
NewCredsCount = $recentCreds.Count
LatestCredAdded = ($recentCreds | Sort-Object StartDateTime -Descending | Select-Object -First 1).StartDateTime
}
}
}
$suspiciousSPs | Sort-Object LatestCredAdded -Descending
```
### 步骤 2:查看服务主体角色分配
```powershell
# 检查特定服务主体的角色分配
$spId = "<service-principal-object-id>"
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId | ForEach-Object {
$resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
[PSCustomObject]@{
AppRoleId = $_.AppRoleId
ResourceDisplayName = $resource.DisplayName
CreatedDateTime = $_.CreatedDateTime
}
}
```
### 步骤 3:检查应用程序所有权
```powershell
# 列出所有应用程序的所有者(所有权 = 凭据控制权)
Get-MgApplication -All | ForEach-Object {
$app = $_
$owners = Get-MgApplicationOwner -ApplicationId $app.Id
foreach ($owner in $owners) {
[PSCustomObject]@{
AppName = $app.DisplayName
AppId = $app.AppId
OwnerUPN = $owner.AdditionalProperties.userPrincipalName
OwnerType = $owner.AdditionalProperties.'@odata.type'
}
}
} | Where-Object { $_.OwnerUPN -ne $null }
```
### 步骤 4:查看登录活动
```kql
AADServicePrincipalSignInLogs
| where ServicePrincipalId == "<target-sp-id>"
| project TimeGenerated, ServicePrincipalName, IPAddress, Location,
ResourceDisplayName, Status.errorCode
| sort by TimeGenerated desc
```
## 预防控制
### 限制应用程序注册
```powershell
# 禁用用户注册应用程序的能力
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
AllowedToCreateApps = $false
}
```
### 配置应用同意策略
```powershell
# 要求对所有应用同意请求进行管理员审批
New-MgPolicyPermissionGrantPolicy -Id "admin-only-consent" `
-DisplayName "Admin Only Consent" `
-Description "Only admins can consent to applications"
```
### 使用 Microsoft Sentinel 分析规则进行监控
创建以下分析规则:
- 新服务主体凭据添加
- 向服务主体分配特权角色
- 批量服务主体枚举
- 向未知应用程序授予管理员同意
- 来自异常位置的服务主体登录
## MITRE ATT&CK 映射
| 技术 | ID | 描述 |
|------|----|------|
| 账户操控:附加云凭据(Account Manipulation: Additional Cloud Credentials) | T1098.001 | 向服务主体添加凭据 |
| 有效账户:云账户(Valid Accounts: Cloud Accounts) | T1078.004 | 使用受损的服务主体 |
| 账户发现:云账户(Account Discovery: Cloud Account) | T1087.004 | 枚举服务主体 |
| 窃取应用程序访问令牌(Steal Application Access Token) | T1528 | 通过服务主体窃取 OAuth 令牌 |
## 参考资料
- Splunk Detection: Azure AD Service Principal Abuse
- Semperis: Service Principal Ownership Abuse in Entra ID
- MITRE ATT&CK Cloud Matrix
- Microsoft: Securing service principals in Entra IDRelated Skills
performing-soap-web-service-security-testing
通过分析 WSDL 定义,测试 XML 注入(XML Injection)、XXE、WS-Security 绕过和 SOAPAction 欺骗,对 SOAP Web 服务执行安全测试。
performing-service-account-credential-rotation
跨 Active Directory、云平台和应用程序数据库自动化服务账户凭据轮换,消除陈旧密钥并降低泄露风险。
performing-service-account-audit
审计企业基础设施中的服务账户,识别孤立账户、过度特权账户和不合规账户。本技能涵盖在 Active Directory、云平台中发现服务账户,评估权限级别,识别缺失负责人,以及执行生命周期策略。
implementing-privileged-identity-management-with-azure
使用 Microsoft Graph API 配置 Azure AD 特权身份管理(PIM),管理符合条件的角色分配、即时激活、访问审查,以及用于零信任特权访问的角色管理策略。
implementing-mtls-for-zero-trust-services
使用 Python cryptography 库进行证书生成,使用 ssl 模块进行 TLS 验证, 配置微服务之间的双向 TLS(mTLS)身份验证。验证证书链、检查过期情况, 并审计 mTLS 部署状态。适用于实现零信任服务间身份验证的场景。
implementing-conditional-access-policies-azure-ad
为零信任访问控制配置 Microsoft Entra ID(Azure AD)条件访问策略,涵盖基于信号的策略设计、设备合规要求、基于风险的认证、命名位置、会话控制以及与 NIST SP 1800-35 零信任架构的集成。
implementing-azure-defender-for-cloud
实施 Microsoft Defender for Cloud,为虚拟机、容器、数据库和存储启用云安全态势管理和工作负载保护,配置安全建议,并通过自动修复设置自适应安全控制。
implementing-azure-ad-privileged-identity-management
配置 Microsoft Entra 特权身份管理(PIM)以强制执行即时角色激活(Just-in-Time)、审批工作流和 Azure AD 特权角色的访问审查。
implementing-api-abuse-detection-with-rate-limiting
使用令牌桶、滑动窗口和自适应速率限制算法实现API滥用检测,防止DDoS、暴力破解和凭据填充攻击。
hunting-for-unusual-service-installations
通过解析系统事件日志中的事件 ID 7045、分析服务二进制路径并识别持久化机制指标,检测可疑 Windows 服务安装(MITRE ATT&CK T1543.003)。
exploiting-constrained-delegation-abuse
利用活动目录中的 Kerberos 约束委派(Constrained Delegation)错误配置,通过 S4U2self 和 S4U2proxy 扩展模拟特权用户,实现横向移动和权限提升。
exploiting-active-directory-certificate-services-esc1
在授权红队评估中,利用活动目录证书服务(AD CS)的 ESC1 错误配置漏洞,以高权限用户身份申请证书并提升域权限。