detecting-azure-service-principal-abuse

在 Microsoft Entra ID 环境中检测和调查 Azure 服务主体滥用,包括权限提升、凭据入侵、管理员同意绕过和未授权枚举。

9 stars

Best use case

detecting-azure-service-principal-abuse is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

在 Microsoft Entra ID 环境中检测和调查 Azure 服务主体滥用,包括权限提升、凭据入侵、管理员同意绕过和未授权枚举。

Teams using detecting-azure-service-principal-abuse should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/detecting-azure-service-principal-abuse/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/detecting-azure-service-principal-abuse/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/detecting-azure-service-principal-abuse/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How detecting-azure-service-principal-abuse Compares

Feature / Agentdetecting-azure-service-principal-abuseStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

在 Microsoft Entra ID 环境中检测和调查 Azure 服务主体滥用,包括权限提升、凭据入侵、管理员同意绕过和未授权枚举。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 检测 Azure 服务主体滥用

## 概述

Azure 服务主体是应用程序、服务和自动化工具用于访问 Azure 资源的身份对象。攻击者利用服务主体进行权限提升、横向移动和持久访问。关键滥用模式包括:向现有主体添加凭据、分配特权角色、绕过管理员同意以及枚举服务主体以寻找攻击路径。应用程序所有权授予管理凭据和配置权限的能力,从而产生隐藏的权限提升路径。

## 前置条件

- 具有 Microsoft Entra ID P2 许可证的 Azure 订阅
- 访问 Azure AD 审计日志和登录日志的权限
- 用于基于 SIEM 检测的 Microsoft Sentinel 或 Splunk
- 用于调查的 Microsoft Graph API 权限
- 至少具有全局读取者或安全读取者角色

## 关键滥用模式

### 1. 向服务主体添加新凭据

攻击者添加新的客户端密钥或证书以获得持久访问:

**检测查询(KQL - Sentinel):**
```kql
AuditLogs
| where OperationName has "Add service principal credentials"
    or OperationName has "Update application - Certificates and secrets management"
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend TargetSP = tostring(TargetResources[0].displayName)
| extend TargetSPId = tostring(TargetResources[0].id)
| project TimeGenerated, InitiatedBy, OperationName, TargetSP, TargetSPId
| sort by TimeGenerated desc
```

**检测查询(SPL - Splunk):**
```spl
index=azure sourcetype="azure:aad:audit"
operationName="Add service principal credentials"
    OR operationName="Update application*Certificates and secrets*"
| stats count by initiatedBy.user.userPrincipalName, targetResources{}.displayName, _time
| sort -_time
```

### 2. 向服务主体分配特权角色

```kql
AuditLogs
| where OperationName == "Add member to role"
| extend RoleName = tostring(TargetResources[0].modifiedProperties[1].newValue)
| where RoleName has_any ("Global Administrator", "Application Administrator",
    "Privileged Role Administrator", "Cloud Application Administrator")
| extend TargetSP = tostring(TargetResources[0].displayName)
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, InitiatedBy, TargetSP, RoleName, OperationName
```

### 3. 服务主体枚举检测

```kql
MicrosoftGraphActivityLogs
| where RequestMethod == "GET"
| where RequestUri has "/servicePrincipals"
| summarize RequestCount = count() by UserAgent, IPAddress, bin(TimeGenerated, 1h)
| where RequestCount > 10
| sort by RequestCount desc
```

### 4. 管理员同意绕过

```kql
AuditLogs
| where OperationName == "Consent to application"
| extend ConsentType = tostring(TargetResources[0].modifiedProperties[4].newValue)
| where ConsentType has "AllPrincipals"
| extend AppName = tostring(TargetResources[0].displayName)
| extend InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, InitiatedBy, AppName, ConsentType
```

### 5. OAuth 应用权限提升

```kql
AuditLogs
| where OperationName == "Add app role assignment to service principal"
| extend AppRoleValue = tostring(TargetResources[0].modifiedProperties[1].newValue)
| where AppRoleValue has_any ("RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
    "Directory.ReadWrite.All", "Mail.ReadWrite")
| extend TargetApp = tostring(TargetResources[0].displayName)
| project TimeGenerated, TargetApp, AppRoleValue, CorrelationId
```

## 调查程序

### 步骤 1:识别受损的服务主体

```powershell
# 列出最近添加了凭据的服务主体
Connect-MgGraph -Scopes "Application.Read.All"

$suspiciousSPs = Get-MgServicePrincipal -All | ForEach-Object {
    $sp = $_
    $creds = Get-MgServicePrincipalPasswordCredential -ServicePrincipalId $sp.Id
    $recentCreds = $creds | Where-Object { $_.StartDateTime -gt (Get-Date).AddDays(-7) }
    if ($recentCreds) {
        [PSCustomObject]@{
            DisplayName = $sp.DisplayName
            AppId = $sp.AppId
            ObjectId = $sp.Id
            NewCredsCount = $recentCreds.Count
            LatestCredAdded = ($recentCreds | Sort-Object StartDateTime -Descending | Select-Object -First 1).StartDateTime
        }
    }
}
$suspiciousSPs | Sort-Object LatestCredAdded -Descending
```

### 步骤 2:查看服务主体角色分配

```powershell
# 检查特定服务主体的角色分配
$spId = "<service-principal-object-id>"
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId | ForEach-Object {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
    [PSCustomObject]@{
        AppRoleId = $_.AppRoleId
        ResourceDisplayName = $resource.DisplayName
        CreatedDateTime = $_.CreatedDateTime
    }
}
```

### 步骤 3:检查应用程序所有权

```powershell
# 列出所有应用程序的所有者(所有权 = 凭据控制权)
Get-MgApplication -All | ForEach-Object {
    $app = $_
    $owners = Get-MgApplicationOwner -ApplicationId $app.Id
    foreach ($owner in $owners) {
        [PSCustomObject]@{
            AppName = $app.DisplayName
            AppId = $app.AppId
            OwnerUPN = $owner.AdditionalProperties.userPrincipalName
            OwnerType = $owner.AdditionalProperties.'@odata.type'
        }
    }
} | Where-Object { $_.OwnerUPN -ne $null }
```

### 步骤 4:查看登录活动

```kql
AADServicePrincipalSignInLogs
| where ServicePrincipalId == "<target-sp-id>"
| project TimeGenerated, ServicePrincipalName, IPAddress, Location,
    ResourceDisplayName, Status.errorCode
| sort by TimeGenerated desc
```

## 预防控制

### 限制应用程序注册

```powershell
# 禁用用户注册应用程序的能力
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    AllowedToCreateApps = $false
}
```

### 配置应用同意策略

```powershell
# 要求对所有应用同意请求进行管理员审批
New-MgPolicyPermissionGrantPolicy -Id "admin-only-consent" `
    -DisplayName "Admin Only Consent" `
    -Description "Only admins can consent to applications"
```

### 使用 Microsoft Sentinel 分析规则进行监控

创建以下分析规则:
- 新服务主体凭据添加
- 向服务主体分配特权角色
- 批量服务主体枚举
- 向未知应用程序授予管理员同意
- 来自异常位置的服务主体登录

## MITRE ATT&CK 映射

| 技术 | ID | 描述 |
|------|----|------|
| 账户操控:附加云凭据(Account Manipulation: Additional Cloud Credentials) | T1098.001 | 向服务主体添加凭据 |
| 有效账户:云账户(Valid Accounts: Cloud Accounts) | T1078.004 | 使用受损的服务主体 |
| 账户发现:云账户(Account Discovery: Cloud Account) | T1087.004 | 枚举服务主体 |
| 窃取应用程序访问令牌(Steal Application Access Token) | T1528 | 通过服务主体窃取 OAuth 令牌 |

## 参考资料

- Splunk Detection: Azure AD Service Principal Abuse
- Semperis: Service Principal Ownership Abuse in Entra ID
- MITRE ATT&CK Cloud Matrix
- Microsoft: Securing service principals in Entra ID

Related Skills

performing-soap-web-service-security-testing

9
from killvxk/cybersecurity-skills-zh

通过分析 WSDL 定义,测试 XML 注入(XML Injection)、XXE、WS-Security 绕过和 SOAPAction 欺骗,对 SOAP Web 服务执行安全测试。

performing-service-account-credential-rotation

9
from killvxk/cybersecurity-skills-zh

跨 Active Directory、云平台和应用程序数据库自动化服务账户凭据轮换,消除陈旧密钥并降低泄露风险。

performing-service-account-audit

9
from killvxk/cybersecurity-skills-zh

审计企业基础设施中的服务账户,识别孤立账户、过度特权账户和不合规账户。本技能涵盖在 Active Directory、云平台中发现服务账户,评估权限级别,识别缺失负责人,以及执行生命周期策略。

implementing-privileged-identity-management-with-azure

9
from killvxk/cybersecurity-skills-zh

使用 Microsoft Graph API 配置 Azure AD 特权身份管理(PIM),管理符合条件的角色分配、即时激活、访问审查,以及用于零信任特权访问的角色管理策略。

implementing-mtls-for-zero-trust-services

9
from killvxk/cybersecurity-skills-zh

使用 Python cryptography 库进行证书生成,使用 ssl 模块进行 TLS 验证, 配置微服务之间的双向 TLS(mTLS)身份验证。验证证书链、检查过期情况, 并审计 mTLS 部署状态。适用于实现零信任服务间身份验证的场景。

implementing-conditional-access-policies-azure-ad

9
from killvxk/cybersecurity-skills-zh

为零信任访问控制配置 Microsoft Entra ID(Azure AD)条件访问策略,涵盖基于信号的策略设计、设备合规要求、基于风险的认证、命名位置、会话控制以及与 NIST SP 1800-35 零信任架构的集成。

implementing-azure-defender-for-cloud

9
from killvxk/cybersecurity-skills-zh

实施 Microsoft Defender for Cloud,为虚拟机、容器、数据库和存储启用云安全态势管理和工作负载保护,配置安全建议,并通过自动修复设置自适应安全控制。

implementing-azure-ad-privileged-identity-management

9
from killvxk/cybersecurity-skills-zh

配置 Microsoft Entra 特权身份管理(PIM)以强制执行即时角色激活(Just-in-Time)、审批工作流和 Azure AD 特权角色的访问审查。

implementing-api-abuse-detection-with-rate-limiting

9
from killvxk/cybersecurity-skills-zh

使用令牌桶、滑动窗口和自适应速率限制算法实现API滥用检测,防止DDoS、暴力破解和凭据填充攻击。

hunting-for-unusual-service-installations

9
from killvxk/cybersecurity-skills-zh

通过解析系统事件日志中的事件 ID 7045、分析服务二进制路径并识别持久化机制指标,检测可疑 Windows 服务安装(MITRE ATT&CK T1543.003)。

exploiting-constrained-delegation-abuse

9
from killvxk/cybersecurity-skills-zh

利用活动目录中的 Kerberos 约束委派(Constrained Delegation)错误配置,通过 S4U2self 和 S4U2proxy 扩展模拟特权用户,实现横向移动和权限提升。

exploiting-active-directory-certificate-services-esc1

9
from killvxk/cybersecurity-skills-zh

在授权红队评估中,利用活动目录证书服务(AD CS)的 ESC1 错误配置漏洞,以高权限用户身份申请证书并提升域权限。