Adversaries may add uncommon credential types to applications as part of lateral movement or persistence, leveraging these credentials to maintain access within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential Nobelium campaign activity and mitigate unauthorized access risks.
KQL Query

```kql
CloudAppEvents
| where Application == "Office 365"
| where ActionType in ("Add service principal credentials.", "Update application - Certificates and secrets management ")
| project Timestamp, RawEventData, AccountDisplayName, ActionType, AccountObjectId
// ModifiedProperties[0] holds the KeyDescription change: the credential list before and after
| extend ModifiedProperties = RawEventData.ModifiedProperties[0]
| extend NewValue = ModifiedProperties.NewValue, OldValue = ModifiedProperties.OldValue, Name = ModifiedProperties.Name
| project Timestamp, AccountDisplayName, ActionType, NewValue, OldValue, RawEventData, AccountObjectId
// Flag a Password secret added to an app that previously only had certificates, or vice versa
| where (NewValue has "KeyType=Password" and OldValue !has "KeyType=Password" and OldValue has "AsymmetricX509Cert") or (NewValue has "AsymmetricX509Cert" and OldValue !has "AsymmetricX509Cert" and OldValue has "KeyType=Password")
// The credential(s) present only after the change are the ones that were added
| extend NewSecret = set_difference(todynamic(parse_json(tostring(NewValue))), todynamic(parse_json(tostring(OldValue))))
| project Timestamp, ActionType, ActorType = RawEventData.Actor[-1].ID, ObjectId = RawEventData.Actor[-2].ID, AccountDisplayName, AccountObjectId, AppName = RawEventData.Target[3].ID, AppObjectId = RawEventData.Target[1].ID, NewSecret = NewSecret[0], RawEventData
```
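To make the query's logic concrete, and to show how the exclusions from the false-positive scenarios later on this page could be applied, here is an added Python example that is not part of the original hunting query or the Microsoft Sentinel repository. It replays the same filtering over a few constructed CloudAppEvents-shaped rows (the GUIDs, display names and application names are placeholders invented for the example). Substring checks stand in for KQL `has`, and the `allowlisted_actor_ids` parameter is a hypothetical tuning knob that the original query does not have.

```python
import json

# Action types the hunt keys on (values taken from the KQL query on this page)
ACTION_TYPES = {
    "Add service principal credentials.",
    "Update application - Certificates and secrets management ",
}


def parse_credential_list(value):
    """NewValue/OldValue carry a JSON-encoded array of credential descriptor
    strings; return it as a list (empty on missing or unparsable input).
    Mirrors todynamic(parse_json(tostring(...))) in the KQL."""
    if not value:
        return []
    try:
        parsed = json.loads(value)
    except (TypeError, json.JSONDecodeError):
        return []
    return [str(x) for x in parsed] if isinstance(parsed, list) else [str(parsed)]


def is_uncommon_type_switch(new_value, old_value):
    """True when a Password secret is added to an app that only had
    AsymmetricX509Cert credentials, or a certificate is added to an app that
    only had Password secrets. Substring checks approximate KQL 'has'."""
    new_s, old_s = new_value or "", old_value or ""
    password_added = ("KeyType=Password" in new_s
                      and "KeyType=Password" not in old_s
                      and "AsymmetricX509Cert" in old_s)
    cert_added = ("AsymmetricX509Cert" in new_s
                  and "AsymmetricX509Cert" not in old_s
                  and "KeyType=Password" in old_s)
    return password_added or cert_added


def hunt(events, allowlisted_actor_ids=frozenset()):
    """Apply the page's hunt to CloudAppEvents-shaped rows. allowlisted_actor_ids
    is a hypothetical exclusion list (not in the original query) for known
    automation or admin principals, as the false-positive scenarios suggest."""
    hits = []
    for ev in events:
        if ev.get("Application") != "Office 365" or ev.get("ActionType") not in ACTION_TYPES:
            continue
        raw = ev.get("RawEventData") or {}
        props = raw.get("ModifiedProperties") or []
        if not props:
            continue
        new_value, old_value = props[0].get("NewValue"), props[0].get("OldValue")
        if not is_uncommon_type_switch(new_value, old_value):
            continue
        # set_difference(new, old): credentials present only after the change
        old_set = set(parse_credential_list(old_value))
        new_secret = [c for c in parse_credential_list(new_value) if c not in old_set]
        actor, target = raw.get("Actor") or [], raw.get("Target") or []
        object_id = actor[-2].get("ID") if len(actor) >= 2 else None
        if object_id in allowlisted_actor_ids:
            continue
        hits.append({
            "Timestamp": ev.get("Timestamp"),
            "ActionType": ev.get("ActionType"),
            "ActorType": actor[-1].get("ID") if actor else None,   # Actor[-1].ID
            "ObjectId": object_id,                                  # Actor[-2].ID
            "AccountDisplayName": ev.get("AccountDisplayName"),
            "AppName": target[3].get("ID") if len(target) > 3 else None,      # Target[3].ID
            "AppObjectId": target[1].get("ID") if len(target) > 1 else None,  # Target[1].ID
            "NewSecret": new_secret[0] if new_secret else None,
        })
    return hits


# Constructed credential lists in the KeyDescription format (placeholder identifiers)
CERT_ONLY = ('["[KeyIdentifier=11111111-1111-1111-1111-111111111111,'
             'KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=legacy-cert]"]')
CERT_PLUS_PASSWORD = (CERT_ONLY[:-1] + ',"[KeyIdentifier=22222222-2222-2222-2222-222222222222,'
                      'KeyType=Password,KeyUsage=Verify,DisplayName=Password uploaded on 2021-01-01]"]')
PASSWORD_ONLY = ('["[KeyIdentifier=33333333-3333-3333-3333-333333333333,'
                 'KeyType=Password,KeyUsage=Verify,DisplayName=existing secret]"]')
TWO_PASSWORDS = (PASSWORD_ONLY[:-1] + ',"[KeyIdentifier=44444444-4444-4444-4444-444444444444,'
                 'KeyType=Password,KeyUsage=Verify,DisplayName=rotated secret]"]')
PASSWORD_PLUS_CERT = (PASSWORD_ONLY[:-1] + ',"[KeyIdentifier=55555555-5555-5555-5555-555555555555,'
                      'KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=devops-cert]"]')


def make_event(ts, action, new_value, old_value, actor_object_id, app_name):
    """Build one constructed CloudAppEvents-shaped row (sample data, not real tenant data)."""
    return {
        "Timestamp": ts, "Application": "Office 365", "ActionType": action,
        "AccountDisplayName": "admin@contoso.example", "AccountObjectId": actor_object_id,
        "RawEventData": {
            "Actor": [{"ID": "admin@contoso.example", "Type": 5},
                      {"ID": actor_object_id, "Type": 2}, {"ID": "User", "Type": 1}],
            "Target": [{"ID": "ServicePrincipal", "Type": 2},
                       {"ID": "aaaaaaaa-0000-0000-0000-000000000001", "Type": 2},
                       {"ID": "ServicePrincipal", "Type": 2}, {"ID": app_name, "Type": 1}],
            "ModifiedProperties": [{"Name": "KeyDescription", "NewValue": new_value, "OldValue": old_value}],
        },
    }


SAMPLE_EVENTS = [
    # password secret added to a certificate-only app: the Nobelium pattern, should hit
    make_event("2021-01-01T10:00:00Z", "Add service principal credentials.", CERT_PLUS_PASSWORD, CERT_ONLY,
               "bbbbbbbb-0000-0000-0000-000000000001", "Legacy Mail Connector"),
    # second password added to an app that already used passwords: common type, no hit
    make_event("2021-01-01T10:05:00Z", "Add service principal credentials.", TWO_PASSWORDS, PASSWORD_ONLY,
               "bbbbbbbb-0000-0000-0000-000000000001", "Ticketing Bot"),
    # certificate added to a password-only app by a DevOps automation principal: hits unless allowlisted
    make_event("2021-01-01T10:10:00Z", "Update application - Certificates and secrets management ",
               PASSWORD_PLUS_CERT, PASSWORD_ONLY, "bbbbbbbb-0000-0000-0000-000000000002", "Build Pipeline"),
    # unrelated action type: filtered out before credential inspection
    make_event("2021-01-01T10:15:00Z", "Update application.", CERT_PLUS_PASSWORD, CERT_ONLY,
               "bbbbbbbb-0000-0000-0000-000000000001", "Legacy Mail Connector"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, allowlisted_actor_ids={"bbbbbbbb-0000-0000-0000-000000000002"}):
        print(hit["Timestamp"], hit["AppName"], hit["NewSecret"])
```

Run as-is, the script reports only the first event once the DevOps principal is allowlisted; without the allowlist the third event is reported too, which is the trade-off the tuning scenarios below describe.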
```yaml
id: 63a191f4-a0ad-4ed7-b994-24ffc89b3596
name: Add uncommon credential type to application [Nobelium]
description: |
  The query looks for users or service principals that attached an uncommon credential type to an application.
  As part of the Nobelium campaign, the attacker added credentials to already existing applications and used the application permissions to extract users' mails.
  See How to: Use the portal to create a Microsoft Entra ID application and service principal that can access resources.
  Reference - https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - Privilege escalation
tags:
  - Nobelium
query: |
  CloudAppEvents
  | where Application == "Office 365"
  | where ActionType in ("Add service principal credentials.", "Update application - Certificates and secrets management ")
  | project Timestamp, RawEventData, AccountDisplayName, ActionType, AccountObjectId
  | extend ModifiedProperties = RawEventData.ModifiedProperties[0]
  | extend NewValue = ModifiedProperties.NewValue, OldValue = ModifiedProperties.OldValue, Name = ModifiedProperties.Name
  | project Timestamp, AccountDisplayName, ActionType, NewValue, OldValue, RawEventData, AccountObjectId
  | where (NewValue has "KeyType=Password" and OldValue !has "KeyType=Password" and OldValue has "AsymmetricX509Cert") or (NewValue has "AsymmetricX509Cert" and OldValue !has "AsymmetricX509Cert" and OldValue has "KeyType=Password")
  | extend NewSecret = set_difference(todynamic(parse_json(tostring(NewValue))), todynamic(parse_json(tostring(OldValue))))
  | project Timestamp, ActionType, ActorType = RawEventData.Actor[-1].ID, ObjectId = RawEventData.Actor[-2].ID, AccountDisplayName, AccountObjectId, AppName = RawEventData.Target[3].ID, AppObjectId = RawEventData.Target[1].ID, NewSecret = NewSecret[0], RawEventData
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job Credential Rotation
Description: A system administrator uses Azure Automation to rotate credentials for a legacy application. The new credential type (e.g., certificate-based authentication) is uncommon for the application.
Filter/Exclusion: aad_subject_type = 'user' and activity_name contains 'credential rotation' or caller_azure_guid in (list of admin service principals)
Scenario: Service Principal Created for DevOps Tool Integration
Description: A DevOps team creates a service principal for integrating with Azure DevOps or Jenkins, and attaches an uncommon credential type (e.g., certificate) for secure communication.
Filter/Exclusion: caller_azure_guid in (list of DevOps tool service principals) or activity_name contains 'DevOps integration'
Scenario: Admin Task to Secure Application with Certificate
Description: An admin manually configures an application to use a certificate-based credential for enhanced security, which is not typical for the application.
Filter/Exclusion: caller_azure_guid in (list of admin service principals) and activity_name contains 'secure application' or credential_type = 'certificate'
Scenario: Application Migration with New Credential Type
Description: During an application migration, an admin attaches a new credential type (e.g., SSH key) to the application as part of the migration process.
Filter/Exclusion: activity_name contains 'application migration' or caller_azure_guid in (list of migration tool service principals)
Scenario: Third-Party Service Integration with Uncommon Credential
Description: A third-party service (e.g., Okta, Ping Identity) is integrated with an application, and the integration requires an uncommon credential type (e.g., SAML token) for authentication.
Filter/Exclusion: `