Adversaries may embed hard-coded credentials in Copilot Studio AI agents to maintain persistent access or exfiltrate data undetected. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and remediate potential credential exposure and reduce the risk of long-term compromise.
KQL Query
let suspicious_patterns = @"(AKIA[0-9A-Z]{16})|(AIza[0-9A-Za-z_\-]{35})|(xox[baprs]-[0-9a-zA-Z]{10,48})|(ghp_[A-Za-z0-9]{36,59})|(sk_(live|test)_[A-Za-z0-9]{24})|(SG\.[A-Za-z0-9]{22}\.[A-Za-z0-9]{43})|(\d{8}:[\w\-]{35})|(eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+)|(Authorization\s*:\s*Basic\s+[A-Za-z0-9=:+]+)|([A-Za-z]+:\/\/[^\/\s]+:[^\/\s]+@[^\/\s]+)";
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| mv-expand tool = AgentToolsDetails
| mv-expand topic = AgentTopicsDetails
| where isnotempty(tool) and isnotempty(topic)
| where tool matches regex suspicious_patterns or topic matches regex suspicious_patterns
| extend SuspiciousMatchTool = tool, SuspiciousMatchTopic = topic
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, SuspiciousMatchTool, SuspiciousMatchTopic
id: 3a5b2c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d
name: Copilot Studio AI Agents - Hard-coded credentials in Topics or Actions
description: |
  This query identifies Copilot Studio AI agents that contain hard-coded credentials in Topics or Actions.
  Storing credentials in clear text within agent logic creates a security risk because these secrets can be exposed to unintended users or attackers.
  If compromised, credentials could allow unauthorized access to external systems, APIs, or sensitive data.
  Recommended Action: Avoid embedding credentials directly in Topics or Actions. Use secure alternatives
  such as Azure Key Vault with environment variables or enable secured input options for sensitive fields.
  Regularly audit agents for hard-coded secrets and rotate any exposed credentials immediately.
requiredDataConnectors: []
tactics:
  - CredentialAccess
  - InitialAccess
relevantTechniques:
  - T1552
  - T1078
query: |
  let suspicious_patterns = @"(AKIA[0-9A-Z]{16})|(AIza[0-9A-Za-z_\-]{35})|(xox[baprs]-[0-9a-zA-Z]{10,48})|(ghp_[A-Za-z0-9]{36,59})|(sk_(live|test)_[A-Za-z0-9]{24})|(SG\.[A-Za-z0-9]{22}\.[A-Za-z0-9]{43})|(\d{8}:[\w\-]{35})|(eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+)|(Authorization\s*:\s*Basic\s+[A-Za-z0-9=:+]+)|([A-Za-z]+:\/\/[^\/\s]+:[^\/\s]+@[^\/\s]+)";
  AIAgentsInfo
  | where RegistrySource != "A365"
  | summarize arg_max(Timestamp, *) by AIAgentId
  | where AgentStatus != "Deleted"
  | mv-expand tool = AgentToolsDetails
  | mv-expand topic = AgentTopicsDetails
  | where isnotempty(tool) and isnotempty(topic)
  | where tool matches regex suspicious_patterns or topic matches regex suspicious_patterns
  | extend SuspiciousMatchTool = tool, SuspiciousMatchTopic = topic
  | project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, SuspiciousMatchTool, SuspiciousMatchTopic
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: CreatorAccountUpn
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: AIAgentName
version: 1.0.0
Scenario: Admin configures a scheduled job to monitor system health using a service account with credentials stored in a secure vault, but the credentials are mistakenly hardcoded in a Copilot Studio Action for testing purposes.
Filter/Exclusion: Exclude actions where the credential field is labeled as secure_vault_token or contains a known secure vault reference.
Scenario: A developer uses a CI/CD pipeline to deploy a Copilot Studio agent, and the pipeline script includes hardcoded credentials for a test environment.
Filter/Exclusion: Exclude actions where the credential is part of a CI/CD pipeline variable or referenced via an environment variable like CI_PIPELINE_TOKEN.
Scenario: A system administrator creates a Copilot Studio agent to send alerts to a monitoring tool, and the agent’s action includes a hardcoded API key for the monitoring service.
Filter/Exclusion: Exclude actions where the credential is associated with a monitoring tool (e.g., Prometheus, Datadog) and is stored in a configuration file or environment variable.
Scenario: A DevOps team uses a script to automate the creation of Copilot Studio agents for multiple environments, and the script inadvertently includes hardcoded credentials for a staging environment.
Filter/Exclusion: Exclude actions where the credential is part of a script or automation tool (e.g., Ansible, Terraform) and is not stored in clear text.
Scenario: A security team sets up a Copilot Studio agent to audit user activity, and the agent’s topic includes a hardcoded API key for a third-party logging service.
Filter/Exclusion: Exclude topics where the credential is associated with a logging service (e.g., Splunk, ELK) and is stored in a secure configuration or external service.
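
Added example (not part of the original rule or its repository): the query's suspicious_patterns alternation split into labelled patterns, so that a hit on a tool or topic reports which credential format matched and shows only a redacted prefix instead of the whole object. The labels, the `{{env.QUEUE_KEY}}` placeholder syntax and the fields inside each sample item are constructed assumptions; only the column names AgentToolsDetails and AgentTopicsDetails come from the query.

```python
import json
import re

# The page's suspicious_patterns alternation, split apart. Labels are this
# example's own reading of each format; the page does not name them.
PATTERNS = {
    "aws_access_key_id": r"AKIA[0-9A-Z]{16}",
    "google_api_key": r"AIza[0-9A-Za-z_\-]{35}",
    "slack_token": r"xox[baprs]-[0-9a-zA-Z]{10,48}",
    "github_pat": r"ghp_[A-Za-z0-9]{36,59}",
    "stripe_secret_key": r"sk_(live|test)_[A-Za-z0-9]{24}",
    "sendgrid_api_key": r"SG\.[A-Za-z0-9]{22}\.[A-Za-z0-9]{43}",
    "digits_colon_token": r"\d{8}:[\w\-]{35}",
    "jwt": r"eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+",
    "basic_auth_header": r"Authorization\s*:\s*Basic\s+[A-Za-z0-9=:+]+",
    "url_with_userinfo": r"[A-Za-z]+:\/\/[^\/\s]+:[^\/\s]+@[^\/\s]+",
}
# re.ASCII: treat \w, \d, \s as ASCII-only (assumed to match the KQL engine).
COMPILED = {name: re.compile(rx, re.ASCII) for name, rx in PATTERNS.items()}

def redact(secret, keep=4):
    return secret[:keep] + "*" * (len(secret) - keep)  # short prefix, rest masked

def classify(text):
    """Return sorted (label, redacted_match) pairs found in text."""
    hits = {(name, redact(m.group(0)))
            for name, rx in COMPILED.items() for m in rx.finditer(text)}
    return sorted(hits)

def scan_agent(agent):
    """Scan tools and topics independently; map 'Field[i]' to its hits."""
    findings = {}
    for field in ("AgentToolsDetails", "AgentTopicsDetails"):
        for i, item in enumerate(agent.get(field) or []):
            hits = classify(json.dumps(item))
            if hits:
                findings[f"{field}[{i}]"] = hits
    return findings

# Constructed sample record; inner field names and values are made up.
SAMPLE_AGENT = {
    "AgentToolsDetails": [
        {"name": "SendAlert", "url": "https://svc_user:Passw0rd@api.example.invalid/v1"},
        {"name": "ReadQueue", "apiKey": "{{env.QUEUE_KEY}}"},  # reference, no literal
    ],
    "AgentTopicsDetails": [{"name": "Greeting", "text": "key=" + "AKIA" + "EXAMPLE0" * 2}],
}

if __name__ == "__main__":
    print(scan_agent(SAMPLE_AGENT))
```

The second tool holds a reference rather than a literal value and produces no finding, which is the state the rule's recommended action aims for.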