Azure Service Principal Credential Addition Detection Playbook
Detect the Persistence Technique the Azure Portal Won't Show You
Attackers add credentials directly to Service Principals via Graph API. These credentials don't show up in the Azure Portal. Your team doesn't know they exist. The attacker has persistent access to your environment.
This playbook catches them.
What's Inside:
✓ Production-Ready KQL Detection: Scheduled alert rule that catches secondary credential additions while filtering out legitimate automation. Copy, tune your whitelist, deploy.
✓ Rapid Triage Framework: Know immediately if it's a true positive or false positive. Decision tree for Identity Protection users AND manual baseline analysis for everyone else.
✓ Step-by-Step Investigation Queries: Copy-paste KQL to identify privileged service principals, analyze credential patterns, check sign-in anomalies, and detect dormant SP activation.
✓ Containment Sequence: Preserve evidence, revoke sessions, remove the malicious credential, disable if needed. PowerShell commands included.
✓ Incident Documentation Template: Fill-in-the-blank template so you're not scrambling to document during an incident.
✓ Deployment Checklist: Pre-deployment, Day 1, Week 1, Month 1. Know exactly what to do and when.
The Threat:
MITRE ATT&CK T1098.001 - Account Manipulation: Additional Cloud Credentials
Attackers compromise an account, add a credential to an existing service principal, and maintain access even after you reset passwords and revoke sessions. The credential is invisible in the Portal. Most teams never find it.
This detection finds it.
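To illustrate the kind of audit-log logic a T1098.001 detection rests on, here is an added example query. It is not the playbook's own rule and not part of this page: it uses the Microsoft Sentinel AuditLogs schema (OperationName, Result, InitiatedBy, TargetResources), surfaces successful "Add service principal credentials" events, excludes a constructed placeholder allow-list of rotation automation, and flags initiators that have not added a credential to that service principal in the prior 30 days as a simple baseline check. The allow-list entry, the lookback windows and the example tenant name are assumptions to tune per environment.

```kql
// Added example, not the playbook's query. Assumes Microsoft Sentinel AuditLogs
// schema. Allow-list entries below are constructed placeholders.
let detectionWindow = 1d;
let baselineWindow  = 30d;
// Constructed placeholder: identities expected to rotate SP secrets via automation
let allowedInitiators = dynamic(["secret-rotation-automation@contoso.example"]);
// Normalise credential-addition events into one row per target service principal
let credentialAdds = AuditLogs
    | where OperationName == "Add service principal credentials"
    | where Result == "success"
    | extend Initiator = coalesce(
          tostring(InitiatedBy.user.userPrincipalName),
          tostring(InitiatedBy.app.displayName))
    | extend InitiatorIp = tostring(InitiatedBy.user.ipAddress)
    | mv-expand TargetResource = TargetResources
    | where tostring(TargetResource.type) == "ServicePrincipal"
    | extend TargetSP   = tostring(TargetResource.displayName),
             TargetSPId = tostring(TargetResource.id)
    | project TimeGenerated, Initiator, InitiatorIp, TargetSP, TargetSPId, CorrelationId;
// Baseline: which (initiator, SP) pairs added credentials before the detection window
let baselinePairs = credentialAdds
    | where TimeGenerated between (ago(baselineWindow) .. ago(detectionWindow))
    | summarize PriorAdds = count() by Initiator, TargetSPId;
// Recent additions, minus known automation, annotated with baseline history
credentialAdds
| where TimeGenerated > ago(detectionWindow)
| where Initiator !in (allowedInitiators)
| join kind=leftouter baselinePairs on Initiator, TargetSPId
| extend PriorAdds = coalesce(PriorAdds, 0)
| extend FirstTimePairing = PriorAdds == 0
| project TimeGenerated, Initiator, InitiatorIp, TargetSP, TargetSPId,
          PriorAdds, FirstTimePairing, CorrelationId
| order by FirstTimePairing desc, TimeGenerated desc
```

Rows with FirstTimePairing set are the ones to triage first: an identity adding a credential to a service principal it has never touched in the baseline period is exactly the pattern the Portal will not surface for you. Tune the allow-list and both windows before scheduling this as an alert rule.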
Format: Markdown (1,400+ lines)
Deploy time: Hours, not days
Who Built This:
I'm Charles Garrett, a SecOps engineer who's built and tested hundreds of detections in financial services environments.
This playbook is tested in real Azure environments. No theory. No blog post speculation. Just a detection that works in production.
Want more playbooks?
I release a new detection playbook on the 1st of every month. Founding members get every playbook + vote on what gets built next.
Details at theadversarylab.com
Backdoor credentials via Graph API. Invisible in the Portal. This playbook catches them. KQL + triage + containment.