Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 5 Days |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
An Azure Service Principal token was used from outside the cloud environment.
Attacker's Goals
Exfiltrate a valid token and abuse it remotely.
Investigative actions
- Verify whether the Service Principal should be used remotely.
- Check what API calls were executed by the Service Principal.
- Determine whether the Service Principal is compromised.
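The following is an added illustration of the detection logic described above (external use of a Service Principal token, with the 5-day deduplication period), not the detector's own implementation; the record fields, the address ranges and the sample events are constructed assumptions for this example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: sign-in style records for Service Principals. The field
# names and the "in-environment" address ranges are assumptions for this
# example, not a real Azure log schema or real tenant ranges.
CLOUD_RANGES = [ip_network("10.0.0.0/8"), ip_network("20.0.0.0/8")]
EVENTS = [
    {"time": "2024-05-01T09:00:00", "sp_id": "sp-billing", "ip": "10.2.3.4"},
    {"time": "2024-05-01T10:00:00", "sp_id": "sp-billing", "ip": "203.0.113.7"},
    {"time": "2024-05-03T10:00:00", "sp_id": "sp-billing", "ip": "203.0.113.7"},
    {"time": "2024-05-10T08:00:00", "sp_id": "sp-billing", "ip": "198.51.100.9"},
    {"time": "2024-05-02T12:00:00", "sp_id": "sp-backup", "ip": "20.5.6.7"},
    {"time": "2024-05-02T13:00:00", "sp_id": "sp-backup", "ip": "198.51.100.1"},
]


def is_external(ip: str, cloud_ranges=CLOUD_RANGES) -> bool:
    """True when the source address lies outside the environment's known ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in cloud_ranges)


def detect(events, cloud_ranges=CLOUD_RANGES, dedup_days=5):
    """Raise one alert per Service Principal per deduplication window.

    Returns a list of (sp_id, ip, time) tuples for external token usage; a
    repeat hit for the same principal within dedup_days is suppressed.
    """
    alerts, last_alert = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_external(ev["ip"], cloud_ranges):
            continue  # token used from inside the cloud environment: benign here
        ts = datetime.fromisoformat(ev["time"])
        prev = last_alert.get(ev["sp_id"])
        if prev is not None and ts - prev < timedelta(days=dedup_days):
            continue  # already alerted on this principal within the window
        last_alert[ev["sp_id"]] = ts
        alerts.append((ev["sp_id"], ev["ip"], ev["time"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print("External Service Principal token usage:", alert)
```

The sample produces three alerts: the second sp-billing hit two days after the first is deduplicated, while the hit nine days later is reported again.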
Variations
- Remote usage of an Azure Service Principal token from an unusual ASN
- Remote usage of an Azure Service Principal token from an unusual IP