During the work on the Azure AD – Attack and Defense Playbook (1) there was a rather nice byproduct: a simple yet effective query for detecting potential misuse of the service principal (SPN) behind an Azure DevOps service connection used by pipelines.
The analytic detects the scenario where an access token issued to a service principal is used from a different origin (IP address) than the one it was requested from, and uses entity mapping to tie the alert to the affected resources and accounts.
(1) The Azure AD - Attack and Defense Playbook is a community collaboration project. Check the Contributors.
Following the attacker's path – Azure Sentinel Analytics
Azure Sentinel Analytics has one really cool feature which we use here: Entity Mapping (read about entity mapping). Entity mapping lets us build a graph of the attacker's path showing the affected resources.
The alert uses the following entities: AzureResourceID, Account and Process. (Process is only used to surface the action from ActivityLog; it is not really meant for this use case, but it maps nicely onto the operations performed against Azure Resource Manager.)
Account allows us to track the actions performed by the Azure DevOps service connection via its objectId across multiple logs (in a single view!)
AzureResourceID allows us to track all events for the resources that were part of the attacker's path.
Query and analytics rule
The query is meant to be run within the access token's lifetime, so that the correlation between the sign-in and the activity holds. I did not do extensive QA for it, but once I kicked off the poisoned pipeline, it certainly alerted me 🙂
AzureActivity
| extend parsedClaims = parse_json(Claims_d)
| extend appid = tostring(parsedClaims.appid)
| extend activityResource = tostring(parsedClaims.aud)
| extend activityCor = CorrelationId
| join kind=inner AADServicePrincipalSignInLogs on $left.appid == $right.AppId
| project TimeInActivityLog = TimeGenerated, TimeInSPNLog = TimeGenerated1, ServicePrincipalId, OperationNameValue, ipActivity = CallerIpAddress, ipfromSpn = IPAddress, appid, ResourceDisplayName, activityResource, tostring(parse_json(Authorization).evidence.role), _ResourceId
| where ipActivity != ipfromSpn
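To make the correlation logic of the query concrete outside a Sentinel workspace, here is an added Python example (not code from the original post or the Playbook project) that runs the same join over a handful of constructed AzureActivity and AADServicePrincipalSignInLogs records: match on the app id, keep the pairs where the operation falls inside the token lifetime after the sign-in, and flag the ones whose caller IP differs from the sign-in IP. The token-lifetime window is an assumption added here to express the author's note that the query only holds within the token's validity; the KQL above has no such filter. The app id, object id, resource ids and IP addresses are placeholders, and the records are constructed samples, not real log exports.

```python
"""Correlate Azure Activity operations with AAD service principal sign-ins and
flag operations whose caller IP differs from the IP the token was issued to."""
from datetime import datetime, timedelta, timezone


def _ts(s: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the constructed sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Placeholder app id of the DevOps service connection (not a real value).
APP_ID = "00000000-0000-0000-0000-00000000abcd"

# Constructed AzureActivity rows; field names mirror the columns the query uses.
AZURE_ACTIVITY = [
    {   # legitimate: same IP the token was issued to, inside the window
        "TimeGenerated": "2021-03-01T10:05:00Z",
        "CorrelationId": "corr-1",
        "CallerIpAddress": "203.0.113.10",
        "OperationNameValue": "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE",
        "Claims": {"appid": APP_ID, "aud": "https://management.azure.com/"},
        "Authorization": {"evidence": {"role": "Contributor"}},
        "_ResourceId": "/subscriptions/sub-placeholder/resourcegroups/rg-app/providers/microsoft.resources/deployments/deploy1",
    },
    {   # suspicious: token used from a different origin inside its lifetime
        "TimeGenerated": "2021-03-01T10:20:00Z",
        "CorrelationId": "corr-2",
        "CallerIpAddress": "198.51.100.77",
        "OperationNameValue": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
        "Claims": {"appid": APP_ID, "aud": "https://management.azure.com/"},
        "Authorization": {"evidence": {"role": "Contributor"}},
        "_ResourceId": "/subscriptions/sub-placeholder/providers/microsoft.authorization/roleassignments/ra1",
    },
    {   # different IP but three hours after the sign-in: outside a 1h window
        "TimeGenerated": "2021-03-01T13:00:00Z",
        "CorrelationId": "corr-3",
        "CallerIpAddress": "198.51.100.77",
        "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
        "Claims": {"appid": APP_ID, "aud": "https://management.azure.com/"},
        "Authorization": {"evidence": {"role": "Contributor"}},
        "_ResourceId": "/subscriptions/sub-placeholder/resourcegroups/rg-app/providers/microsoft.compute/virtualmachines/vm1",
    },
]

# Constructed AADServicePrincipalSignInLogs rows.
SPN_SIGNINS = [
    {
        "TimeGenerated": "2021-03-01T10:00:00Z",
        "AppId": APP_ID,
        "ServicePrincipalId": "11111111-2222-3333-4444-555555555555",  # placeholder objectId
        "IPAddress": "203.0.113.10",
        "ResourceDisplayName": "Windows Azure Service Management API",
    },
]


def correlate(activity, signins, token_lifetime=timedelta(hours=1)):
    """Join activity rows to sign-ins on app id (the query's join key), keep pairs
    where the operation happened within token_lifetime after the sign-in (assumed
    window, not in the original query) and return those with mismatching IPs.
    Each finding carries the fields the rule maps to its entities."""
    findings = []
    for act in activity:
        appid = act["Claims"].get("appid")
        t_act = _ts(act["TimeGenerated"])
        for spn in signins:
            if spn["AppId"] != appid:
                continue
            t_spn = _ts(spn["TimeGenerated"])
            if not (t_spn <= t_act <= t_spn + token_lifetime):
                continue  # token could not have been issued by this sign-in
            if act["CallerIpAddress"] == spn["IPAddress"]:
                continue  # same origin as the sign-in: expected behaviour
            findings.append({
                "Account": spn["ServicePrincipalId"],        # Account entity
                "AzureResourceId": act["_ResourceId"],       # AzureResource entity
                "Process": act["OperationNameValue"],        # Process entity (the ARM operation)
                "ipActivity": act["CallerIpAddress"],
                "ipfromSpn": spn["IPAddress"],
                "role": act["Authorization"]["evidence"]["role"],
                "activityResource": act["Claims"].get("aud"),
                "TimeInActivityLog": act["TimeGenerated"],
                "TimeInSPNLog": spn["TimeGenerated"],
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(AZURE_ACTIVITY, SPN_SIGNINS):
        print(finding)
```

With the default one-hour window only the role-assignment write from 198.51.100.77 is reported; widening the window to four hours also surfaces the later VM write, which is the trade-off the author alludes to when saying the query should be run within the token lifetime.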
End of blog
Azure Sentinel entity mapping is a total game changer for me. I will be looking forward to any new developments in this space.