detecting-azure-service-principal-abuse

Community

Detect Azure SP abuse and credential risks.

Author: YukiIto1999
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

Azure AD service principals are frequently abused for credential compromise, privilege escalation, and persistence. This skill provides a structured detection and investigative workflow to identify and assess such abuse in Microsoft Entra ID environments.

Core Features & Use Cases

  • Credential monitoring: detects newly added credentials and expiring credentials on service principals.
  • Privileged role checks: flags service principals with high-privilege roles.
  • Ownership and access review: identifies anomalous or excessive application owners.
  • Sign-in and activity correlation: correlates audit and sign-in data for suspicious patterns.
  • Workflow guidance: guides end-to-end investigation and containment steps.

Quick Start

Instruct the agent to scan Azure AD for recently added credentials, privileged role assignments, and unusual SP ownership within your Entra ID tenant.

Dependency Matrix

Required Modules

  • requests
  • azure-identity

Components

  • scripts
  • references

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: detecting-azure-service-principal-abuse
Download link: https://github.com/YukiIto1999/ctf-sleuth/archive/main.zip#detecting-azure-service-principal-abuse

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.