Add Application
Azure
Add Application
Event
Creates and registers a new application in Microsoft Entra ID, establishing an identity that can authenticate and request access tokens.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
- Creating cloud accounts provides a durable backdoor that persists independently of any compromised user’s credentials.
Log Source
Entra ID Audit Logs
Sample Event
Compromised account draco@fantasticlogs.cloud registers a new Entra ID application named BoggartImpersonator from the adversary’s egress IP — the first leg of the classic app + service-principal + credential persistence chain (T1098).
{ "id": "Directory_90000000-0000-4000-8000-001010011011_4C2E9_77298311", "category": "ApplicationManagement", "correlationId": "90000000-0000-4000-8000-001010011011", "result": "success", "resultReason": "", "activityDisplayName": "Add application", "activityDateTime": "2026-04-15T15:42:09.5162088Z", "loggedByService": "Core Directory", "operationType": "Add", "tenantId": "10000000-0000-4000-8000-000000000001", "initiatedBy": { "app": null, "user": { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "userPrincipalName": "draco@fantasticlogs.cloud", "ipAddress": "203.0.113.66", "userType": "Member", "homeTenantId": "10000000-0000-4000-8000-000000000001", "homeTenantName": null } }, "targetResources": [ { "id": "40000000-0000-4000-8000-001010011010", "displayName": "BoggartImpersonator", "type": "Application", "userPrincipalName": null, "groupType": null, "modifiedProperties": [ { "displayName": "AppAddress", "oldValue": "[]", "newValue": "[{\"AddressType\":0,\"Address\":\"https://login.microsoftonline.com/common/oauth2/nativeclient\"}]" }, { "displayName": "AppId", "oldValue": "[]", "newValue": "[\"40000000-0000-4000-8000-001010011010\"]" }, { "displayName": "DisplayName", "oldValue": "[]", "newValue": "[\"BoggartImpersonator\"]" }, { "displayName": "AvailableToOtherTenants", "oldValue": "[]", "newValue": "[false]" }, { "displayName": "SignInAudience", "oldValue": "[]", "newValue": "[\"AzureADMyOrg\"]" }, { "displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AppAddress, AppId, DisplayName, AvailableToOtherTenants, SignInAudience\"" } ] } ], "additionalDetails": [ { "key": "User-Agent", "value": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)" } ]}MITRE ATT&CK Mapping
Tactics: Persistence Privilege Escalation
Techniques:
- T1136.003 — Cloud Account — Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...