Certificate-Based Authentication Enabled
Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.
Sigma rule (View on GitHub)
1title: Certificate-Based Authentication Enabled
2id: c2496b41-16a9-4016-a776-b23f8910dc58
3status: test
4description: Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.
5references:
6 - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
7 - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
8author: Harjot Shah Singh, '@cyb3rjy0t'
9date: 2024-03-26
10tags:
11 - attack.defense-evasion
12 - attack.credential-access
13 - attack.persistence
14 - attack.privilege-escalation
15 - attack.t1556
16logsource:
17 product: azure
18 service: auditlogs
19detection:
20 selection:
21 OperationName: 'Authentication Methods Policy Update'
22 TargetResources.modifiedProperties|contains: 'AuthenticationMethodsPolicy'
23 condition: selection
24falsepositives:
25 - Unknown
26level: medium
References
-
How Certificate Based Authentication works, passwordless persistence with CBA, passwordless privilege escalation, prevention, detection, and more.
Read More -
Azure AD Certificate-Based Authentication is now in public preview, with a surprisingly good documentation. Usually I have to guess how 50% of a feature actually works, but this time they have gone…
Read More
Related rules
- CA Policy Removed by Non Approved Actor
- CA Policy Updated by Non Approved Actor
- Change to Authentication Method
- New Root Certificate Authority Added
- User Added To Group With CA Policy Modification Access