Certificate-Based Authentication Enabled
Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.
Sigma rule (View on GitHub)
1title: Certificate-Based Authentication Enabled
2id: c2496b41-16a9-4016-a776-b23f8910dc58
3status: test
4description: Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.
5references:
6 - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
7 - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
8author: Harjot Shah Singh, '@cyb3rjy0t'
9date: 2024/03/26
10tags:
11 - attack.persistence
12 - attack.privilege_escalation
13 - attack.t1556
14logsource:
15 product: azure
16 service: auditlogs
17detection:
18 selection:
19 OperationName: 'Authentication Methods Policy Update'
20 TargetResources.modifiedProperties|contains: 'AuthenticationMethodsPolicy'
21 condition: selection
22falsepositives:
23 - Unknown
24level: medium
References
-
Adversaries are always looking for stealthy means of maintaining long-term and stealthy persistence and privilege in a target environment…
Read More -
Azure AD Certificate-Based Authentication is now in public preview, with a surprisingly good documentation. Usually I have to guess how 50% of a feature actually works, but this time they have gone…
Read More
Related rules
- New Root Certificate Authority Added
- New TimeProviders Registered With Uncommon DLL Name
- AppInit DLL Installation
- Non-Microsoft App Package Installation Process
- Non-depmod Process Modifying modules.dep