New Root Certificate Authority Added
Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
Sigma rule (View on GitHub)
1title: New Root Certificate Authority Added
2id: 4bb80281-3756-4ec8-a88e-523c5a6fda9e
3status: test
4description: Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
5references:
6 - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
7 - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
8author: Harjot Shah Singh, '@cyb3rjy0t'
9date: 2024-03-26
10tags:
11 - attack.defense-evasion
12 - attack.credential-access
13 - attack.persistence
14 - attack.privilege-escalation
15 - attack.t1556
16logsource:
17 product: azure
18 service: auditlogs
19detection:
20 selection:
21 OperationName: 'Set Company Information'
22 TargetResources.modifiedProperties.newValue|contains: 'TrustedCAsForPasswordlessAuth'
23 condition: selection
24falsepositives:
25 - Unknown
26level: medium
References
-
How Certificate Based Authentication works, passwordless persistence with CBA, passwordless privilege escalation, prevention, detection, and more.
Read More -
Azure AD Certificate-Based Authentication is now in public preview, with a surprisingly good documentation. Usually I have to guess how 50% of a feature actually works, but this time they have gone…
Read More
Related rules
- CA Policy Removed by Non Approved Actor
- CA Policy Updated by Non Approved Actor
- Certificate-Based Authentication Enabled
- Change to Authentication Method
- User Added To Group With CA Policy Modification Access