New Root Certificate Authority Added
Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
Sigma rule (View on GitHub)
1title: New Root Certificate Authority Added
2id: 4bb80281-3756-4ec8-a88e-523c5a6fda9e
3status: test
4description: Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
5references:
6 - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
7 - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
8author: Harjot Shah Singh, '@cyb3rjy0t'
9date: 2024-03-26
10tags:
11 - attack.persistence
12 - attack.privilege-escalation
13 - attack.t1556
14logsource:
15 product: azure
16 service: auditlogs
17detection:
18 selection:
19 OperationName: 'Set Company Information'
20 TargetResources.modifiedProperties.newValue|contains: 'TrustedCAsForPasswordlessAuth'
21 condition: selection
22falsepositives:
23 - Unknown
24level: medium
References
-
Adversaries are always looking for stealthy means of maintaining long-term and stealthy persistence and privilege in a target environment…
Read More -
Azure AD Certificate-Based Authentication is now in public preview, with a surprisingly good documentation. Usually I have to guess how 50% of a feature actually works, but this time they have gone…
Read More
Related rules
- Certificate-Based Authentication Enabled
- AWS Identity Center Identity Provider Change
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons