New Root Certificate Authority Added

 1title: New Root Certificate Authority Added
 2id: 4bb80281-3756-4ec8-a88e-523c5a6fda9e
 3status: test
 4description: Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
 5references:
 6    - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
 7    - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
 8author: Harjot Shah Singh, '@cyb3rjy0t'
 9date: 2024/03/26
10tags:
11    - attack.persistence
12    - attack.privilege_escalation
13    - attack.t1556
14logsource:
15    product: azure
16    service: auditlogs
17detection:
18    selection:
19        OperationName: 'Set Company Information'
20        TargetResources.modifiedProperties.newValue|contains: 'TrustedCAsForPasswordlessAuth'
21    condition: selection
22falsepositives:
23    - Unknown
24level: medium

References

• Passwordless Persistence and Privilege Escalation in Azure

  

  Adversaries are always looking for stealthy means of maintaining long-term and stealthy persistence and privilege in a target environment…

  
  Read More

• Digging into Azure AD Certificate-Based Authentication

  

  Azure AD Certificate-Based Authentication is now in public preview, with a surprisingly good documentation. Usually I have to guess how 50% of a feature actually works, but this time they have gone…

  
  Read More

Related rules

• Certificate-Based Authentication Enabled
• New TimeProviders Registered With Uncommon DLL Name
• AppInit DLL Installation
• Non-Microsoft App Package Installation Process
• Non-depmod Process Modifying modules.dep