New Root Certificate Authority Added

Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.

Sigma rule (View on GitHub)

 1title: New Root Certificate Authority Added
 2id: 4bb80281-3756-4ec8-a88e-523c5a6fda9e
 3status: test
 4description: Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
 5references:
 6    - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
 7    - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
 8author: Harjot Shah Singh, '@cyb3rjy0t'
 9date: 2024-03-26
10tags:
11    - attack.persistence
12    - attack.privilege-escalation
13    - attack.t1556
14logsource:
15    product: azure
16    service: auditlogs
17detection:
18    selection:
19        OperationName: 'Set Company Information'
20        TargetResources.modifiedProperties.newValue|contains: 'TrustedCAsForPasswordlessAuth'
21    condition: selection
22falsepositives:
23    - Unknown
24level: medium

References

Related rules

to-top