Detectionmediumtest

New Root Certificate Authority Added

Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Harjot Shah SinghCreated Tue Mar 264bb80281-3756-4ec8-a88e-523c5a6fda9ecloud

Log Source

Azureauditlogs

ProductAzure← raw: azure

Serviceauditlogs← raw: auditlogs

Detection Logic

detection:
    selection:
        OperationName: 'Set Company Information'
        TargetResources.modifiedProperties.newValue|contains: 'TrustedCAsForPasswordlessAuth'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0006 · Credential Access TA0003 · Persistence TA0004 · Privilege Escalation

Techniques

T1556 · Modify Authentication Process

Rule Metadata

Rule ID

4bb80281-3756-4ec8-a88e-523c5a6fda9e

Status

test

Level

medium

Type

Detection

Created

Tue Mar 26

Author

Harjot Shah Singh

Path

rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml

Raw Tags

attack.defense-evasionattack.credential-accessattack.persistenceattack.privilege-escalationattack.t1556

View on GitHub