{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/certificate-based-authentication/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","certificate-based-authentication","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCertificate-Based Authentication (CBA) in Azure Active Directory allows users and services to authenticate using digital certificates instead of passwords. While intended to enhance security, misconfiguration or malicious use of CBA can lead to significant security risks. Attackers can exploit CBA to gain unauthorized access, establish persistent footholds, and escalate privileges within the Azure environment. This involves manipulating authentication policies to favor or require certificate authentication, potentially bypassing other security controls. Detection of CBA enablement is crucial as it can be a precursor to more sophisticated attacks targeting cloud resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure AD account with sufficient privileges to modify authentication policies (e.g., Global Administrator).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the Azure AD authentication methods policy to enable certificate-based authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a certificate authority (CA) in Azure AD, which will be used to issue certificates for authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts or compromises a certificate that is trusted by the registered CA.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the crafted certificate to authenticate to Azure AD, bypassing traditional password-based authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly gained access to provision new resources, modify existing configurations, or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating service principals or applications that authenticate using certificates, allowing them to maintain access even if the initial account is compromised.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CBA can lead to full compromise of an Azure AD tenant. Attackers can gain access to sensitive data, disrupt services, and deploy malicious applications. The lack of multi-factor authentication on certificate-based logins significantly increases the risk of unauthorized access. The impact can range from data breaches and financial losses to complete operational shutdown, depending on the scope of the compromised resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect when certificate-based authentication is enabled in Azure AD (\u003ccode\u003eAuthentication Methods Policy Update\u003c/code\u003e in Audit Logs).\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD audit logs for modifications to authentication methods policies, paying close attention to changes related to certificate-based authentication.\u003c/li\u003e\n\u003cli\u003eImplement strong certificate management practices, including proper key storage, certificate revocation, and monitoring of certificate usage.\u003c/li\u003e\n\u003cli\u003eInvestigate any unexpected changes to Azure AD authentication policies or the registration of new certificate authorities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T14:30:00Z","date_published":"2024-04-29T14:30:00Z","id":"/briefs/2024-04-azure-ad-cba-enabled/","summary":"Enabling certificate-based authentication (CBA) in Azure Active Directory can be abused by attackers to establish persistence, escalate privileges, and impair defenses.","title":"Azure AD Certificate-Based Authentication Enabled","url":"https://feed.craftedsignal.io/briefs/2024-04-azure-ad-cba-enabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Certificate-Based-Authentication","version":"https://jsonfeed.org/version/1.1"}