Attack Chain

1. An attacker gains initial access to an Azure AD account with sufficient privileges to modify authentication policies (e.g., Global Administrator).
2. The attacker modifies the Azure AD authentication methods policy to enable certificate-based authentication.
3. The attacker registers a certificate authority (CA) in Azure AD, which will be used to issue certificates for authentication.
4. The attacker crafts or compromises a certificate that is trusted by the registered CA.
5. The attacker uses the crafted certificate to authenticate to Azure AD, bypassing traditional password-based authentication.
6. The attacker leverages the newly gained access to provision new resources, modify existing configurations, or access sensitive data.
7. The attacker establishes persistence by creating service principals or applications that authenticate using certificates, allowing them to maintain access even if the initial account is compromised.

Impact

Successful exploitation of CBA can lead to full compromise of an Azure AD tenant. Attackers can gain access to sensitive data, disrupt services, and deploy malicious applications. The lack of multi-factor authentication on certificate-based logins significantly increases the risk of unauthorized access. The impact can range from data breaches and financial losses to complete operational shutdown, depending on the scope of the compromised resources.

Recommendation

• Deploy the Sigma rule to detect when certificate-based authentication is enabled in Azure AD (Authentication Methods Policy Update in Audit Logs).
• Monitor Azure AD audit logs for modifications to authentication methods policies, paying close attention to changes related to certificate-based authentication.
• Implement strong certificate management practices, including proper key storage, certificate revocation, and monitoring of certificate usage.
• Investigate any unexpected changes to Azure AD authentication policies or the registration of new certificate authorities.