Description: The Azure Login Certificate Canarytoken provides you with a valid config and login certificate. Leave them in private code repositories, leave them on a developer's machine. An attacker who stumbles on them will believe they are the keys to your Azure cloud infrastructure. If they are used to log in to Azure at any point, you will be alerted.
The great thing is that you don't need Azure in your environment to use this token, and there’s no way for an attacker to use it without setting off an alert.
Note: These alerts first pass through Azure logging infrastructure and can take up to 10 minutes to alert.
Follow the steps below to create an Azure Login Certificate Canarytoken:
Step 1:
Log in to your Console.
Step 2:
Select the Canarytokens tile.
Step 3:
Select the Azure Login Certificate token from the list.
Step 4:
Over time, if you are using tokens correctly, you will deploy thousands of them all over the place. Make sure that your Reminder is as descriptive as possible, and we will remind the future you of where the token was dropped. Nothing sucks more than having a token fire an alert that reads "test" and not knowing where you placed it.
You will also need to choose the name of the certificate (.pem). You may change this at any time, but you will notice that the Azure login config that we display contains that file name as a breadcrumb for attackers.
Note: we chose Azure Login Certificate on Jim's Laptop as the reminder and we chose azure-prod.pem as the certificate file name.
Step 5:
- Copy the client config and place them in their intended location
- Download a ZIP file containing both the client config and the Azure Certificate
You will notice we are showing what a typical Azure config file would look like with the necessary information to use your Canarytoken. You should place it near your Azure Login Certificate.
Note: The download comes in a ZIP file that will contain both the client config and Azure Login Certificate linked to your Canarytoken. The file is formatted such that it looks like a legitimate Azure Login Certificate file for a service principal.
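Because the config mentions the certificate file name as a breadcrumb, a drop only looks convincing if the .pem beside the config actually carries that name. The script below is an added example (not Thinkst's code or console output) that checks a drop directory for that consistency: the config references a .pem, that .pem sits next to it, it looks like PEM, and no unreferenced .pem files are lying around. The config format and the zero-filled appId and tenant values used in the demo are constructed placeholders; the real console shows its own config layout.

```python
"""Sanity-check a deployed Azure Login Certificate Canarytoken drop.

Added example, not part of the Canarytokens product. It assumes the drop
directory holds a text client config that names the certificate file
(the breadcrumb shown in the console) and the .pem file itself. The
config layout used in demo() is a constructed placeholder.
"""
import re
import tempfile
from pathlib import Path

# Any token ending in .pem, e.g. "azure-prod.pem"
PEM_RE = re.compile(r"[\w.\-]+\.pem")


def check_drop(drop_dir, config_name="azure-config.txt"):
    """Return a list of problems; an empty list means the drop is consistent."""
    drop = Path(drop_dir)
    problems = []
    config_path = drop / config_name
    if not config_path.is_file():
        return [f"missing client config: {config_path}"]

    referenced = set(PEM_RE.findall(config_path.read_text()))
    if not referenced:
        problems.append("client config does not mention a .pem file (no breadcrumb)")

    # Every certificate the config points at must exist beside it and look like PEM.
    for name in referenced:
        pem_path = drop / name
        if not pem_path.is_file():
            problems.append(f"config references {name} but it is not beside the config")
            continue
        body = pem_path.read_text()
        if "-----BEGIN" not in body or "-----END" not in body:
            problems.append(f"{name} does not look like a PEM file")

    # A stray .pem that the config never mentions weakens the breadcrumb story.
    for stray in drop.glob("*.pem"):
        if stray.name not in referenced:
            problems.append(f"{stray.name} is present but the config never references it")

    return problems


def demo():
    """Build a constructed drop in a temp dir, check it, then break it and re-check.

    Returns (problems_before_rename, problems_after_rename).
    """
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed placeholder config; the real console output differs.
        (d / "azure-config.txt").write_text(
            "# constructed placeholder config\n"
            "appId = 00000000-0000-0000-0000-000000000000\n"
            "tenant = 00000000-0000-0000-0000-000000000000\n"
            "certificate = azure-prod.pem\n"
        )
        (d / "azure-prod.pem").write_text(
            "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
        )
        consistent = check_drop(d)

        # Rename the certificate so the breadcrumb in the config no longer matches.
        (d / "azure-prod.pem").rename(d / "azure-dev.pem")
        broken = check_drop(d)
    return consistent, broken


if __name__ == "__main__":
    before, after = demo()
    print("consistent drop:", before or "no problems")
    print("broken drop:", after)
```

Run it against the directory where you unpacked the ZIP (`check_drop("/path/to/drop", config_name=<your config file name>)`) after you have renamed anything; a non-empty result means the config and certificate no longer tell the same story.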
Alert:
You can use the following command (substitute the appId, certificate name and tenant fields in the command below with the values from your token) to authenticate to Azure using an Azure Login Certificate:
az login --service-principal -u appId -p certname.pem --tenant tenant
An alert will be triggered when the Azure Login Certificate is used to log in to Azure.
That's it, you're done ;-)