Description: The Azure Login Certificate Canarytoken provides you with a valid config and login certificate. Leave them in private code repositories or on a developer's machine. An attacker who stumbles on them will believe they are the keys to your Azure cloud infrastructure. If they are used to log in to Azure at any point, you will be alerted.
Follow the steps below to create an Azure Login Certificate Canarytoken:
Step 1:
Log in to your Console.
Step 2:
Select the Canarytokens tile.
Step 3:
Select the Azure Login Certificate token from the list.
Step 4:
Over time, if you are using tokens correctly, you will deploy thousands of them all over the place. Make sure that your Reminder is as descriptive as possible, and we will remind the future you of where the token was dropped. Nothing sucks more than having a token fire an alert that reads "test" - and not knowing where you placed it.
You will also need to choose the name of the certificate (.pem). You may change this at any time, but you will notice that the Azure login config that we display contains that file name as a breadcrumb for attackers.
Note: we chose "Azure Login Certificate on Jim's Laptop" as the reminder and we chose "azure-prod.pem" as the certificate file name.
Step 5:
Download the certificate, copy the client config and place them in their intended location. You will notice we are showing what a typical Azure config file would look like with the necessary information to use your Canarytoken. You should place it near your Azure Login Certificate.
Note: The file downloaded contains the Azure Login Certificate linked to your Canarytoken. The file is formatted such that it looks like a legitimate Azure Login Certificate file for a service principal.
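The following is an added example, not part of the Canarytokens product or its documentation: a shell check that a deployed decoy pair is still consistent, without ever running az login (using the certificate is what fires the alert). The function names, the sample file contents and the assumption that the client config is a text file naming the .pem are all hypothetical.

```shell
# Added example: verify a deployed config/certificate pair offline.
# Assumptions: the client config is plain text that mentions the certificate
# file name, and the .pem contains standard "-----BEGIN ...-----" blocks.

check_decoy() {
    config=$1
    pem=$2
    name=$(basename "$pem")

    [ -f "$config" ] || { echo "missing config: $config"; return 1; }
    [ -f "$pem" ] || { echo "missing certificate: $pem"; return 1; }

    # The config must name the certificate file, otherwise the breadcrumb
    # leads nowhere (for example after the .pem was renamed on disk).
    grep -qF -- "$name" "$config" || {
        echo "config does not reference $name"; return 2; }

    # The decoy should still look like a certificate file to whoever finds it.
    grep -q -- '-----BEGIN [A-Z ]*-----' "$pem" || {
        echo "$pem contains no PEM block"; return 3; }

    echo "ok: $config references $name"
}

# Constructed sample pair: a stand-in for the real files, not token material
# and not the config format the Console displays.
make_sample() {
    d=$(mktemp -d)
    printf 'certificate = azure-prod.pem\n' > "$d/config"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
        '-----END CERTIFICATE-----' > "$d/azure-prod.pem"
    echo "$d"
}

sample=$(make_sample)
check_decoy "$sample/config" "$sample/azure-prod.pem"
rm -rf "$sample"
```

Return code 2 is the case to watch for after changing the certificate name: the config on disk still points at the old file name.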
Alert:
You can use the following command (substitute the $(appId) and $(tenant) variables with your own values) to authenticate to Azure using an Azure Login Certificate:
az login --service-principal -u $(appId) -p azure-prod.pem --tenant $(tenant)
An alert will be triggered when the Azure Login Certificate is used to log in to Azure.
You're done! ;-)