Skip to main content

Search

How do I create an Azure Login Certificate Canarytoken?

  • Updated

Description: The Azure Login Certificate Canarytoken provides you with a valid config and login certificate. Leave them in private code repositories, leave them on a developer's machine. An attacker who stumbles on them will believe they are the keys to your Azure cloud infrastructure. If they are used to login to Azure at any point, you will be alerted.

Note: These alerts first pass through Azure logging infrastructure and can take up to 10 minutes to alert.

 Follow the steps below to create a an Azure Login Certificate Canarytoken:

Step 1:

Log in to your Console.

Canary_Login_.png

Step 2:

Select the Canarytokens tile. 

Token_Tile.png

Step 3:

Select the Azure Login Certificate token from the list.

Screen_Shot_2022-09-28_at_6.34.25_PM.png

Step 4:

Over time, if you are using tokens correctly, you will deploy thousands of them all over the place. Make sure that your Reminder is as descriptive as possible, and we will remind the future you of where the token was dropped. Nothing sucks more than having a token fire an alert that reads “test" - and not knowing where you placed it.

You will also need to choose the name of the certificate (.pem). You may change this at anytime, but you will notice that the Azure login config that we display contains that file name as a breadcrumb for attackers.

Note: we chose "Azure Login Certificate on Jim's Laptop" as the reminder and we chose "azure-prod.pem" as the certificate file name.

Screen_Shot_2022-09-28_at_6.36.15_PM.png

Step 5:

Download the certificate, copy the client config and place them in their intended location. You will notice we are showing what a typical Azure config file would look like with the necessary information to use your Canarytoken. You should place it nearby your Azure Login Certificate.

Note: The file downloaded contains the Azure Login Certificate linked to your Canarytoken. The file is formatted such that it looks like a legitimate Azure Login Certificate file for a service principal.

Screen_Shot_2022-09-28_at_6.43.08_PM.png

Alert:

You can use the following command (substitute the variables) to authenticate to Azure using a Azure Login Certificate:

az login --service-principal -u $(appId) -p azure-prod.pem --tenant $(tenant)

An alert will be triggered when the Azure Login Certificate is used to login to Azure

Screen_Shot_2022-09-28_at_7.50.05_PM.png

You're done! ;-)

 

 

Was this article helpful?
1 out of 1 found this helpful
Return to top