Entra ID Device Code Auth with Broker Client

Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e).

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/06/24"
 3integration = ["azure"]
 4maturity = "production"
 5updated_date = "2024/06/26"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e).
11"""
12from = "now-9m"
13index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
14language = "kuery"
15license = "Elastic License v2"
16name = "Entra ID Device Code Auth with Broker Client"
17references =[
18    "https://dirkjanm.io/assets/raw/Phishing%20the%20Phishing%20Resistant.pdf",
19    "https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/governance/verify-first-party-apps-sign-in",
20    "https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs"
21]
22risk_score = 47
23rule_id = "a83b3dac-325a-11ef-b3e6-f661ea17fbce"
24setup = """
25This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected.
26"""
27severity = "medium"
28tags = [
29    "Domain: Cloud",
30    "Data Source: Azure",
31    "Data Source: Microsoft Entra ID",
32    "Use Case: Identity and Access Audit",
33    "Tactic: Credential Access",
34]
35timestamp_override = "event.ingested"
36type = "query"
37
38query = '''
39 event.dataset:(azure.activitylogs or azure.signinlogs)
40    and azure.signinlogs.properties.authentication_protocol:deviceCode
41    and azure.signinlogs.properties.conditional_access_audiences.application_id:29d9ed98-a469-4536-ade2-f981bc1d605e
42    and event.outcome:success or (
43        azure.activitylogs.properties.appId:29d9ed98-a469-4536-ade2-f981bc1d605e
44        and azure.activitylogs.properties.authentication_protocol:deviceCode)
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1528"
52name = "Steal Application Access Token"
53reference = "https://attack.mitre.org/techniques/T1528/"
54
55
56[rule.threat.tactic]
57id = "TA0006"
58name = "Credential Access"
59reference = "https://attack.mitre.org/tactics/TA0006/"
