First Occurrence of Entra ID Auth via DeviceCode Protocol

Identifies when a user is observed for the first time in the last 14 days authenticating using the deviceCode protocol. The device code authentication flow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords.


 1[metadata]
 2creation_date = "2024/10/14"
 3integration = ["azure"]
 4maturity = "production"
 5updated_date = "2024/10/14"
 6
 7[rule]
 8author = ["Elastic", "Matteo Potito Giorgio"]
 9description = """
10Identifies when a user is observed for the first time in the last 14 days authenticating using the deviceCode protocol. The device code authentication flow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords.
11"""
12from = "now-9m"
13index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
14language = "kuery"
15license = "Elastic License v2"
16name = "First Occurrence of Entra ID Auth via DeviceCode Protocol"
17references =[
18    "https://aadinternals.com/post/phishing/", 
19    "https://www.blackhillsinfosec.com/dynamic-device-code-phishing/"
20]
21risk_score = 47
22rule_id = "af22d970-7106-45b4-b5e3-460d15333727"
23setup = """
24This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected.
25"""
26severity = "medium"
27tags = [
28    "Domain: Cloud",
29    "Data Source: Azure",
30    "Data Source: Microsoft Entra ID",
31    "Use Case: Identity and Access Audit",
32    "Tactic: Credential Access",
33]
34timestamp_override = "event.ingested"
35type = "new_terms"
36
37query = '''
38 event.dataset:(azure.activitylogs or azure.signinlogs) and 
39     (azure.signinlogs.properties.authentication_protocol:deviceCode or azure.activitylogs.properties.authentication_protocol:deviceCode) and event.outcome:success
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1528"
47name = "Steal Application Access Token"
48reference = "https://attack.mitre.org/techniques/T1528/"
49
50
51[rule.threat.tactic]
52id = "TA0006"
53name = "Credential Access"
54reference = "https://attack.mitre.org/tactics/TA0006/"
55
56
57[rule.new_terms]
58field = "new_terms_fields"
59value = ["azure.signinlogs.properties.user_principal_name"]
60[[rule.new_terms.history_window_start]]
61field = "history_window_start"
62value = "now-14d"
