First Occurrence of Entra ID Auth via DeviceCode Protocol

Identifies when a user is observed for the first time in the last 14 days authenticating using the deviceCode protocol. The device code authentication flow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/10/14"
integration = ["azure"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic", "Matteo Potito Giorgio"]
description = """
Identifies when a user is observed for the first time in the last 14 days authenticating using the deviceCode protocol. The device code authentication flow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords.
"""
from = "now-9m"
index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "First Occurrence of Entra ID Auth via DeviceCode Protocol"
references = [
    "https://aadinternals.com/post/phishing/",
    "https://www.blackhillsinfosec.com/dynamic-device-code-phishing/"
]
risk_score = 47
rule_id = "af22d970-7106-45b4-b5e3-460d15333727"
setup = """
This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected.
"""
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset:(azure.activitylogs or azure.signinlogs) and
    (azure.signinlogs.properties.authentication_protocol:deviceCode or azure.activitylogs.properties.authentication_protocol:deviceCode) and event.outcome:success
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol

The DeviceCode protocol facilitates authentication for devices lacking keyboards, streamlining user access without manual credential entry. However, attackers can exploit this by phishing users to capture access tokens, enabling unauthorized access. The detection rule identifies new instances of this protocol use, flagging potential misuse by monitoring successful authentications within a 14-day window, thus aiding in early threat detection.

### Possible investigation steps

- Review the event logs to confirm the presence of the deviceCode protocol in the authentication process by checking the fields azure.signinlogs.properties.authentication_protocol or azure.activitylogs.properties.authentication_protocol.
- Verify the event outcome by examining the event.outcome field to ensure the authentication was successful.
- Identify the user associated with the authentication attempt and review their recent activity for any anomalies or signs of compromise.
- Check the device information to determine if the authentication was performed on a device that typically lacks a keyboard, which would justify the use of the deviceCode protocol.
- Investigate any recent phishing attempts or suspicious communications that could have targeted the user to capture their access tokens.
- Assess the risk score and severity to prioritize the investigation and determine if immediate action is required to mitigate potential threats.

### False positive analysis

- Legitimate device setup activities may trigger alerts when new devices without keyboards are being configured. To manage this, maintain a list of known devices and exclude their initial setup from triggering alerts.
- Regular use of shared devices in environments like conference rooms or kiosks can result in repeated alerts. Implement a policy to track and whitelist these shared devices to prevent unnecessary alerts.
- Automated scripts or applications using the deviceCode protocol for legitimate purposes might be flagged. Identify and document these scripts, then create exceptions for their activity to avoid false positives.
- Users who frequently travel and use different devices may trigger alerts. Monitor and verify these users' travel patterns and device usage, and consider excluding their known travel-related activities from the rule.

### Response and remediation

- Immediately revoke the access tokens associated with the suspicious deviceCode authentication to prevent further unauthorized access.
- Conduct a thorough review of the affected user's account activity to identify any unauthorized actions or data access that may have occurred.
- Reset the credentials of the affected user and enforce multi-factor authentication (MFA) to enhance account security.
- Isolate any devices that were authenticated using the deviceCode protocol to prevent potential lateral movement within the network.
- Notify the security operations team and escalate the incident to ensure a coordinated response and further investigation into potential phishing attempts.
- Implement additional monitoring for anomalous deviceCode protocol usage across the organization to detect similar threats in the future.
- Review and update access policies to restrict the use of the deviceCode protocol to only those devices and scenarios where it is absolutely necessary."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"


[rule.new_terms]
field = "new_terms_fields"
value = ["azure.signinlogs.properties.user_principal_name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
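The query plus the new_terms settings above are what actually decide when an alert fires. The Python below is an added example, not part of Elastic's rule or detection engine: it re-implements that logic over constructed sign-in documents so the 14-day first-occurrence behaviour (alert on a user's first deviceCode success, suppress repeats inside the window, alert again once the window has lapsed) can be checked offline. Field names are the rule's own; the events, user names and the `_signin` helper are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

HISTORY_WINDOW = timedelta(days=14)  # rule.new_terms history_window_start = "now-14d"

def get_path(doc, path):
    """Walk a dotted ECS field path (e.g. 'event.outcome') through nested dicts."""
    for part in path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def matches_query(ev):
    """The rule's KQL: either dataset, deviceCode protocol, successful outcome."""
    if get_path(ev, "event.dataset") not in ("azure.activitylogs", "azure.signinlogs"):
        return False
    proto = (get_path(ev, "azure.signinlogs.properties.authentication_protocol")
             or get_path(ev, "azure.activitylogs.properties.authentication_protocol"))
    return proto == "deviceCode" and get_path(ev, "event.outcome") == "success"

def first_occurrences(events):
    """new_terms step: alert when the user_principal_name of a matching event was not seen
    in another matching event during the 14 days before this event's ingestion time."""
    matched = sorted((e for e in events if matches_query(e)), key=lambda e: e["event"]["ingested"])
    last_seen, alerts = {}, []
    for ev in matched:
        upn = get_path(ev, "azure.signinlogs.properties.user_principal_name")
        if upn is None:  # document lacks the new-terms field, so it yields no term
            continue
        ts = ev["event"]["ingested"]
        if upn not in last_seen or ts - last_seen[upn] > HISTORY_WINDOW:
            alerts.append(ev)
        last_seen[upn] = ts
    return alerts

def _signin(day, upn, proto, outcome, dataset="azure.signinlogs"):
    """Constructed (not real) Azure log document, `day` days after a fixed epoch."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    props = {"authentication_protocol": proto, **({"user_principal_name": upn} if upn else {})}
    return {"event": {"dataset": dataset, "outcome": outcome, "ingested": t0 + timedelta(days=day)},
            "azure": {dataset.split(".")[1]: {"properties": props}}}

SAMPLE_EVENTS = [  # constructed sample data
    _signin(0, "alice@example.com", "deviceCode", "success"),   # first sighting -> alert
    _signin(5, "alice@example.com", "deviceCode", "success"),   # inside 14d -> suppressed
    _signin(6, "bob@example.com", "deviceCode", "failure"),     # failed sign-in: no hit
    _signin(7, "bob@example.com", "ropc", "success"),           # other protocol: no hit
    _signin(20, "alice@example.com", "deviceCode", "success"),  # 15d since last -> alert again
    _signin(21, None, "deviceCode", "success", "azure.activitylogs"),  # no UPN: no term
]
```

Running `first_occurrences(SAMPLE_EVENTS)` returns the two alice events (day 0 and day 20); the activitylogs document matches the query but carries no user_principal_name, which is why the rule's new-terms field only lists the signinlogs path.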
