Primary Refresh Token Access Attempt

Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft

Sigma rule (View on GitHub)

 1title: Primary Refresh Token Access Attempt
 2id: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1
 3status: test
 4description: Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt
 7    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 8author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 9date: 2023-09-07
10tags:
11    - attack.t1528
12    - attack.credential-access
13logsource:
14    product: azure
15    service: riskdetection
16detection:
17    selection:
18        riskEventType: 'attemptedPrtAccess'
19    condition: selection
20falsepositives:
21    - This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated.
22level: high

References

Related rules

to-top