Application Using Device Code Authentication Flow
Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
Sigma rule (View on GitHub)
1title: Application Using Device Code Authentication Flow
2id: 248649b7-d64f-46f0-9fb2-a52774166fb5
3status: test
4description: |
5 Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.
6 If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.
7 This can be a misconfigured application or potentially something malicious.
8references:
9 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
10author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
11date: 2022-06-01
12tags:
13 - attack.t1078
14 - attack.defense-evasion
15 - attack.persistence
16 - attack.privilege-escalation
17 - attack.initial-access
18logsource:
19 product: azure
20 service: signinlogs
21detection:
22 selection:
23 properties.message: Device Code
24 condition: selection
25falsepositives:
26 - Applications that are input constrained will need to use device code flow and are valid authentications.
27level: medium
References
Related rules
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address
- Applications That Are Using ROPC Authentication Flow
- Atypical Travel
- Azure AD Threat Intelligence