Application Using Device Code Authentication Flow

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

Sigma rule (View on GitHub)

 1title: Application Using Device Code Authentication Flow
 2id: 248649b7-d64f-46f0-9fb2-a52774166fb5
 3status: test
 4description: |
 5    Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.
 6    If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.
 7    This can be a misconfigured application or potentially something malicious.    
 8references:
 9    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
10author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
11date: 2022-06-01
12tags:
13    - attack.t1078
14    - attack.defense-evasion
15    - attack.persistence
16    - attack.privilege-escalation
17    - attack.initial-access
18logsource:
19    product: azure
20    service: signinlogs
21detection:
22    selection:
23        properties.message: Device Code
24    condition: selection
25falsepositives:
26    - Applications that are input constrained will need to use device code flow and are valid authentications.
27level: medium

References

Related rules

to-top