Applications That Are Using ROPC Authentication Flow

Aug 12, 2024 · attack.t1078 attack.defense-evasion attack.persistence attack.privilege-escalation attack.initial-access ·

Share on:

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

Sigma rule (View on GitHub)

 1title: Applications That Are Using ROPC Authentication Flow
 2id: 55695bc0-c8cf-461f-a379-2535f563c854
 3status: test
 4description: |
 5    Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.
 6    The application then uses those credentials to authenticate the user against the identity provider.    
 7references:
 8    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
 9author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
10date: 2022-06-01
11tags:
12    - attack.t1078
13    - attack.defense-evasion
14    - attack.persistence
15    - attack.privilege-escalation
16    - attack.initial-access
17logsource:
18    product: azure
19    service: signinlogs
20detection:
21    selection:
22        properties.message: ROPC
23    condition: selection
24falsepositives:
25    - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow
26level: medium

References

Microsoft Entra security operations for applications - Microsoft Entra

Learn how to monitor and alert on applications to identify security threats.

Read More

Applications That Are Using ROPC Authentication Flow

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for applications - Microsoft Entra

Related rules