Applications That Are Using ROPC Authentication Flow
Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
Sigma rule

title: Applications That Are Using ROPC Authentication Flow
id: 55695bc0-c8cf-461f-a379-2535f563c854
status: test
description: |
  Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.
  The application then uses those credentials to authenticate the user against the identity provider.
references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022/06/01
tags:
  - attack.t1078
  - attack.defense_evasion
  - attack.persistence
  - attack.privilege_escalation
  - attack.initial_access
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    properties.message: ROPC
  condition: selection
falsepositives:
  - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow
level: medium
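Added example, not part of the Sigma rule or its documentation: it evaluates the rule's `properties.message: ROPC` selection against constructed Azure sign-in log events and then separates hits into alerts and allowlisted exceptions, mirroring the falsepositives guidance above. The event field names other than `properties.message` (appDisplayName, userPrincipalName) and the allowlisted app name are assumptions for illustration.

```python
from typing import Any, Dict, List, Tuple

# The rule's detection block, transcribed from the YAML above.
SELECTION = {"properties.message": "ROPC"}

# Constructed sample sign-in events (field names besides properties.message are assumed).
EVENTS: List[Dict[str, Any]] = [
    {"appDisplayName": "LegacyPayrollSync", "userPrincipalName": "svc-payroll@example.com",
     "properties": {"message": "ROPC"}},
    {"appDisplayName": "Outlook", "userPrincipalName": "alice@example.com",
     "properties": {"message": "Browser"}},
    {"appDisplayName": "UnknownScript", "userPrincipalName": "bob@example.com",
     "properties": {"message": "ropc"}},   # Sigma string values match case-insensitively
    {"appDisplayName": "Teams", "userPrincipalName": "carol@example.com",
     "properties": {}},                    # field absent: the selection cannot match
]

# Apps accepted as the documented false positives (assumed, legacy/test apps).
ALLOWLIST = {"LegacyPayrollSync"}


def get_field(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted Sigma field name such as properties.message; None if absent."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def selection_matches(event: Dict[str, Any], selection: Dict[str, str]) -> bool:
    """Every field/value pair in a Sigma selection map must match (AND);
    a plain string value is an exact, case-insensitive comparison."""
    for field, expected in selection.items():
        actual = get_field(event, field)
        if not isinstance(actual, str) or actual.lower() != expected.lower():
            return False
    return True


def triage(events: List[Dict[str, Any]]) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Split matching events into (alerts, suppressed) using the app allowlist."""
    alerts, suppressed = [], []
    for ev in events:
        if selection_matches(ev, SELECTION):
            (suppressed if ev.get("appDisplayName") in ALLOWLIST else alerts).append(ev)
    return alerts, suppressed


if __name__ == "__main__":
    hits, known = triage(EVENTS)
    for ev in hits:
        print("ALERT ROPC sign-in:", ev["appDisplayName"], ev["userPrincipalName"])
    print(f"{len(known)} hit(s) suppressed by allowlist")
```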
Related rules
- Account Tampering - Suspicious Failed Logon Reasons
- Application Using Device Code Authentication Flow
- Azure AD Threat Intelligence
- Activity From Anonymous IP Address
- Atypical Travel