Potential Azure Browser SSO Abuse
Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
Sigma rule (View on GitHub)
1title: Potential Azure Browser SSO Abuse
2id: 50f852e6-af22-4c78-9ede-42ef36aa3453
3status: test
4description: |
5 Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.
6 An attacker can use this to authenticate to Azure AD in a browser as that user.
7references:
8 - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
9author: Den Iuzvyk
10date: 2020-07-15
11modified: 2023-04-18
12tags:
13 - attack.defense-evasion
14 - attack.privilege-escalation
15 - attack.t1574.002
16logsource:
17 category: image_load
18 product: windows
19detection:
20 selection:
21 ImageLoaded: 'C:\Windows\System32\MicrosoftAccountTokenProvider.dll'
22 filter_main_bgtaskhost:
23 Image|startswith:
24 - 'C:\Windows\System32\'
25 - 'C:\Windows\SysWOW64\'
26 Image|endswith: '\BackgroundTaskHost.exe'
27 # CommandLine|contains: '-ServerNameBackgroundTaskHost.WebAccountProvider'
28 filter_optional_devenv:
29 Image|startswith:
30 - 'C:\Program Files\Microsoft Visual Studio\'
31 - 'C:\Program Files (x86)\Microsoft Visual Studio\'
32 Image|endswith: '\IDE\devenv.exe'
33 filter_optional_ie:
34 Image:
35 - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
36 - 'C:\Program Files\Internet Explorer\iexplore.exe'
37 filter_optional_edge_1:
38 - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
39 - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
40 - Image:
41 - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
42 - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
43 filter_optional_edge_2:
44 Image|startswith:
45 - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
46 - 'C:\Program Files\Microsoft\EdgeCore\'
47 Image|endswith:
48 - '\msedge.exe'
49 - '\msedgewebview2.exe'
50 filter_optional_onedrive:
51 Image|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
52 filter_optional_null:
53 Image: null
54 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
55falsepositives:
56 - False positives are expected since this rules is only looking for the DLL load event. This rule is better used in correlation with related activity
57level: low
References
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Microsoft Office DLL Sideload