The device code authentication flow is abused by attackers to phish users and steal access tokens in order to impersonate the victim. By design, the device code flow should only be used when signing in on devices without a keyboard, where entering an email and password is difficult; a successful device-code sign-in from an ordinary workstation or browser is therefore worth reviewing.
Even though a device code is only valid for 15 minutes, attackers can automatically renew it (see the referenced articles).
Required Info
Target indexes
filebeat-*, logs-azure.*
Additional requirements
Target Operating Systems
Azure
Platforms
Azure
Tested ECS Version
8.11.0
Optional Info
Query
event.dataset:azure.signinlogs and azure.properties.authentication_protocol:"deviceCode" and event.outcome:(Success or success)
New fields required in ECS/data sources for this rule?
Description
The device code authentication flow is abused by attackers to phish users and steal access tokens in order to impersonate the victim. By design, the device code flow should only be used when signing in on devices without a keyboard, where entering an email and password is difficult; a successful device-code sign-in from an ordinary workstation or browser is therefore worth reviewing.
Even though a device code is only valid for 15 minutes, attackers can automatically renew it (see the referenced articles).
Required Info
Target indexes
filebeat-*, logs-azure.*
Additional requirements
Target Operating Systems
Azure
Platforms
Azure
Tested ECS Version
8.11.0
Optional Info
Query
event.dataset:azure.signinlogs and azure.properties.authentication_protocol:"deviceCode" and event.outcome:(Success or success)
New fields required in ECS/data sources for this rule?
no
Related issues or PRs
References
https://aadinternals.com/post/phishing/
https://www.blackhillsinfosec.com/dynamic-device-code-phishing/
Example Data
{
"id": "816d3751-4665-4999-9aa5-4c1ff1fdce00",
"createdDateTime": "2024-04-11T15:05:26Z",
"userDisplayName": "prod prod",
"userPrincipalName": "admin@5cgj90.onmicrosoft.com",
"userId": "userId",
"appId": "appId",
"appDisplayName": "Microsoft Office",
"ipAddress": "189.127.81.187",
"ipAddressFromResourceProvider": null,
"clientAppUsed": "Mobile Apps and Desktop clients",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36",
"correlationId": "96a5ab74-b77c-47fd-995c-55c91291d738",
"conditionalAccessStatus": "notApplied",
"originalRequestId": "df1b5b91-c9fc-4063-9bf1-96729ddfae00",
"isInteractive": true,
"tokenIssuerName": "",
"tokenIssuerType": "AzureAD",
"clientCredentialType": "none",
"processingTimeInMilliseconds": 363,
"riskDetail": "userPassedMFADrivenByRiskBasedPolicy",
"riskLevelAggregated": "none",
"riskLevelDuringSignIn": "low",
"riskState": "remediated",
"riskEventTypes_v2": [
"anonymizedIPAddress"
],
"resourceDisplayName": "Microsoft Graph",
"resourceId": "00000003-0000-0000-c000-000000000000",
"resourceTenantId": "6312dfe9-cccc-4219-af94-2ab0e0b3b284",
"homeTenantId": "6312dfe9-cccc-4219-af94-2ab0e0b3b284",
"homeTenantName": "",
"authenticationMethodsUsed": [],
"authenticationRequirement": "multiFactorAuthentication",
"signInIdentifier": "",
"signInIdentifierType": null,
"servicePrincipalName": null,
"signInEventTypes": [
"interactiveUser"
],
"servicePrincipalId": "",
"federatedCredentialId": null,
"userType": "member",
"flaggedForReview": false,
"isTenantRestricted": false,
"autonomousSystemNumber": 9009,
"crossTenantAccessType": "none",
"servicePrincipalCredentialKeyId": null,
"servicePrincipalCredentialThumbprint": "",
"uniqueTokenIdentifier": "UTdtpWVGmUmapUwf8f3OAA",
"incomingTokenType": "none",
"authenticationProtocol": "deviceCode",
"resourceServicePrincipalId": "0a19e18e-567b-485",
"signInTokenProtectionStatus": "unbound",
"originalTransferMethod": "deviceCodeFlow",
"authenticationAppDeviceDetails": null,
"status": {
"errorCode": 0,
"failureReason": "Other.",
"additionalDetails": "MFA requirement satisfied by claim in the token"
},
"deviceDetail": {
"deviceId": "",
"displayName": "",
"operatingSystem": "Windows",
"browser": "Chrome 121.0.0",
"isCompliant": false,
"isManaged": false,
"trustType": ""
},
"location": {
"city": "Roma",
"state": "Roma",
"countryOrRegion": "IT",
"geoCoordinates": {
"altitude": null,
"latitude": 48.7755,
"longitude": 13.3063
}
},
"mfaDetail": {
"authMethod": null,
"authDetail": null
},
"appliedConditionalAccessPolicies": [
{
"id": "e460d57f-c088-48eb-b1df-ce34f7e4db71",
"displayName": "PolicyA",
"enforcedGrantControls": [
"Block"
],
"enforcedSessionControls": [],
"sessionControlsNotSatisfied": [],
"result": "notApplied",
"conditionsSatisfied": "none",
"conditionsNotSatisfied": "application",
"authenticationStrength": null,
"includeRulesSatisfied": [],
"excludeRulesSatisfied": []
}
],
"authenticationContextClassReferences": [],
"authenticationProcessingDetails": [
{
"key": "Root Key Type",
"value": "Unknown"
}
],
"networkLocationDetails": [],
"authenticationDetails": [
{
"authenticationStepDateTime": "2024-04-11T15:05:26Z",
"authenticationMethod": "Previously satisfied",
"authenticationMethodDetail": null,
"succeeded": true,
"authenticationStepResultDetail": "MFA requirement satisfied by claim in the token",
"authenticationStepRequirement": ""
}
],
"authenticationRequirementPolicies": [
{
"requirementProvider": "user",
"detail": "Per-user MFA"
}
],
"sessionLifetimePolicies": [],
"privateLinkDetails": {
"policyId": "",
"policyName": "",
"resourceId": "",
"policyTenantId": ""
},
"appliedEventListeners": [],
"authenticationAppPolicyEvaluationDetails": [],
"managedServiceIdentity": {
"msiType": "none",
"associatedResourceId": null,
"federatedTokenId": null,
"federatedTokenIssuer": null
}
}