Description
During OAuth phishing or after an initial compromise, a well-equipped adversary may register a virtual cloud device in Entra ID and assign it to a user. Registration gives the adversary a PEM certificate and private key that can be exchanged for a Primary Refresh Token (PRT). The PRT then acts as a token-granting token, and subsequent activity, such as the sign-ins reported for security token requests, carries that specific device ID. The technique is mainly used for persistence.
A New Terms detection rule that fires when a device ID and user principal ID have not been seen together within a given history window should help surface this activity.
Target Ruleset
azure
Target Rule Type
New Terms
Tested ECS Version
No response
Query
event.dataset: "azure.signinlogs" and
event.category: "authentication" and
azure.signinlogs.properties.user_type: "Member" and
azure.signinlogs.properties.token_protection_status_details.sign_in_session_status: "unbound" and
not azure.signinlogs.properties.device_detail.device_id: "" and
azure.signinlogs.properties.user_principal_name: *
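To show how the proposed rule behaves against the query above, here is an added Python example (not part of this issue or of the Elastic rule set) that applies the same filters to constructed sign-in documents in the azure.signinlogs layout and then emulates New Terms semantics: an alert fires whenever the (user principal name, device ID) pair has not been observed within the preceding history window. The events, UPNs, device IDs and the 14-day window are all constructed assumptions.

```python
"""Toy New Terms detector for Entra ID sign-in events (constructed sample data).

Approximates an Elastic New Terms rule keyed on
(user_principal_name, device_id): an alert fires when that pair has not
been seen in the preceding history window. Filters mirror the KQL query
from the issue. Everything below is an added example, not project code.
"""
from datetime import datetime, timedelta


def make_event(ts, upn, device_id, user_type="Member", session_status="unbound"):
    """Build a constructed sign-in document in the nested azure.signinlogs layout."""
    return {
        "@timestamp": ts,
        "event": {"dataset": "azure.signinlogs", "category": "authentication"},
        "azure": {"signinlogs": {"properties": {
            "user_type": user_type,
            "user_principal_name": upn,
            "device_detail": {"device_id": device_id},
            "token_protection_status_details": {"sign_in_session_status": session_status},
        }}},
    }


# Constructed sample events; UPNs and device IDs are placeholders, not real data.
SAMPLE_EVENTS = [
    make_event("2024-01-01T08:00:00Z", "alice@example.com", "constructed-device-0001"),
    make_event("2024-01-05T09:30:00Z", "alice@example.com", "constructed-device-0001"),
    make_event("2024-01-06T10:00:00Z", "guest@partner.example", "constructed-device-0002",
               user_type="Guest"),                       # excluded: not a Member
    make_event("2024-01-07T11:00:00Z", "carol@example.com", ""),  # excluded: empty device_id
    make_event("2024-01-08T12:00:00Z", "dave@example.com", "constructed-device-0003",
               session_status="bound"),                  # excluded: session is bound
    make_event("2024-01-10T13:00:00Z", "alice@example.com", "constructed-device-0004"),
    make_event("2024-02-20T14:00:00Z", "alice@example.com", "constructed-device-0001"),
]


def get_path(doc, dotted, default=None):
    """Resolve a dotted ECS field name against a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


PROPS = "azure.signinlogs.properties."


def matches_query(ev):
    """Apply the same conditions as the issue's KQL query."""
    device_id = get_path(ev, PROPS + "device_detail.device_id")
    upn = get_path(ev, PROPS + "user_principal_name")
    return (
        get_path(ev, "event.dataset") == "azure.signinlogs"
        and get_path(ev, "event.category") == "authentication"
        and get_path(ev, PROPS + "user_type") == "Member"
        and get_path(ev, PROPS + "token_protection_status_details.sign_in_session_status") == "unbound"
        # KQL `not field: ""` rejects an empty string but still lets a missing field through.
        and device_id != ""
        # KQL `field: *` requires the field to exist.
        and upn is not None
    )


def new_terms_alerts(events, history_window_days=14):
    """Emit one alert per (user, device) pair not seen in the previous history window."""
    window = timedelta(days=history_window_days)
    last_seen = {}   # (upn, device_id) -> timestamp of the most recent matching sign-in
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):  # ISO-8601 sorts lexically
        if not matches_query(ev):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        upn = get_path(ev, PROPS + "user_principal_name")
        device_id = get_path(ev, PROPS + "device_detail.device_id")
        key = (upn, device_id)
        prev = last_seen.get(key)
        if prev is None or ts - prev > window:
            alerts.append({"timestamp": ev["@timestamp"], "user": upn, "device_id": device_id})
        last_seen[key] = ts
    return alerts


if __name__ == "__main__":
    for alert in new_terms_alerts(SAMPLE_EVENTS):
        print(alert)
```

Run as written, the detector alerts three times: the first time alice signs in from constructed-device-0001, the first time she signs in from constructed-device-0004, and again from constructed-device-0001 after the pair has been absent for longer than the 14-day window. The Guest, empty-device and bound-session events never reach the term tracker. One caveat worth noting from the `matches_query` comment: the KQL clause `not device_id: ""` does not require the field to be present, so documents with no device_detail at all would also match the query as written.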
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
- https://github.com/elastic/ia-trade-team/issues/642
- https://github.com/elastic/ia-trade-team/issues/590
References
Redacted Example Data
No response