Detectionmediumtest

Application Using Device Code Authentication Flow

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Mark Morowczynski, Bailey BercikCreated Wed Jun 01248649b7-d64f-46f0-9fb2-a52774166fb5cloud

Log Source

Azuresigninlogs

ProductAzure← raw: azure

Servicesigninlogs← raw: signinlogs

Detection Logic

detection:
    selection:
        properties.message: Device Code
    condition: selection

False Positives

Applications that are input constrained will need to use device code flow and are valid authentications.

References

Resolving title…

learn.microsoft.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0003 · Persistence TA0004 · Privilege Escalation TA0001 · Initial Access

Techniques

T1078 · Valid Accounts

Rule Metadata

Rule ID

248649b7-d64f-46f0-9fb2-a52774166fb5

Status

test

Level

medium

Type

Detection

Created

Wed Jun 01

Author

Mark Morowczynski, Bailey Bercik

Path

rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml

Raw Tags

attack.t1078attack.defense-evasionattack.persistenceattack.privilege-escalationattack.initial-access

View on GitHub