Type: Detection | Level: low | Status: test

Potential Azure Browser SSO Abuse

Detects potential abuse of Azure Browser SSO, in which OAuth 2.0 refresh tokens are requested for a Windows user who is authenticated to Azure AD (i.e. the machine is joined to Azure AD and the user logs in with their Azure AD account) so that SSO authentication can be performed in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

Author: Den Iuzvyk
Created: Wed Jul 15
Updated: Tue Apr 18
Rule ID: 50f852e6-af22-4c78-9ede-42ef36aa3453
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (8 selectors)
detection:
    selection:
        ImageLoaded: 'C:\Windows\System32\MicrosoftAccountTokenProvider.dll'
    filter_main_bgtaskhost:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
        Image|endswith: '\BackgroundTaskHost.exe'
        # CommandLine|contains: '-ServerNameBackgroundTaskHost.WebAccountProvider'
    filter_optional_devenv:
        Image|startswith:
            - 'C:\Program Files\Microsoft Visual Studio\'
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
        Image|endswith: '\IDE\devenv.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_onedrive:
        Image|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
    filter_optional_null:
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
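To see how the selection and the filter blocks above combine under the rule's condition, here is an added evaluator written in Python for this page. It is not code from SigmaHQ or from the rule author; it re-implements the rule's selection and filters as plain functions and runs them over constructed image_load event dictionaries. The event contents, the process paths in them and the helper names are assumptions made for illustration.

```python
"""Reference evaluator for the Sigma rule above (added example, not SigmaHQ code).

Re-implements the rule's selection and filter blocks so each exclusion can be
exercised against constructed image_load events. Field names (Image,
ImageLoaded) are the Sigma image_load fields; matching is case-insensitive,
as Sigma's default string comparison is.
"""

TOKEN_PROVIDER_DLL = 'C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll'
SYSTEM_DIRS = ('C:\\Windows\\System32\\', 'C:\\Windows\\SysWOW64\\')
VS_DIRS = ('C:\\Program Files\\Microsoft Visual Studio\\',
           'C:\\Program Files (x86)\\Microsoft Visual Studio\\')
IE_IMAGES = ('C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe',
             'C:\\Program Files\\Internet Explorer\\iexplore.exe')
EDGE_IMAGES = ('C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe',
               'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe')
EDGECORE_DIRS = ('C:\\Program Files (x86)\\Microsoft\\EdgeCore\\',
                 'C:\\Program Files\\Microsoft\\EdgeCore\\')

def _lc(value):
    """Lower-case strings; leave None (a missing field) untouched."""
    return value.lower() if isinstance(value, str) else value

def _startswith(value, prefixes):
    v = _lc(value)
    return isinstance(v, str) and any(v.startswith(p.lower()) for p in prefixes)

def _endswith(value, suffixes):
    v = _lc(value)
    return isinstance(v, str) and any(v.endswith(s.lower()) for s in suffixes)

def _equals(value, candidates):
    return _lc(value) in {c.lower() for c in candidates}

def selection(ev):
    return _equals(ev.get('ImageLoaded'), (TOKEN_PROVIDER_DLL,))

def filter_main_bgtaskhost(ev):
    # Both the system-directory prefix and the image name must hold (AND within a map).
    img = ev.get('Image')
    return _startswith(img, SYSTEM_DIRS) and _endswith(img, ('\\BackgroundTaskHost.exe',))

def filter_optional_devenv(ev):
    img = ev.get('Image')
    return _startswith(img, VS_DIRS) and _endswith(img, ('\\IDE\\devenv.exe',))

def filter_optional_ie(ev):
    return _equals(ev.get('Image'), IE_IMAGES)

def filter_optional_edge_1(ev):
    # A YAML list of maps is OR-ed in Sigma: any single entry suffices.
    img = ev.get('Image')
    return (_startswith(img, ('C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\',))
            or _endswith(img, ('\\WindowsApps\\MicrosoftEdge.exe',))
            or _equals(img, EDGE_IMAGES))

def filter_optional_edge_2(ev):
    img = ev.get('Image')
    return _startswith(img, EDGECORE_DIRS) and _endswith(img, ('\\msedge.exe', '\\msedgewebview2.exe'))

def filter_optional_onedrive(ev):
    return _endswith(ev.get('Image'), ('\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',))

def filter_optional_null(ev):
    # 'Image: null' matches events that carry no Image field at all.
    return ev.get('Image') is None

FILTERS = (filter_main_bgtaskhost, filter_optional_devenv, filter_optional_ie,
           filter_optional_edge_1, filter_optional_edge_2,
           filter_optional_onedrive, filter_optional_null)

def evaluate(ev):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

    Returns 'alert', 'no-selection', or 'filtered:<filter name>' so an analyst
    can see which exclusion suppressed a candidate event."""
    if not selection(ev):
        return 'no-selection'
    for flt in FILTERS:
        if flt(ev):
            return 'filtered:' + flt.__name__
    return 'alert'

# Constructed sample events for illustration; these are not real telemetry.
SAMPLE_EVENTS = {
    'unknown_process': {'Image': 'C:\\Users\\alice\\AppData\\Local\\Temp\\unknown_tool.exe',
                        'ImageLoaded': TOKEN_PROVIDER_DLL},
    'bgtaskhost': {'Image': 'C:\\Windows\\System32\\BackgroundTaskHost.exe',
                   'ImageLoaded': TOKEN_PROVIDER_DLL},
    'edge': {'Image': 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe',
             'ImageLoaded': TOKEN_PROVIDER_DLL},
    'no_image_field': {'ImageLoaded': TOKEN_PROVIDER_DLL},
    'other_dll': {'Image': 'C:\\Users\\alice\\AppData\\Local\\Temp\\unknown_tool.exe',
                  'ImageLoaded': 'C:\\Windows\\System32\\kernel32.dll'},
}

if __name__ == '__main__':
    for name, ev in SAMPLE_EVENTS.items():
        print(f'{name:16} -> {evaluate(ev)}')
```

Two details of the rule stand out when it is run this way. The path prefix in filter_main_bgtaskhost matters: a BackgroundTaskHost.exe located outside System32 or SysWOW64 still produces an alert. And filter_optional_null silently drops every event whose Image field is missing, so a log source that does not populate Image will never fire this rule; that is worth checking before relying on it for correlation.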
False Positives

False positives are expected, since this rule only looks for the DLL load event. This rule is better used in correlation with related activity.

Rule Metadata
Rule ID
50f852e6-af22-4c78-9ede-42ef36aa3453
Status
test
Level
low
Type
Detection
Created
Wed Jul 15
Modified
Tue Apr 18
Path
rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml
Raw Tags
attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001