Detectionmediumtest

Applications That Are Using ROPC Authentication Flow

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Mark Morowczynski, Bailey BercikCreated Wed Jun 0155695bc0-c8cf-461f-a379-2535f563c854cloud

Log Source

Azuresigninlogs

ProductAzure← raw: azure

Servicesigninlogs← raw: signinlogs

Detection Logic

detection:
    selection:
        properties.message: ROPC
    condition: selection

False Positives

Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow

References

Resolving title…

learn.microsoft.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0003 · Persistence TA0004 · Privilege Escalation TA0001 · Initial Access

Techniques

T1078 · Valid Accounts

Rule Metadata

Rule ID

55695bc0-c8cf-461f-a379-2535f563c854

Status

test

Level

medium

Type

Detection

Created

Wed Jun 01

Author

Mark Morowczynski, Bailey Bercik

Path

rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml

Raw Tags

attack.t1078attack.defense-evasionattack.persistenceattack.privilege-escalationattack.initial-access

View on GitHub