
Primary Refresh Token Access Attempt

Indicates an access attempt to the Primary Refresh Token (PRT) resource, which can be used to move laterally within an organization or to perform credential theft.

Author: Mark Morowczynski, Gloria Lee
Created: Thu Sep 07
Rule ID: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1
Category: cloud
Log Source
Product: azure
Service: riskdetection
Detection Logic
detection:
    selection:
        riskEventType: 'attemptedPrtAccess'
    condition: selection
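As an added example (not part of the rule or the Sigma project), the selection above applied in Python to constructed riskDetection records: the matcher follows Sigma's default case-insensitive string comparison, so the rule fires on the two PRT records and ignores the others. The field names beyond riskEventType (riskLevel, userPrincipalName) are assumed from the Entra ID Protection riskDetection schema; all ids and principal names are placeholders.

```python
import json

# The single field/value pair from the Sigma rule's selection on this page.
SELECTION = {"riskEventType": "attemptedPrtAccess"}


def sigma_match(event: dict, selection: dict) -> bool:
    """Return True when every field in the selection matches the event.

    Sigma compares strings case-insensitively by default, so both sides are
    case-folded before comparison. A field missing from the event never matches.
    """
    for field, expected in selection.items():
        actual = event.get(field)
        if actual is None:
            return False
        if str(actual).casefold() != str(expected).casefold():
            return False
    return True


def alert_on_prt_access(events):
    """Run the rule over riskDetection records and return the ones that match."""
    return [e for e in events if sigma_match(e, SELECTION)]


# Constructed sample records shaped like Entra ID Protection riskDetection
# entries (assumed schema). Ids and principal names are placeholders.
SAMPLE_EVENTS = [
    {"id": "placeholder-1", "riskEventType": "attemptedPrtAccess",
     "riskLevel": "high", "userPrincipalName": "user1@example.com"},
    {"id": "placeholder-2", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "medium", "userPrincipalName": "user2@example.com"},
    # Same event type in a different case: Sigma still treats this as a match.
    {"id": "placeholder-3", "riskEventType": "ATTEMPTEDPRTACCESS",
     "riskLevel": "high", "userPrincipalName": "user3@example.com"},
    # No riskEventType at all: must not match.
    {"id": "placeholder-4", "riskLevel": "low",
     "userPrincipalName": "user4@example.com"},
]

if __name__ == "__main__":
    for hit in alert_on_prt_access(SAMPLE_EVENTS):
        print(json.dumps(hit))
```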
False Positives

This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated.

Rule Metadata
Rule ID
a84fc3b1-c9ce-4125-8e74-bdcdb24021f1
Status
test
Level
high
Type
Detection
Created
Thu Sep 07
Path
rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml
Raw Tags
attack.t1528, attack.credential-access