Rule Library
Sigma Rules
50 rules found for "Mark Morowczynski"
3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest
Application Using Device Code Authentication Flow
Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
Azuresigninlogs
T1078 · Valid AccountsTA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege Escalation+1
Mark Morowczynski+1Wed Jun 01cloud
Detectionmediumtest
Applications That Are Using ROPC Authentication Flow
Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
Azuresigninlogs
T1078 · Valid AccountsTA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege Escalation+1
Mark Morowczynski+1Wed Jun 01cloud