LoFP LoFP / authorized red team or audit activity (roadrecon, roadtools, aadinternals, roadtx). document the engagement window and add exceptions on the calling user.

Techniques

Sample rules

Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration

Description

Correlates a successful Entra ID device-code sign-in to the legacy Azure AD Graph audience (00000002-0000-0000-c000-000000000000) from an unmanaged device with directory enumeration against graph.windows.net by the same user within a short window. Device-code phishing is the dominant OAuth phishing variant against Microsoft tenants: the adversary initiates the flow, relays the user-facing code to the victim, and on redemption walks away with an access or refresh token bound to the targeted resource without ever handling the user’s password or MFA factor. When the redeemed audience is AAD Graph and the redeeming device is unmanaged, the follow-on Graph traffic is the compromised cloud account being used by the attacker, not by the user. This rule fires when that token is immediately turned around against the directory under the same identity to read user, group, service principal, application, role assignment, directory object, policy, OAuth permission grant, or tenant detail collections.

Detection logic

sequence by user.id, azure.tenant_id with maxspan=5m
[authentication where
    data_stream.dataset == "azure.signinlogs" and
    event.outcome == "success" and
    azure.signinlogs.properties.authentication_protocol == "deviceCode" and
    azure.signinlogs.properties.device_detail.is_managed == false and
    azure.signinlogs.properties.resource_id == "00000002-0000-0000-c000-000000000000"]
[web where
    data_stream.dataset == "azure.aadgraphactivitylogs" and
    url.path : (
        "*/users*",
        "*/groups*",
        "*/servicePrincipals*",
        "*/applications*",
        "*/applicationRefs*",
        "*/devices*",
        "*/directoryRoles*",
        "*/roleAssignments*",
        "*/eligibleRoleAssignments*",
        "*/roleDefinitions*",
        "*/directoryObjects*",
        "*/policies*",
        "*/oauth2PermissionGrants*",
        "*/administrativeUnits*",
        "*/tenantDetails*",
        "*/directorySettingTemplates*",
        "*/me*"
    )]