Techniques
Sample rules
Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration
- source: elastic
- technicques:
- T1069
- T1078
- T1087
- T1526
- T1528
Description
Correlates a successful Entra ID device-code sign-in to the legacy Azure AD Graph audience (00000002-0000-0000-c000-000000000000) from an unmanaged device with directory enumeration against graph.windows.net by the same user within a short window. Device-code phishing is the dominant OAuth phishing variant against Microsoft tenants: the adversary initiates the flow, relays the user-facing code to the victim, and on redemption walks away with an access or refresh token bound to the targeted resource without ever handling the user’s password or MFA factor. When the redeemed audience is AAD Graph and the redeeming device is unmanaged, the follow-on Graph traffic is the compromised cloud account being used by the attacker, not by the user. This rule fires when that token is immediately turned around against the directory under the same identity to read user, group, service principal, application, role assignment, directory object, policy, OAuth permission grant, or tenant detail collections.
Detection logic
sequence by user.id, azure.tenant_id with maxspan=5m
[authentication where
data_stream.dataset == "azure.signinlogs" and
event.outcome == "success" and
azure.signinlogs.properties.authentication_protocol == "deviceCode" and
azure.signinlogs.properties.device_detail.is_managed == false and
azure.signinlogs.properties.resource_id == "00000002-0000-0000-c000-000000000000"]
[web where
data_stream.dataset == "azure.aadgraphactivitylogs" and
url.path : (
"*/users*",
"*/groups*",
"*/servicePrincipals*",
"*/applications*",
"*/applicationRefs*",
"*/devices*",
"*/directoryRoles*",
"*/roleAssignments*",
"*/eligibleRoleAssignments*",
"*/roleDefinitions*",
"*/directoryObjects*",
"*/policies*",
"*/oauth2PermissionGrants*",
"*/administrativeUnits*",
"*/tenantDetails*",
"*/directorySettingTemplates*",
"*/me*"
)]