Potential Azure Browser SSO Abuse
- source: sigma
- techniques:
  - t1574
  - t1574.002
Description
Detects abuse of Azure Browser SSO: requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (the machine is joined to Azure AD and the user signed in with their Azure AD account) in order to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user. The rule keys on a process other than the expected Windows, browser and Office binaries loading MicrosoftAccountTokenProvider.dll.
Detection logic
selection:
  ImageLoaded: C:\Windows\System32\MicrosoftAccountTokenProvider.dll
filter_main_bgtaskhost:
  Image|endswith: \BackgroundTaskHost.exe
  Image|startswith:
    - C:\Windows\System32\
    - C:\Windows\SysWOW64\
filter_optional_devenv:
  Image|endswith: \IDE\devenv.exe
  Image|startswith:
    - C:\Program Files\Microsoft Visual Studio\
    - C:\Program Files (x86)\Microsoft Visual Studio\
filter_optional_edge_1:
  - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\
  - Image|endswith: \WindowsApps\MicrosoftEdge.exe
  - Image:
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      - C:\Program Files\Microsoft\Edge\Application\msedge.exe
filter_optional_edge_2:
  Image|endswith:
    - \msedge.exe
    - \msedgewebview2.exe
  Image|startswith:
    - C:\Program Files (x86)\Microsoft\EdgeCore\
    - C:\Program Files\Microsoft\EdgeCore\
filter_optional_ie:
  Image:
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    - C:\Program Files\Internet Explorer\iexplore.exe
filter_optional_null:
  Image: null
filter_optional_onedrive:
  Image|endswith: \AppData\Local\Microsoft\OneDrive\OneDrive.exe
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
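To show how the condition above evaluates against image-load telemetry, here is an added example (not the Sigma project's code) that implements the rule's operators and runs them over constructed Sysmon Event ID 7 style events; only the main filter, edge_1 and the null filter are reproduced, the other optional filters have the same two shapes.

```python
# Added example (not Sigma's own code): a minimal matcher for the operators this
# rule uses (exact, |startswith, |endswith, null), run over constructed events.
DLL = "C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll"
RULE = {
    "selection": {"ImageLoaded": DLL},
    "filter_main_bgtaskhost": {                 # map: entries are AND-ed
        "Image|endswith": "\\BackgroundTaskHost.exe",
        "Image|startswith": ["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"],
    },
    "filter_optional_edge_1": [                 # list of maps: OR-ed
        {"Image|startswith": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\"},
        {"Image|endswith": "\\WindowsApps\\MicrosoftEdge.exe"},
        {"Image": ["C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
                   "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"]},
    ],
    "filter_optional_null": {"Image": None},    # event carrying no Image field at all
}

def _field_matches(event, key, expected):
    """One 'Field|modifier: value(s)' entry; a list of values is OR-ed, compared case-insensitively."""
    field, _, mod = key.partition("|")
    actual = event.get(field)
    if expected is None or actual is None:      # 'Field: null' matches only an absent field
        return expected is None and actual is None
    a = actual.lower()
    ops = {"": a.__eq__, "startswith": a.startswith, "endswith": a.endswith}
    values = expected if isinstance(expected, list) else [expected]
    return any(ops[mod](v.lower()) for v in values)

def _block_matches(event, block):
    if isinstance(block, list):
        return any(_block_matches(event, b) for b in block)
    return all(_field_matches(event, k, v) for k, v in block.items())

def matches_rule(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    filters = (b for n, b in RULE.items() if n.startswith("filter_"))
    return _block_matches(event, RULE["selection"]) and not any(_block_matches(event, f) for f in filters)

# Constructed events, not real telemetry.
EVENTS = [
    {"Image": "c:\\windows\\system32\\backgroundtaskhost.exe", "ImageLoaded": DLL},        # filter_main
    {"Image": "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe", "ImageLoaded": DLL},  # edge_1
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "ImageLoaded": DLL},   # alerts
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},
]

def alerts(events=EVENTS):
    """Image paths of the events the rule fires on."""
    return [e["Image"] for e in events if matches_rule(e)]
```

Note that the main filter ANDs its two conditions, so a BackgroundTaskHost.exe copy running outside System32 or SysWOW64 still alerts.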