This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated.

Techniques

Sample rules

Primary Refresh Token Access Attempt

Description

Indicates an access attempt to the PRT resource, which can be used to move laterally into an organization or perform credential theft.

Detection logic

condition: selection
selection:
  riskEventType: attemptedPrtAccess