LoFP: Users on VPNs, carrier NAT, or cloud egress that map to flagged ASNs may match. Legitimate bulk enrollment or scripted onboarding that uses the same OAuth client can also produce the sequence. Baseline `source.as.organization.name` and successful registration sources before adding exclusions.

Sample rules

Google Workspace Device Registration After OAuth from Suspicious ASN

Description

Detects when a Google Workspace account completes OAuth authorization for a specific Google OAuth client from a high-risk autonomous system number (ASN), followed within 30 seconds by a device registration event with account state REGISTERED. This sequence can indicate device enrollment or join flows initiated from attacker-controlled or residential-proxy infrastructure after a user authorizes a sensitive client.

Detection logic

sequence by user.name with maxspan=30s
  [iam where data_stream.dataset == "google_workspace.token" and event.action == "authorize" and
      google_workspace.token.client.id == "77185425430.apps.googleusercontent.com" and
      source.as.number in (9009, 45102, 215540, 29802, 62240, 204957, 395092)]
  [any where data_stream.dataset == "google_workspace.device" and google_workspace.device.account_state == "REGISTERED"]
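The sequence above is expressed in EQL, which only an Elastic stack can run. The following is an added example, not part of the original rule page, that re-implements the same correlation in plain Python over constructed Google Workspace events so the matching behaviour can be checked offline: stage 1 is an OAuth authorize for the page's client ID from one of the flagged ASNs, stage 2 is a device registration with account state REGISTERED, events are joined on user.name, and the pair must fall within 30 seconds. It also shows the exclusion the LoFP note asks for, an allowlist of baselined `source.as.organization.name` values. The client ID, ASN list and field names are copied from the rule; the user names, timestamps and AS organization names are constructed, and the pairing logic is a simplification of EQL sequence semantics (one pending stage-1 per user, a newer one replaces the older).

```python
"""Plain-Python re-implementation of the EQL sequence on this page, for
offline testing of the correlation logic. Not the rule's own code."""
from datetime import datetime, timedelta, timezone

# Values copied from the rule's detection logic.
OAUTH_CLIENT_ID = "77185425430.apps.googleusercontent.com"
FLAGGED_ASNS = {9009, 45102, 215540, 29802, 62240, 204957, 395092}
MAXSPAN = timedelta(seconds=30)


def is_stage1(ev):
    """OAuth authorize for the sensitive client from a flagged ASN."""
    return (ev.get("data_stream.dataset") == "google_workspace.token"
            and ev.get("event.action") == "authorize"
            and ev.get("google_workspace.token.client.id") == OAUTH_CLIENT_ID
            and ev.get("source.as.number") in FLAGGED_ASNS)


def is_stage2(ev):
    """Device registration event with account state REGISTERED."""
    return (ev.get("data_stream.dataset") == "google_workspace.device"
            and ev.get("google_workspace.device.account_state") == "REGISTERED")


def find_sequences(events, allowlisted_orgs=frozenset()):
    """Return (user, t_stage1, t_stage2) for each stage-1 event followed, for
    the same user.name and within MAXSPAN, by a stage-2 event.

    Stage-1 events whose AS organization is in allowlisted_orgs are skipped;
    this is the baseline exclusion the LoFP note recommends. Simplification of
    EQL semantics: one pending stage-1 per user, a newer one replaces it, and
    a pending stage-1 is dropped once a stage-2 arrives past the window.
    """
    pending = {}   # user.name -> timestamp of the unmatched stage-1 event
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        user, ts = ev["user.name"], ev["@timestamp"]
        if is_stage1(ev):
            if ev.get("source.as.organization.name") in allowlisted_orgs:
                continue
            pending[user] = ts
        elif is_stage2(ev) and user in pending:
            gap = ts - pending[user]
            if timedelta(0) <= gap <= MAXSPAN:
                matches.append((user, pending[user], ts))
            del pending[user]   # either matched or window expired
    return matches


def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def _token(ts, user, asn, org):
    return {"@timestamp": _t(ts), "user.name": user,
            "data_stream.dataset": "google_workspace.token",
            "event.action": "authorize",
            "google_workspace.token.client.id": OAUTH_CLIENT_ID,
            "source.as.number": asn, "source.as.organization.name": org}


def _device(ts, user, state):
    return {"@timestamp": _t(ts), "user.name": user,
            "data_stream.dataset": "google_workspace.device",
            "google_workspace.device.account_state": state}


# Constructed sample events (users, times and org names are made up).
SAMPLE_EVENTS = [
    # alice: flagged ASN, registration 12 s later -> should match
    _token("2024-05-01T10:00:00", "alice@example.com", 9009, "EXAMPLE-ORG-A"),
    _device("2024-05-01T10:00:12", "alice@example.com", "REGISTERED"),
    # bob: flagged ASN, but registration 2 minutes later -> outside maxspan
    _token("2024-05-01T10:05:00", "bob@example.com", 45102, "EXAMPLE-ORG-B"),
    _device("2024-05-01T10:07:00", "bob@example.com", "REGISTERED"),
    # carol: same client, ASN not in the list -> stage 1 never fires
    _token("2024-05-01T10:10:00", "carol@example.com", 15169, "EXAMPLE-ORG-C"),
    _device("2024-05-01T10:10:05", "carol@example.com", "REGISTERED"),
    # dave: flagged ASN, but device state is not REGISTERED -> no stage 2
    _token("2024-05-01T10:20:00", "dave@example.com", 62240, "EXAMPLE-ORG-D"),
    _device("2024-05-01T10:20:10", "dave@example.com", "DISABLED"),
]


if __name__ == "__main__":
    for user, t1, t2 in find_sequences(SAMPLE_EVENTS):
        print(f"ALERT {user}: authorize {t1.isoformat()} -> registered {t2.isoformat()}")
    print("with EXAMPLE-ORG-A allowlisted:",
          find_sequences(SAMPLE_EVENTS, allowlisted_orgs={"EXAMPLE-ORG-A"}))
```

Running it reports only alice; bob, carol and dave each fail one condition of the rule. Passing an allowlist of baselined AS organization names suppresses alice as well, which is the kind of exclusion the LoFP note tells you to add only after confirming what normal enrollment traffic looks like.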