Potential Azure Browser SSO Abuse
About the rule
Rule Type
Standard
Rule Description
Detects abuse of Azure Browser SSO: OAuth 2.0 refresh tokens are requested for an Azure AD-authenticated Windows user (the machine is joined to Azure AD and the user signed in with an Azure AD account) in order to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
Severity
Attention
Rule Requirement
Criteria
Action1: actionname = "sa_imageloaded" AND OBJECTNAME = "C:\Windows\System32\MicrosoftAccountTokenProvider.dll" AND (PROCESSNAME notstartswith "C:\Windows\System32\,C:\Windows\SysWOW64" OR PROCESSNAME notendswith "\BackgroundTaskHost.exe") AND ((PROCESSNAME notstartswith "C:\Program Files\Microsoft Visual Studio\,C:\Program Files (x86)\Microsoft Visual Studio" OR PROCESSNAME notendswith "\IDE\devenv.exe") AND PROCESSNAME != "C:\Program Files (x86)\Internet Explorer\iexplore.exe,C:\Program Files\Internet Explorer\iexplore.exe" AND (PROCESSNAME notstartswith "C:\Program Files (x86)\Microsoft\EdgeWebView\Application" AND PROCESSNAME notendswith "\WindowsApps\MicrosoftEdge.exe" AND PROCESSNAME != "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,C:\Program Files\Microsoft\Edge\Application\msedge.exe") AND (PROCESSNAME notstartswith "C:\Program Files (x86)\Microsoft\EdgeCore\,C:\Program Files\Microsoft\EdgeCore" OR PROCESSNAME notendswith "\msedge.exe,\msedgewebview2.exe") AND PROCESSNAME notendswith "\AppData\Local\Microsoft\OneDrive\OneDrive.exe" AND isExist(PROCESSNAME)) select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.PRODUCT_NAME,Action1.OBJECTNAME
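The criteria flag an image load of MicrosoftAccountTokenProvider.dll by any process other than the expected system, browser, Visual Studio and OneDrive loaders in the exclusion list. To make that exclusion logic concrete, here is an added Python re-implementation of the criteria (not the vendor's code) run over constructed image-load events; it assumes case-insensitive path matching and that a comma-separated value in the criteria means "any of the listed values".

```python
TOKEN_PROVIDER_DLL = "C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll"
# (prefixes, suffixes, exact paths): a process is excluded when every non-empty part
# matches, i.e. only when all of an entry's path conditions hold, as in the criteria.
# Assumption: paths compare case-insensitively.
EXCLUSIONS = [
    (("C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64"), ("\\BackgroundTaskHost.exe",), ()),
    (("C:\\Program Files\\Microsoft Visual Studio\\",
      "C:\\Program Files (x86)\\Microsoft Visual Studio"), ("\\IDE\\devenv.exe",), ()),
    ((), (), ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
              "C:\\Program Files\\Internet Explorer\\iexplore.exe")),
    (("C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application",), (), ()),
    ((), ("\\WindowsApps\\MicrosoftEdge.exe",), ()),
    ((), (), ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
              "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe")),
    (("C:\\Program Files (x86)\\Microsoft\\EdgeCore\\", "C:\\Program Files\\Microsoft\\EdgeCore"),
     ("\\msedge.exe", "\\msedgewebview2.exe"), ()),
    ((), ("\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",), ()),
]

def _excluded(proc):
    for prefixes, suffixes, exact in EXCLUSIONS:
        if ((not prefixes or any(proc.startswith(x.lower()) for x in prefixes))
                and (not suffixes or any(proc.endswith(x.lower()) for x in suffixes))
                and (not exact or proc in [x.lower() for x in exact])):
            return True
    return False

def matches_rule(event):
    """True when an event satisfies the criteria above, i.e. the rule should alert."""
    if (event.get("actionname") != "sa_imageloaded"
            or (event.get("OBJECTNAME") or "").lower() != TOKEN_PROVIDER_DLL.lower()):
        return False
    proc = event.get("PROCESSNAME")
    return bool(proc) and not _excluded(proc.lower())  # isExist(PROCESSNAME), then exclusions

def run_rule(events):
    """Apply the rule and return (HOSTNAME, PROCESSNAME) for every alerting event."""
    return [(e.get("HOSTNAME"), e.get("PROCESSNAME")) for e in events if matches_rule(e)]

def _ev(host, proc, obj=TOKEN_PROVIDER_DLL):  # builds one constructed sample event
    return {"actionname": "sa_imageloaded", "HOSTNAME": host, "PROCESSNAME": proc, "OBJECTNAME": obj}

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    _ev("WS01", "C:\\Windows\\System32\\BackgroundTaskHost.exe"),                # expected system loader
    _ev("WS01", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"),  # browser SSO, excluded
    _ev("WS02", "C:\\Windows\\System32\\svchost.exe"),                            # unexpected loader: alert
    _ev("WS03", "C:\\Users\\alice\\Downloads\\tool.exe"),                         # unexpected loader: alert
    _ev("WS03", "C:\\Users\\alice\\Downloads\\tool.exe", "C:\\Windows\\System32\\kernel32.dll"),  # other DLL
    _ev("WS04", None),                                                            # no PROCESSNAME: no alert
]
```

Only the two unexpected loaders on WS02 and WS03 survive the exclusions; tuning for a given estate means extending EXCLUSIONS with the same prefix/suffix/exact shape rather than loosening the DLL match.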
Detection
Execution Mode
realtime
Log Sources
Active Directory
Author
Den Iuzvyk


