<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Device-Code-Authentication - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/device-code-authentication/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 15 Nov 2024 18:22:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/device-code-authentication/feed.xml" rel="self" type="application/rss+xml"/><item><title>Entra ID Device Code Authentication Abuse via Malicious Broker Client</title><link>https://feed.craftedsignal.io/briefs/2024-11-entra-id-device-code-auth/</link><pubDate>Fri, 15 Nov 2024 18:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-entra-id-device-code-auth/</guid><description>Adversaries are abusing Entra ID device code authentication using a malicious broker client to bypass MFA and gain unauthorized access to Azure resources by compromising Primary Refresh Tokens (PRTs).</description><content:encoded><![CDATA[<p>Threat actors are exploiting the device code authentication flow in Entra ID to compromise Primary Refresh Tokens (PRTs) and bypass multi-factor authentication (MFA). This involves the use of a malicious or compromised broker client application with the ID <code>29d9ed98-a469-4536-ade2-f981bc1d605e</code>. By successfully authenticating with this broker client, attackers can obtain valid PRTs, which are then used to access Azure resources without triggering MFA. This technique allows them to circumvent Conditional Access policies that rely on device-based controls. Successful exploitation can lead to unauthorized access to sensitive data, lateral movement within the Azure environment, and potential data exfiltration. This activity is typically observed in Azure Sign-In logs and Activity logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> The attacker compromises user credentials via phishing or other means (not specified in source, but implied).</li>
<li><strong>Device Code Authentication Initiation:</strong> The attacker initiates the device code authentication flow using the compromised credentials and a malicious application.</li>
<li><strong>Malicious Broker Client Application:</strong> The attacker uses a broker client application with the specific application ID <code>29d9ed98-a469-4536-ade2-f981bc1d605e</code>.</li>
<li><strong>Device Code Presentation:</strong> The user is prompted to enter a code on a separate device to authenticate.</li>
<li><strong>PRT Acquisition:</strong> Upon successful device code authentication, the attacker obtains a valid Primary Refresh Token (PRT).</li>
<li><strong>Bypass MFA &amp; Conditional Access:</strong> The PRT allows the attacker to bypass multi-factor authentication and Conditional Access policies that rely on device compliance.</li>
<li><strong>Resource Access:</strong> The attacker uses the PRT to access protected Azure resources and services without proper authorization.</li>
<li><strong>Lateral Movement/Data Exfiltration:</strong> The attacker moves laterally within the Azure environment or exfiltrates sensitive data, leveraging the unauthorized access gained through the compromised PRT.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to bypass multi-factor authentication and gain unauthorized access to Azure resources, leading to potential data breaches and lateral movement within the cloud environment. The impact includes unauthorized access to sensitive data, circumvention of device-based Conditional Access controls, and the potential for data exfiltration. The number of affected users and the scope of data breaches depend on the permissions associated with the compromised accounts.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Entra ID OAuth Device Code Grant by Microsoft Authentication Broker&quot; to detect successful sign-ins using device code authentication with the specified broker client application ID in your Azure environment.</li>
<li>Investigate and revoke any Primary Refresh Tokens (PRTs) associated with the broker client application ID <code>29d9ed98-a469-4536-ade2-f981bc1d605e</code> where unauthorized access is suspected.</li>
<li>Monitor Azure Sign-In logs (<code>logs-azure.signinlogs-*</code>) and Activity logs (<code>logs-azure.activitylogs-*</code>) for device code authentication events (<code>azure.signinlogs.properties.authentication_protocol:deviceCode</code>) associated with the malicious broker client.</li>
<li>Implement Conditional Access policies that enforce device compliance checks and restrict access to trusted locations or devices to mitigate the risk of PRT abuse.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>entra-id</category><category>device-code-authentication</category><category>prt</category></item></channel></rss>