{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/prt/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure","Entra ID"],"_cs_severities":["medium"],"_cs_tags":["azure","entra-id","device-code-authentication","prt"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThreat actors are exploiting the device code authentication flow in Entra ID to compromise Primary Refresh Tokens (PRTs) and bypass multi-factor authentication (MFA). This involves the use of a malicious or compromised broker client application with the ID \u003ccode\u003e29d9ed98-a469-4536-ade2-f981bc1d605e\u003c/code\u003e. By successfully authenticating with this broker client, attackers can obtain valid PRTs, which are then used to access Azure resources without triggering MFA. This technique allows them to circumvent Conditional Access policies that rely on device-based controls. Successful exploitation can lead to unauthorized access to sensitive data, lateral movement within the Azure environment, and potential data exfiltration. This activity is typically observed in Azure Sign-In logs and Activity logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e The attacker compromises user credentials via phishing or other means (not specified in source, but implied).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDevice Code Authentication Initiation:\u003c/strong\u003e The attacker initiates the device code authentication flow using the compromised credentials and a malicious application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Broker Client Application:\u003c/strong\u003e The attacker uses a broker client application with the specific application ID \u003ccode\u003e29d9ed98-a469-4536-ade2-f981bc1d605e\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDevice Code Presentation:\u003c/strong\u003e The user is prompted to enter a code on a separate device to authenticate.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePRT Acquisition:\u003c/strong\u003e Upon successful device code authentication, the attacker obtains a valid Primary Refresh Token (PRT).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBypass MFA \u0026amp; Conditional Access:\u003c/strong\u003e The PRT allows the attacker to bypass multi-factor authentication and Conditional Access policies that rely on device compliance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Access:\u003c/strong\u003e The attacker uses the PRT to access protected Azure resources and services without proper authorization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Exfiltration:\u003c/strong\u003e The attacker moves laterally within the Azure environment or exfiltrates sensitive data, leveraging the unauthorized access gained through the compromised PRT.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass multi-factor authentication and gain unauthorized access to Azure resources, leading to potential data breaches and lateral movement within the cloud environment. The impact includes unauthorized access to sensitive data, circumvention of device-based Conditional Access controls, and the potential for data exfiltration. The number of affected users and the scope of data breaches depend on the permissions associated with the compromised accounts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Entra ID OAuth Device Code Grant by Microsoft Authentication Broker\u0026quot; to detect successful sign-ins using device code authentication with the specified broker client application ID in your Azure environment.\u003c/li\u003e\n\u003cli\u003eInvestigate and revoke any Primary Refresh Tokens (PRTs) associated with the broker client application ID \u003ccode\u003e29d9ed98-a469-4536-ade2-f981bc1d605e\u003c/code\u003e where unauthorized access is suspected.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Sign-In logs (\u003ccode\u003elogs-azure.signinlogs-*\u003c/code\u003e) and Activity logs (\u003ccode\u003elogs-azure.activitylogs-*\u003c/code\u003e) for device code authentication events (\u003ccode\u003eazure.signinlogs.properties.authentication_protocol:deviceCode\u003c/code\u003e) associated with the malicious broker client.\u003c/li\u003e\n\u003cli\u003eImplement Conditional Access policies that enforce device compliance checks and restrict access to trusted locations or devices to mitigate the risk of PRT abuse.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-15T18:22:00Z","date_published":"2024-11-15T18:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-11-entra-id-device-code-auth/","summary":"Adversaries are abusing Entra ID device code authentication using a malicious broker client to bypass MFA and gain unauthorized access to Azure resources by compromising Primary Refresh Tokens (PRTs).","title":"Entra ID Device Code Authentication Abuse via Malicious Broker Client","url":"https://feed.craftedsignal.io/briefs/2024-11-entra-id-device-code-auth/"}],"language":"en","title":"CraftedSignal Threat Feed - Prt","version":"https://jsonfeed.org/version/1.1"}