<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ropc - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/ropc/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 17 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/ropc/feed.xml" rel="self" type="application/rss+xml"/><item><title>Entra ID Unusual ROPC Login Attempt</title><link>https://feed.craftedsignal.io/briefs/2024-01-entra-id-ropc/</link><pubDate>Wed, 17 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-entra-id-ropc/</guid><description>Detects unusual resource owner password credential (ROPC) login attempts by a user principal in Microsoft Entra ID, potentially indicating account compromise or password spraying.</description><content:encoded><![CDATA[<p>This detection identifies unusual Resource Owner Password Credentials (ROPC) login attempts within Microsoft Entra ID. ROPC is a legacy OAuth 2.0 flow where applications obtain tokens by directly providing user credentials, a method less secure than modern alternatives. Adversaries exploit ROPC to bypass multi-factor authentication (MFA) and gain unauthorized access to user accounts. The rule specifically focuses on detecting first-time ROPC usage by a user principal within a 10-day window, indicating potential enumeration, password spraying, or use of compromised credentials. Successful ROPC logins without MFA are a red flag. This activity is typically associated with account takeover attempts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains initial access by obtaining valid user credentials through phishing, password spraying, or credential stuffing.</li>
<li><strong>Bypass MFA:</strong> The attacker leverages the ROPC flow to bypass MFA, as ROPC does not inherently require or support it.</li>
<li><strong>Application Enumeration:</strong> The attacker uses tools like TeamFiltration or custom scripts to enumerate available applications and resources accessible with the compromised account.</li>
<li><strong>Token Acquisition:</strong> The attacker's application or script requests an access token from Entra ID using the compromised credentials and the ROPC grant type.</li>
<li><strong>Resource Access:</strong> With a valid access token, the attacker accesses sensitive resources such as Exchange Online, SharePoint, or Teams, depending on the permissions granted to the application and user.</li>
<li><strong>Lateral Movement:</strong> The attacker uses the initial access to move laterally within the Entra ID environment, targeting additional user accounts or resources.</li>
<li><strong>Data Exfiltration:</strong> The attacker exfiltrates sensitive data from accessed resources, such as emails, documents, or application data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to gain unauthorized access to user accounts and sensitive resources within the Microsoft Entra ID environment. This can lead to data breaches, financial loss, and reputational damage. The ROPC flow, when abused, circumvents MFA protections, increasing the risk of successful account takeover. Organizations may experience data exfiltration, business email compromise, or disruption of cloud services.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Entra ID OAuth ROPC Grant Login Detected&quot; to your SIEM and tune for your environment to identify unusual ROPC login attempts (see rule below).</li>
<li>Review the <code>azure.signinlogs.properties.user_principal_name</code> field from the logs to identify the users involved in ROPC login attempts.</li>
<li>Investigate the source of the ROPC login attempt, including the application (<code>azure.signinlogs.properties.app_display_name</code>) and IP address (<code>azure.signinlogs.properties.client_ip</code>) by enabling Azure Sign-In Logs.</li>
<li>Enforce multi-factor authentication (MFA) for all users and applications, and restrict the use of ROPC where possible.</li>
<li>Monitor for suspicious activity, such as unusual login locations or access to sensitive resources.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">threat</category><category>azure</category><category>entra-id</category><category>ropc</category><category>initial-access</category></item></channel></rss>