From c5dfffdac07085c90047288afc4342f6a181923b Mon Sep 17 00:00:00 2001
From: duzvik
Date: Wed, 15 Jul 2020 14:02:34 +0300
Subject: [PATCH 1/4] Create sysmon_abusing_azure_browser_sso.yml
---
 .../sysmon_abusing_azure_browser_sso.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
diff --git a/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml b/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
new file mode 100644
index 000000000..29c060492
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
@@ -0,0 +1,27 @@
+title: Avusing Azure Browser SSO
+author: Den Iuzvyk
+description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
+reference:
+- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
+detection:
+ condition: selection_dll and not filter_legit
+ selection_dll:
+ EventID: 7
+ ImageLoaded|endswith: MicrosoftAccountTokenProvider.dll
+ filter_legit:
+ Image|endswith:
+ - BackgroundTaskHost.exe
+ - devenv.exe
+ - iexplore.exe
+ - MicrosoftEdge.exe
+falsepositives:
+- unknown
+level: high
+logsource:
+ category: sysmon
+ product: windows
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1073
From d24e15cc27b159abfed96c797b8761850c5a1f0b Mon Sep 17 00:00:00 2001
From: duzvik
Date: Wed, 15 Jul 2020 14:12:58 +0300
Subject: [PATCH 2/4] Update sysmon_abusing_azure_browser_sso.yml
---
 rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml | 2 ++
 1 file changed, 2 insertions(+)
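Review bot: The title in `+title: Avusing Azure Browser SSO` misspells "Abusing", and none of the four patches in this series corrects it, so it reaches the final file as a context line in PATCH 4/4; change it to `title: Abusing Azure Browser SSO`. The logsource block `category: sysmon` / `product: windows` paired with an explicit `EventID: 7` in the selection is, as far as I can tell, not one of Sigma's generic log sources; image-load rules are normally written with `category: image_load` and `product: windows` and without an EventID, so that backends can map the event for Sysmon and non-Sysmon telemetry alike — worth checking against the other image-load rules in this directory. A `falsepositives` entry of `unknown` next to `level: high` is also a weak pairing; if the four excluded images are the only loaders expected in a clean environment, state that there so analysts know what a hit means.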
diff --git a/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml b/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
index 29c060492..b8824ddfc 100644
--- a/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
+++ b/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
@@ -3,6 +3,8 @@ author: Den Iuzvyk
 description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
 reference:
 - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
+date: 2020/07/15
+id: 50f852e6-af22-4c78-9ede-42ef36aa3453
 detection:
 condition: selection_dll and not filter_legit
 selection_dll:
From a9b860d749d6a32f38ca85ee797bfbc79643b239 Mon Sep 17 00:00:00 2001
From: duzvik
Date: Wed, 15 Jul 2020 14:24:49 +0300
Subject: [PATCH 3/4] Update sysmon_abusing_azure_browser_sso.yml
---
 rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml b/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
index b8824ddfc..023a308a6 100644
--- a/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
+++ b/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
@@ -3,7 +3,7 @@ author: Den Iuzvyk
 description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
 reference:
 - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
-date: 2020/07/15
+date: 2020/07/15
 id: 50f852e6-af22-4c78-9ede-42ef36aa3453
 detection:
 condition: selection_dll and not filter_legit
From 61a05ee054459dd3de2fe825454714d3f80158ef Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 12 Aug 2020 16:44:37 +0200
Subject: [PATCH 4/4] reordered fields, changed indentation
---
 .../sysmon_abusing_azure_browser_sso.yml | 48 +++++++++----------
 1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml b/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
index 023a308a6..2a25beefd 100644
--- a/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
+++ b/rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
@@ -1,29 +1,29 @@
 title: Avusing Azure Browser SSO
-author: Den Iuzvyk
-description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
-reference:
-- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
-date: 2020/07/15
 id: 50f852e6-af22-4c78-9ede-42ef36aa3453
-detection:
- condition: selection_dll and not filter_legit
- selection_dll:
- EventID: 7
- ImageLoaded|endswith: MicrosoftAccountTokenProvider.dll
- filter_legit:
- Image|endswith:
- - BackgroundTaskHost.exe
- - devenv.exe
- - iexplore.exe
- - MicrosoftEdge.exe
-falsepositives:
-- unknown
-level: high
+description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
+author: Den Iuzvyk
+reference:
+ - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
+date: 2020/07/15
 logsource:
- category: sysmon
- product: windows
+ category: sysmon
+ product: windows
 status: experimental
 tags:
-- attack.defense_evasion
-- attack.privilege_escalation
-- attack.t1073
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1073
+detection:
+ condition: selection_dll and not filter_legit
+ selection_dll:
+ EventID: 7
+ ImageLoaded|endswith: MicrosoftAccountTokenProvider.dll
+ filter_legit:
+ Image|endswith:
+ - BackgroundTaskHost.exe
+ - devenv.exe
+ - iexplore.exe
+ - MicrosoftEdge.exe
+falsepositives:
+ - unknown
+level: high
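Review bot: The values under `+ Image|endswith:` in `filter_legit` carry no leading path separator, so `devenv.exe` also matches any image whose name merely ends in those characters, and a process that chooses its own file name can fall into the exclusion; anchoring each entry as `- '\BackgroundTaskHost.exe'`, `- '\devenv.exe'` and so on narrows the filter to the exact file name. This reorder carries the filter over unchanged, so the same applies to the version introduced in PATCH 1/4. The tag `+ - attack.t1073` also looks mismatched: T1073 denotes DLL side-loading (since folded into T1574.002), whereas what the selection catches is a process obtaining an Azure AD refresh token through MicrosoftAccountTokenProvider.dll, which sits closer to Credential Access (T1528, Steal Application Access Token) than to defense evasion or privilege escalation — verify against the ATT&CK version this repository pins before changing it.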