security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update sysmon_abusing_azure_browser_sso.yml

Browse Source
This commit is contained in:
duzvik
2020-07-15 14:24:49 +03:00
committed by GitHub
parent d24e15cc27
commit a9b860d749
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/sysmon/sysmon_abusing_azure_browser_sso.yml
+1 -1
View File
@@ -3,7 +3,7 @@ author: Den Iuzvyk
description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
reference:
- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
date: 2020/07/15
date: 2020/07/15
id: 50f852e6-af22-4c78-9ede-42ef36aa3453
detection:
condition: selection_dll and not filter_legit