From b0d3d7d960f759897fdb45ea5d7ddbbfbbf029d1 Mon Sep 17 00:00:00 2001 From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Sun, 21 Dec 2025 16:30:32 -0500 Subject: [PATCH] [Rule Tuning] Entra ID OAuth PRT Issuance to Non-Managed Device Detected (#5464) * [Rule Tuning] Entra ID OAuth PRT Issuance to Non-Managed Device Detected Fixes #5463 * Adjusted description in investigation guide --- ...d_rt_to_prt_transition_from_user_device.toml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml index f80f0839d..b1eac4dbf 100644 --- a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml +++ b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml @@ -2,13 +2,13 @@ creation_date = "2025/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2025/12/15" [rule] author = ["Elastic"] description = """ Identifies when a user signs in with a refresh token using the Microsoft Authentication Broker (MAB) client, followed by -a Primary Refresh Token (PRT) sign-in from the same device within 1 hour. This pattern may indicate that an attacker has +a Primary Refresh Token (PRT) sign-in from the same device within 1 hour from an unmanaged device. This pattern may indicate that an attacker has successfully registered a device using ROADtx and transitioned from short-term token access to long-term persistent access via PRTs. Excluding access to the Device Registration Service (DRS) ensures the PRT is being used beyond registration, often to access Microsoft 365 resources like Outlook or SharePoint. 
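Review bot: The reworded description stacks two `from` phrases — `from the same device within 1 hour from an unmanaged device` — so the device is named twice and the unmanaged qualifier lands in the wrong place; suggest `followed by a Primary Refresh Token (PRT) sign-in from the same, unmanaged device within 1 hour`. The description still explains only the Device Registration Service exclusion, while this tuning also excludes the Windows Sign In app and the Windows Entra authentication-provider user agent in the query; one sentence such as `Native Windows Sign In and Windows authentication-provider traffic is excluded as expected device behavior, so the user agent should be reviewed on any hit` keeps the shipped description in step with the query and tells the analyst the exclusion is based on a client-supplied value. The `description` string's closing quotes lie outside this hunk.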
@@ -18,12 +18,12 @@ index = ["filebeat-*", "logs-azure.signinlogs-*"] interval = "30m" language = "eql" license = "Elastic License v2" -name = "Entra ID OAuth Primary Refresh Token (PRT) Issuance via Refresh Token (RT) Detected" +name = "Entra ID OAuth PRT Issuance to Non-Managed Device Detected" note = """## Triage and analysis -### Investigating Entra ID OAuth Primary Refresh Token (PRT) Issuance via Refresh Token (RT) Detected +### Investigating Entra ID OAuth PRT Issuance to Non-Managed Device Detected -This rule identifies a sequence where a Microsoft Entra ID user signs in using a refresh token issued to the Microsoft Authentication Broker (MAB), followed by a sign-in using a Primary Refresh Token (PRT) from the same device. This behavior is uncommon for normal user activity and strongly suggests adversarial behavior, particularly when paired with OAuth phishing and device registration tools like ROADtx. The use of PRT shortly after a refresh token sign-in typically indicates the attacker has obtained device trust and is now using the PRT to impersonate a fully compliant user+device pair. +This rule identifies a sequence where a Microsoft Entra ID authenticates using a refresh token issued to the Microsoft Authentication Broker (MAB), followed by an authentication using a Primary Refresh Token (PRT) from the same unmanaged device. This behavior is uncommon for normal user activity and strongly suggests adversarial behavior, particularly when paired with OAuth phishing and device registration tools like ROADtx. The use of PRT shortly after a refresh token sign-in typically indicates the attacker has registered a virtual device and is now using the PRT to impersonate a registered user+device pair. The device in question is still marked as unmanaged, indicating it is not compliant with organizational policies and managed by Intune or other MDM solutions. 
### Possible investigation steps - Identify the user principal and device from `azure.signinlogs.properties.user_principal_name` and `azure.signinlogs.properties.device_detail.device_id`. @@ -83,7 +83,12 @@ sequence by azure.signinlogs.properties.user_id, azure.signinlogs.properties.dev event.dataset == "azure.signinlogs" and azure.signinlogs.properties.incoming_token_type == "primaryRefreshToken" and azure.signinlogs.properties.resource_display_name != "Device Registration Service" and - azure.signinlogs.result_signature == "SUCCESS" + azure.signinlogs.result_signature == "SUCCESS" and + azure.signinlogs.properties.device_detail.is_managed != true + and not ( + azure.signinlogs.properties.app_display_name == "Windows Sign In" or + user_agent.original == "Windows-AzureAD-Authentication-Provider/1.0" + ) ] '''
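Review bot: The rewritten investigation-guide paragraph drops its subject: `a Microsoft Entra ID authenticates using a refresh token` should read `a Microsoft Entra ID user authenticates using a refresh token`. Its closing sentence also reads as if the device is managed by Intune; suggest `indicating it is neither compliant with organizational policies nor managed by Intune or another MDM solution`. Since the query now relies on an `is_managed` flag plus an app-name/user-agent exclusion, a short line telling the analyst that a hit on an unmanaged device should have its `user_agent.original` and `app_display_name` reviewed (both are supplied by the client) would make the guide match the tuning. The `note` string continues past this hunk.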
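Review bot: The added `azure.signinlogs.properties.device_detail.is_managed != true` clause on the PRT event depends on how EQL evaluates `!=` against a missing field; if, as the Elasticsearch EQL documentation describes for `!=`, a comparison with a null or absent value does not match, then a PRT sign-in with no `is_managed` field at all is silently dropped, although "no management signal" is precisely the unmanaged case this rule is meant to catch. State the intent explicitly with `(azure.signinlogs.properties.device_detail.is_managed == false or azure.signinlogs.properties.device_detail.is_managed == null)` and confirm against a sample event from a ROADtx-registered device. The `user_agent.original == "Windows-AzureAD-Authentication-Provider/1.0"` exclusion is a client-supplied string that an operator can set verbatim, so as an `or` branch it is a one-line evasion of the whole rule; either require both signals together, `not (azure.signinlogs.properties.app_display_name == "Windows Sign In" and user_agent.original == "Windows-AzureAD-Authentication-Provider/1.0")`, if legitimate Windows Sign In events always carry both, or keep the `or` and document the user-agent exclusion as a known evasion in the rule's false-positive section. Minor style: the preceding conditions end their lines with `and` while the exclusion begins its line with `and not (`; keep the operator at line end for consistency. The sequence's first event and the `sequence by` header sit above this hunk.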