Skip to content

[New Rule] Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration #6181

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
terrancedejesus wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[New Rule] Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration #6181

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
85271af
[New Rule] Entra ID OAuth Device Code Sign-in to Azure AD Graph Enume…
terrancedejesus May 22, 2026
9e3c9e3
adding min-stack
terrancedejesus Jun 1, 2026
6a94617
Merge branch 'main' into new-rule/azure-ad-graph-device-code-to-enum
terrancedejesus Jun 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
224 changes: 224 additions & 0 deletions rules/integrations/azure/credential_access_device_code_signin_aad_graph_enum.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,224 @@
[metadata]
creation_date = "2026/05/22"
integration = ["azure"]
maturity = "production"
min_stack_version = "9.2.0"
min_stack_comments = "azure.aadgraphactivitylogs backports to 8.19.10 only."
updated_date = "2026/05/22"

[rule]
author = ["Elastic"]
description = """
Correlates a successful Entra ID device-code sign-in to the legacy Azure AD Graph audience
(00000002-0000-0000-c000-000000000000) from an unmanaged device with directory enumeration against graph.windows.net by
the same user within a short window. Device-code phishing is the dominant OAuth phishing variant against Microsoft
tenants: the adversary initiates the flow, relays the user-facing code to the victim, and on redemption walks away with
an access or refresh token bound to the targeted resource without ever handling the user's password or MFA factor. When
the redeemed audience is AAD Graph and the redeeming device is unmanaged, the follow-on Graph traffic is the compromised
cloud account being used by the attacker, not by the user. This rule fires when that token is immediately turned around
against the directory under the same identity to read user, group, service principal, application, role assignment,
directory object, policy, OAuth permission grant, or tenant detail collections.
"""
false_positives = [
"""
Authorized red team or audit activity (ROADrecon, ROADtools, AADInternals, roadtx). Document the engagement window
and add exceptions on the calling user.
""",
"""
A developer or operator legitimately running first-party tooling under the device-code flow that then enumerates
directory objects during onboarding or troubleshooting. Validate the calling app and source IP and exclude as
appropriate.
""",
]
from = "now-9m"
index = ["logs-azure.signinlogs-*", "logs-azure.aadgraphactivitylogs-*"]
language = "eql"
license = "Elastic License v2"
name = "Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration"
note = """## Triage and analysis

### Investigating Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration

Device-code phishing redeems an OAuth access token directly into the adversary's hands without
ever touching the victim's password or MFA factor. When the redemption targets the legacy AAD
Graph audience from an unmanaged device, the resulting token is overwhelmingly used to drive
directory recon under the compromised identity. ROADrecon / ROADtools, AADInternals
(`Get-AADIntTenantDetails`, `Get-AADIntUsers`), and manual `roadtx` flows all match this shape.

### Possible investigation steps

- Confirm the sign-in shape.
- `azure.signinlogs.properties.authentication_protocol` is `deviceCode`.
- `azure.signinlogs.properties.resource_id` is `00000002-0000-0000-c000-000000000000` (legacy AAD Graph audience).
- `azure.signinlogs.properties.device_detail.is_managed` is `false`.
- Identify the calling client used to drive the device-code grant.
- `azure.signinlogs.properties.app_id`, `azure.signinlogs.properties.app_display_name`.
- FOCI / pre-consented Microsoft clients (Teams, Office, Azure CLI, Azure PowerShell) are the canonical ride-along clients for device-code phishing because they bypass app consent.
- Review source posture for the redemption and the Graph follow-on independently.
- `source.ip`, `source.as.organization.name`, `source.geo.country_name`. Residential / VPS / anonymising-network egress raises priority.
- A code redeemed from one IP and Graph driven from another is a strong adversary-in-the-middle signal: the user clicked, the attacker is now driving the session.
- Review what was queried on the Graph side.
- `url.path` on the second event. `applicationRefs`, `eligibleRoleAssignments`, and `directoryObjects` casts (`$/Microsoft.DirectoryServices.ServicePrincipal`) are the textbook ROADrecon signature; `tenantDetails` from an `AADInternals` user-agent is the AADInternals signature.
- Check the API version on the Graph call.
- `azure.aadgraphactivitylogs.properties.api_version`. `1.61-internal` is a strong tooling indicator and returns data the public surface withholds (Conditional Access policies, MFA configuration on user objects).
- Pivot to surrounding sign-ins for the same user. Other device-code redemptions to Microsoft Graph, Azure Resource Manager, or Exchange in the same window suggest the attacker is multi-homing the token harvest.
- Confirm the activity is not attributable to authorized testing before treating as malicious.

### Response and remediation

- Revoke refresh tokens and active sessions for the compromised user.
- `POST /v1.0/users/{id}/revokeSignInSessions`.
- Temporarily disable the user if the alert is high-confidence or you need to halt further activity while investigation continues.
- `PATCH /v1.0/users/{id}` with body `{"accountEnabled": false}`.
- Check for device registrations created by the user during or around the burst window and remove rogue devices.
- `GET /v1.0/users/{id}/registeredDevices` and `GET /v1.0/users/{id}/ownedDevices`, then `DELETE /v1.0/devices/{deviceObjectId}`.
- Do this BEFORE session revocation: device-bound PRTs survive `revokeSignInSessions`.
- If the calling application has no legitimate AAD Graph dependency, block further use by that app.
- `PATCH /beta/applications/{id}` with body `{"authenticationBehaviors": {"blockAzureADGraphAccess": true}}`.
- This property lives on the Graph beta endpoint, not v1.0.
- Apply Conditional Access targeting the device-code grant: require a managed / compliant device or block the device-code grant outside of explicitly approved app + user populations.
"""
references = [
"https://github.com/dirkjanm/ROADtools",
"https://github.com/Gerenios/AADInternals",
"https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview",
]
risk_score = 73
rule_id = "aa04377a-19b5-4940-952f-aad173790d23"
setup = """#### Microsoft Entra ID Sign-in Logs and Azure AD Graph Activity Logs
Requires both data streams ingested via the Elastic Azure integration:
- Microsoft Entra ID sign-in logs into `logs-azure.signinlogs-*` (enable the `SignInLogs` diagnostic-settings category on Entra ID).
- Azure AD Graph Activity Logs into `logs-azure.aadgraphactivitylogs-*` (enable the `AzureADGraphActivityLogs` diagnostic-settings category on Entra ID).
"""
severity = "high"
tags = [
"Domain: Cloud",
"Domain: Identity",
"Data Source: Azure",
"Data Source: Microsoft Entra ID",
"Data Source: Microsoft Entra ID Sign-in Logs",
"Data Source: Azure AD Graph",
"Data Source: Azure AD Graph Activity Logs",
"Use Case: Identity and Access Audit",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Tactic: Initial Access",
"Tactic: Discovery",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by user.id, azure.tenant_id with maxspan=5m
[authentication where
data_stream.dataset == "azure.signinlogs" and
event.outcome == "success" and
azure.signinlogs.properties.authentication_protocol == "deviceCode" and
azure.signinlogs.properties.device_detail.is_managed == false and
azure.signinlogs.properties.resource_id == "00000002-0000-0000-c000-000000000000"]
[web where
data_stream.dataset == "azure.aadgraphactivitylogs" and
url.path : (
"*/users*",
"*/groups*",
"*/servicePrincipals*",
"*/applications*",
"*/applicationRefs*",
"*/devices*",
"*/directoryRoles*",
"*/roleAssignments*",
"*/eligibleRoleAssignments*",
"*/roleDefinitions*",
"*/directoryObjects*",
"*/policies*",
"*/oauth2PermissionGrants*",
"*/administrativeUnits*",
"*/tenantDetails*",
"*/directorySettingTemplates*",
"*/me*"
)]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1069"
name = "Permission Groups Discovery"
reference = "https://attack.mitre.org/techniques/T1069/"
[[rule.threat.technique.subtechnique]]
id = "T1069.003"
name = "Cloud Groups"
reference = "https://attack.mitre.org/techniques/T1069/003/"


[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"
[[rule.threat.technique.subtechnique]]
id = "T1087.004"
name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1087/004/"


[[rule.threat.technique]]
id = "T1526"
name = "Cloud Service Discovery"
reference = "https://attack.mitre.org/techniques/T1526/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[rule.investigation_fields]
field_names = [
"user.id",
"azure.tenant_id",
"azure.signinlogs.properties.user_principal_name",
"azure.signinlogs.properties.app_id",
"azure.signinlogs.properties.app_display_name",
"azure.signinlogs.properties.resource_id",
"azure.signinlogs.properties.authentication_protocol",
"azure.signinlogs.properties.device_detail.is_managed",
"azure.aadgraphactivitylogs.properties.app_id",
"azure.aadgraphactivitylogs.properties.api_version",
"url.path",
"user_agent.original",
"source.ip",
"source.as.organization.name",
"source.geo.country_name",
]

Loading