From b462624dee0a0b4f7844ae25efea153acfa42fb7 Mon Sep 17 00:00:00 2001 From: Josh Date: Wed, 8 Jan 2025 11:15:37 -0500 Subject: [PATCH 1/4] New Rule: Azure Login Bypassing Conditional Access Policies --- ...microsoft365_bypass_conditional_access.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml diff --git a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml new file mode 100644 index 00000000000..218c2ce03d4 --- /dev/null +++ b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml @@ -0,0 +1,30 @@ +title: Azure Login Bypassing Conditional Access Policies +id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc +status: test +description: | + Identifies a successful login to the Microsoft Intune Company Portal which could allow + bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith +author: Josh Nickels, Marius Rothenbücher +references: + - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/ + - https://github.com/JumpsecLabs/TokenSmith +date: 2025-01-08 +logsource: + service: audit + product: m365 +detection: + selection_auth: + Operation: 'UserLoggedIn' + ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223' + ResultStatus: 'Success' + RequestType: 'Cmsi:Cmsi' + filter_objectid: + ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled + condition: selection_auth and not filter_objectid +falsepositives: + - Unknown +level: high +tags: + - attack.defense-evasion + - attack.t1078 + From 5cdc148d2ba78753c60887a18dd1c9cd94c59908 Mon Sep 17 00:00:00 2001 
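Review bot: The description says the rule identifies a login to the Microsoft Intune Company Portal, but the selection matches on ApplicationId (in UserLoggedIn records the client that authenticated) and the filter drops records whose ObjectId is the Intune resource, so what actually fires is the Company Portal client obtaining a token for some resource other than Intune, and the text should say so, e.g. `Detects a successful UserLoggedIn event in which the Microsoft Intune Company Portal client (ApplicationId) authenticates to a resource other than Microsoft Intune (ObjectId), a pattern associated with tools such as TokenSmith that reuse this first-party client to bypass Conditional Access and Intune device compliance requirements`. With level set to high and falsepositives set to Unknown, an analyst gets no tuning guidance; if the Company Portal legitimately reaches non-Intune resources during enrollment or sign-in (to be confirmed against tenant data), that case belongs under falsepositives instead of Unknown. The description also spells the product both 'Intune' and 'InTune'; use 'Intune' throughout. The rule body is carried unchanged through the three follow-up patches, so the wording fix applies to the file's final state.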
From: Josh Date: Wed, 8 Jan 2025 12:36:45 -0500 Subject: [PATCH 2/4] Update rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../cloud/m365/audit/microsoft365_bypass_conditional_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml index 218c2ce03d4..ba5cd60e6b0 100644 --- a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml +++ b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml @@ -1,6 +1,6 @@ title: Azure Login Bypassing Conditional Access Policies id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc -status: test +status: experimental description: | Identifies a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith From 61c0beacd3e339fe4353c9d52bb3db9f46fdcce7 Mon Sep 17 00:00:00 2001 From: Josh Date: Wed, 8 Jan 2025 12:37:01 -0500 Subject: [PATCH 3/4] Update rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../m365/audit/microsoft365_bypass_conditional_access.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml index ba5cd60e6b0..faddec530b4 100644 --- a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml +++ b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml @@ -9,6 +9,9 @@ references: - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/ - https://github.com/JumpsecLabs/TokenSmith date: 2025-01-08 +tags: + - attack.defense-evasion + - attack.t1078 logsource: service: audit product: m365 
From e92b998ea310ea3ada99ff5a525062d90d8890c9 Mon Sep 17 00:00:00 2001 From: Josh Date: Wed, 8 Jan 2025 12:37:16 -0500 Subject: [PATCH 4/4] Update rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../m365/audit/microsoft365_bypass_conditional_access.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml index faddec530b4..7b84d6d44d2 100644 --- a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml +++ b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml @@ -27,7 +27,4 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.defense-evasion - - attack.t1078