New Rule: Azure Login Bypassing Conditional Access Policies

SigmaHQ · Jan 8, 2025 · b462624 · b462624
1 parent bd2a4c3
commit b462624
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
@@ -0,0 +1,30 @@
+title: Azure Login Bypassing Conditional Access Policies
+id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
+status: test
+description: |
+    Identifies a successful login to the Microsoft Intune Company Portal which could allow
+    bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith
+author: Josh Nickels, Marius Rothenbücher
+references:
+    - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
+    - https://github.com/JumpsecLabs/TokenSmith
+date: 2025-01-08
+logsource:
+    service: audit
+    product: m365
+detection:
+    selection_auth:
+        Operation: 'UserLoggedIn'
+        ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
+        ResultStatus: 'Success'
+        RequestType: 'Cmsi:Cmsi'
+    filter_objectid:
+        ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
+    condition: selection_auth and not filter_objectid
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.defense-evasion
+    - attack.t1078
+