From b462624dee0a0b4f7844ae25efea153acfa42fb7 Mon Sep 17 00:00:00 2001
From: Josh
Date: Wed, 8 Jan 2025 11:15:37 -0500
Subject: [PATCH] New Rule: Azure Login Bypassing Conditional Access Policies

---
 ...microsoft365_bypass_conditional_access.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml

diff --git a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
new file mode 100644
index 00000000000..218c2ce03d4
--- /dev/null
+++ b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
@@ -0,0 +1,30 @@
+title: Azure Login Bypassing Conditional Access Policies
+id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
+status: test
+description: |
+    Identifies a successful login to the Microsoft Intune Company Portal which could allow
+    bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith
+author: Josh Nickels, Marius Rothenbücher
+references:
+    - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
+    - https://github.com/JumpsecLabs/TokenSmith
+date: 2025-01-08
+logsource:
+    service: audit
+    product: m365
+detection:
+    selection_auth:
+        Operation: 'UserLoggedIn'
+        ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
+        ResultStatus: 'Success'
+        RequestType: 'Cmsi:Cmsi'
+    filter_objectid:
+        ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
+    condition: selection_auth and not filter_objectid
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.defense-evasion
+    - attack.t1078
+
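Review bot: The `falsepositives` entry `- Unknown` understates what `selection_auth` actually matches: any successful `UserLoggedIn` to the Company Portal `ApplicationId` with `RequestType: 'Cmsi:Cmsi'` fires unless the target `ObjectId` is the Intune resource, so ordinary interactive use of the Company Portal web app that never reaches the enrolment resource would alert, which at `level: high` deserves a named entry such as `- Legitimate interactive sign-ins to the Intune Company Portal web application that do not proceed to device enrolment`. The `RequestType: 'Cmsi:Cmsi'` pin carries no in-rule explanation of why that interrupt type is the discriminator, and if it is the value observed in the referenced TokenSmith flow (which I cannot confirm from the hunk) a trailing comment like `# Keep-me-signed-in interrupt observed in the referenced TokenSmith flow` would tell maintainers what they may safely loosen later. In the description, `InTune device trust` should read `Intune device trust` to match the product name used two lines earlier.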