Skip to content

Latest commit

 

History

History
113 lines (83 loc) · 3.67 KB

T1036-Azure-001.md

File metadata and controls

113 lines (83 loc) · 3.67 KB
Raw

Note: You are viewing an old, archived version of this content. The latest version is available in the 'main' branch.

Azure_AD_UserAgent_OS_Missmatch

Metadata

ID: Azure_AD_UserAgent_OS_Missmatch

OS: N/A

FP Rate: Medium

ATT&CK Tags

Tactics: TA0005 - Defense Evasion

Technique Subtechnique Technique Name
T1036 Masquerading

Utilized Data Sources

Log Provider Event ID Event Name ATT&CK Data Source
AzureAD_SigninLog

Technical description of the attack

​The query extracts the operating system from the UserAgent header and compares this to the DeviceDetail information present in Azure Active Directory.

Permission required to execute the technique

User

Detection description

An attacker might be able to steal an access token for a particular device and use that to use Azure AD apps on another device, bypassing certain restrictions.

Considerations

None.

False Positives

Users might use a plugin to hide their true UserAgent this might lead to false positives. Also there are some applications that incorrectly report the OS in the UserAgent header, for example Mobile Safari when using the 'request desktop site' feature.

Suggested Response Actions

Verify with the user whether there is a legitimate reason for using this particular UserAgent in combination with the app.

Detection Blind Spots

If the attacker fully mimics the user agent of the actual application this rule will not be able to detect it.

References

Detection

Language: Kusto

Platform: Sentinel

Query:

let timeframe = 1d;
let ExtractOSFromUA=(ua:string) {
    case(
        ua contains "Windows NT 6.0", "Windows Vista/Windows Server 2008",
        ua contains "Windows NT 6.1", "Windows 7/Windows Server 2008R2",
        ua contains "Windows NT 6.1", "Windows 7/Windows Server 2008",
        ua contains "Windows NT 6.2", "Windows 8/Windows Server 2012",
        ua contains "Windows NT 6.3", "Windows 8.1/Windows Server 2012R2",
        ua contains "Windows NT 10.0", "Windows 10",
        ua contains "Windows Phone", "WindowsPhone",
        ua contains "Android", "Android",
        ua contains "iPhone;", "IOS",
        ua contains "iPad;", "IOS",
        ua contains "Polycom/", "Polycom",
        ua contains "Darwin/", "MacOS",
        ua contains "Mac OS X", "MacOS",
        ua contains "macOS", "MacOS",
        ua contains "ubuntu", "Linux",
        ua contains "Linux", "Linux",
        ua contains "curl", "CLI",
        ua contains "python", "CLI",
        "Unknown"
    )
};
// Query to obtain 'simplified' user agents in a given timespan
union withsource=tbl_name AADNonInteractiveUserSignInLogs, SigninLogs
| where TimeGenerated >= ago(timeframe)
| extend UserAgentOS=tolower(ExtractOSFromUA(UserAgent))
| where not(isempty(UserAgent))
| where not(isempty(AppId))
| where ResultType == 0
| extend DeviceOS=tolower(DeviceDetail_dynamic.operatingSystem)
| where not(isempty(DeviceOS))
| where not(UserAgentOS == "unknown")
// Look for matches both ways, since sometimes browser OS is more specific and sometimes DeviceOS is more specific
| where not(UserAgentOS contains DeviceOS) and not(DeviceOS contains UserAgentOS)
| where not(DeviceOS == "ios" and UserAgentOS == "macos") // This can happen for 'request desktop site'
| where not(DeviceOS == "android" and UserAgentOS == "linux") // Android and Linux sometimes confused
| summarize count(), arg_min(TimeGenerated,*) by DeviceOS, UserAgentOS, UserPrincipalName
// Begin whitelist
// End whitelist