Detection rules › Sigma
Azure Login Bypassing Conditional Access Policies
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078 Valid Accounts |
| Persistence | T1078 Valid Accounts |
| Privilege Escalation | T1078 Valid Accounts |
| Stealth | T1078 Valid Accounts |
Event coverage
| Provider | Event |
|---|---|
| M365-AzureActiveDirectory | UserLoggedIn |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
- Hunt for suspicious sign-in to Entra ID Using Extrnal Call Method (YARA-L)
- M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs (Elastic)
- M365 Identity OAuth Flow by User Sign-in to Device Registration (Elastic)
- M365 Identity OAuth Phishing via First-Party Microsoft Application (Elastic)
- M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA) (Elastic)
- O365 AD PowerShell App Login Subsequent Activity (YARA-L)
- O365 Admin Login Activity To Uncommon Microsoft Cloud Apps (YARA-L)
- O365 Login Activity To Azure AD PowerShell App (YARA-L)
Rule body yaml
title: Azure Login Bypassing Conditional Access Policies
id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
status: experimental
description: |
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
author: Josh Nickels, Marius Rothenbücher
references:
- https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
- https://github.com/JumpsecLabs/TokenSmith
date: 2025-01-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
service: audit
product: m365
detection:
selection:
Operation: 'UserLoggedIn'
ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
ResultStatus: 'Success'
RequestType: 'Cmsi:Cmsi'
filter_main_bjectid:
ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Stages and Predicates
Stage 0: condition
selection and not 1 of filter_main_*Stage 1: selection
selection:
Operation: 'UserLoggedIn'
ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
ResultStatus: 'Success'
RequestType: 'Cmsi:Cmsi'
Stage 2: not filter_main_bjectid
filter_main_bjectid:
ObjectId: '0000000a-0000-0000-c000-000000000000'
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
ObjectId | eq | 0000000a-0000-0000-c000-000000000000 |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
ApplicationId | eq |
|
Operation | eq |
|
RequestType | eq |
|
ResultStatus | eq |
|