Query Details

Hunting For Malicious Login Attempts Based On Basic Authentication

Query

**Hunting for malicious login attempts based on basic authentication**

**Description:** This KQL query detects Basic Authentication sign-in attempts made with specific user agents that are identified as risky and are known to be used by malicious actors.
The ROPC (Resource Owner Password Credentials) flow is considered insecure because it requires applications to handle user credentials directly, increasing the risk of credential theft.
Microsoft discourages the use of ROPC and Basic Authentication in favor of more secure, modern authentication methods such as OAuth 2.0 with MFA and token-based authentication.


```kql
AADSignInEventsBeta
| where UserAgent has "BAV2ROPC" or UserAgent has "AConsumerV2ROPC"
| where AuthenticationRequirement has "singleFactorAuthentication"
| distinct Application, EndpointCall, ErrorCode, AuthenticationRequirement, UserAgent, ClientAppUsed, IPAddress, Country
```

Explanation

This KQL query is designed to identify potentially malicious login attempts that use basic authentication methods, which are considered insecure. Here's a simple breakdown of what the query does:

  1. Data Source: It looks at sign-in events from Azure Active Directory (AAD).

  2. Filter by User Agent: It specifically targets login attempts where the user agent string includes "BAV2ROPC" or "AConsumerV2ROPC". These user agents are associated with risky authentication flows known as Resource Owner Password Credentials (ROPC), which are vulnerable to credential theft.

  3. Filter by Authentication Type: It further narrows down the results to those that used "singleFactorAuthentication", which is less secure than multi-factor authentication.

  4. Select Distinct Entries: The query retrieves unique combinations of several fields: Application, EndpointCall, ErrorCode, AuthenticationRequirement, UserAgent, ClientAppUsed, IPAddress, and Country. This helps in identifying distinct instances of these risky login attempts.

Overall, the query is used to detect and analyze login attempts that rely on insecure authentication methods and might therefore be exploited by malicious actors.
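As an added example (not part of the original query or the author's work), the following KQL extends the hunt by aggregating the same matches per source IP, so that successful single-factor ROPC sign-ins stand out from the noise of failed attempts. It assumes the standard AADSignInEventsBeta columns Timestamp, AccountUpn and ErrorCode, and that ErrorCode 0 denotes a successful sign-in; the 30-day lookback and the threshold of five targeted accounts are arbitrary choices to tune for your tenant.

```kql
// Added example: aggregate risky ROPC / Basic Authentication sign-ins per source.
// Assumes the AADSignInEventsBeta schema columns Timestamp, AccountUpn and ErrorCode,
// and that ErrorCode == 0 marks a successful sign-in (assumption, verify in your tenant).
let lookback = 30d;
AADSignInEventsBeta
| where Timestamp > ago(lookback)
| where UserAgent has_any ("BAV2ROPC", "AConsumerV2ROPC")
| where AuthenticationRequirement has "singleFactorAuthentication"
| summarize
    Attempts         = count(),
    Successes        = countif(ErrorCode == 0),
    Failures         = countif(ErrorCode != 0),
    TargetedAccounts = dcount(AccountUpn),
    Accounts         = make_set(AccountUpn, 20),
    Applications     = make_set(Application, 10),
    FirstSeen        = min(Timestamp),
    LastSeen         = max(Timestamp)
    by IPAddress, Country, UserAgent, ClientAppUsed
// Many accounts from one IP with only failures looks like password guessing;
// any success at all is the row that warrants immediate follow-up.
| extend Pattern = case(
    Successes > 0,         "Successful single-factor ROPC sign-in",
    TargetedAccounts >= 5, "Failed attempts across many accounts",
                           "Failed attempts")
| order by Successes desc, TargetedAccounts desc, Attempts desc
```

The distinct list in the original query answers whether any such sign-ins occurred; this version answers from where, against how many accounts and with what outcome, which is what decides whether to block the source, reset the affected accounts' credentials, or simply disable Basic Authentication for the application shown.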

Details


Sergio Albea

Released: February 11, 2025

Tables

AADSignInEventsBeta

Keywords

AADSignInEventsBeta, UserAgent, Application, EndpointCall, ErrorCode, AuthenticationRequirement, ClientAppUsed, IPAddress, Country

Operators

where, has, or, distinct
