Query Details

Successful Device Code Authentication

Query

# Successful device code sign-in

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1566.002 | Phishing: Spearphishing Link | https://attack.mitre.org/techniques/T1566/002/ |

#### Description
**Note!!** If you ingest AADSignInEventsBeta or SigninLogs, do not use this query.

This query lists successful Entra ID sign-ins where device code authentication is used.

You can also include a filter for the Microsoft Authentication Broker application, appId = 29d9ed98-a469-4536-ade2-f981bc1d605e. This application can generate a lot of false positives in the results, due to benign onboarding activities.

#### Risk
An adversary managed to successfully sign in to your organization using device code authentication.

#### References
- https://jeffreyappel.nl/how-to-protect-against-device-code-flow-abuse-storm-2372-attacks-and-block-the-authentication-flow/
- https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/

## Defender XDR
```KQL
IdentityLogonEvents
// Successful sign-ins only
| where ActionType == @"LogonSuccess"
// Cmsi:Cmsi is the logon type used for device code authentication
| where LogonType == @"Cmsi:Cmsi"
// Pull the cloud service name out of AdditionalFields and resolve the source country
| extend Application = tostring(parse_json(AdditionalFields).['ARG.CLOUD_SERVICE']),
         Country = geo_info_from_ip_address(IPAddress).country
| project-reorder Timestamp, AccountUpn, LogonType, ActionType, Application, IPAddress, Country
```

## Sentinel
```KQL
IdentityLogonEvents
// Successful sign-ins only
| where ActionType == @"LogonSuccess"
// Cmsi:Cmsi is the logon type used for device code authentication
| where LogonType == @"Cmsi:Cmsi"
// Pull the cloud service name out of AdditionalFields and resolve the source country
| extend Application = tostring(parse_json(AdditionalFields).['ARG.CLOUD_SERVICE']),
         Country = geo_info_from_ip_address(IPAddress).country
// Sentinel uses TimeGenerated instead of Timestamp
| project-reorder TimeGenerated, AccountUpn, LogonType, ActionType, Application, IPAddress, Country
```

Explanation

This query is designed to identify successful sign-ins to an organization's Entra ID (formerly Azure Active Directory) using device code authentication. It specifically looks for logon events where the action type is "LogonSuccess" and the logon type is "Cmsi:Cmsi", which indicates device code authentication.

The query extracts additional information such as the application used for the sign-in and the country from which the sign-in originated, based on the IP address. This information is then organized in a specific order for easier analysis.

The query can be run in both Microsoft Defender XDR and Microsoft Sentinel environments; the only difference is the name of the timestamp column (Timestamp in Defender XDR, TimeGenerated in Sentinel) placed first by project-reorder.

It is important to note that if you are already ingesting AADSignInEventsBeta or SigninLogs, you should not use this query. Additionally, there is a potential for false positives from the Microsoft Authentication Broker application, which can be filtered out if necessary.

The query is relevant to the MITRE ATT&CK technique T1566.002, which involves phishing through spearphishing links. The risk associated with this query is that an adversary could potentially sign in to the organization using device code authentication, which could be part of a phishing campaign.
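As an added example that is not part of the original page or its author's query: the same filtering and field extraction expressed in Python over a handful of constructed IdentityLogonEvents rows, with an optional exclusion set for the Microsoft Authentication Broker appId mentioned above. The sample rows, the GEO_STUB lookup standing in for geo_info_from_ip_address(), and the assumption that the broker shows up under the ARG.CLOUD_SERVICE key are all assumptions made for the example.

```python
import json

# Constructed sample IdentityLogonEvents rows (not real telemetry).
# Only the columns the page's KQL query touches are modelled.
SAMPLE_EVENTS = [
    {"Timestamp": "2025-02-21T08:01:00Z", "AccountUpn": "alice@example.com",
     "ActionType": "LogonSuccess", "LogonType": "Cmsi:Cmsi", "IPAddress": "203.0.113.10",
     "AdditionalFields": json.dumps({"ARG.CLOUD_SERVICE": "Microsoft Office"})},
    {"Timestamp": "2025-02-21T08:02:00Z", "AccountUpn": "bob@example.com",
     "ActionType": "LogonFailed", "LogonType": "Cmsi:Cmsi", "IPAddress": "203.0.113.11",
     "AdditionalFields": json.dumps({"ARG.CLOUD_SERVICE": "Microsoft Office"})},
    {"Timestamp": "2025-02-21T08:03:00Z", "AccountUpn": "carol@example.com",
     "ActionType": "LogonSuccess", "LogonType": "Credentials", "IPAddress": "203.0.113.12",
     "AdditionalFields": json.dumps({"ARG.CLOUD_SERVICE": "Microsoft Office"})},
    # Assumption: the Authentication Broker appId surfaces under ARG.CLOUD_SERVICE.
    {"Timestamp": "2025-02-21T08:04:00Z", "AccountUpn": "dave@example.com",
     "ActionType": "LogonSuccess", "LogonType": "Cmsi:Cmsi", "IPAddress": "203.0.113.13",
     "AdditionalFields": json.dumps({"ARG.CLOUD_SERVICE": "29d9ed98-a469-4536-ade2-f981bc1d605e"})},
]

# Constructed stand-in for geo_info_from_ip_address(); a real pipeline would use a GeoIP database.
GEO_STUB = {"203.0.113.10": "NL"}


def device_code_logons(events, excluded_apps=frozenset()):
    """Python equivalent of the page's KQL: keep successful Cmsi:Cmsi logons,
    pull ARG.CLOUD_SERVICE out of AdditionalFields, resolve a country for the
    source IP, and drop any application listed in excluded_apps."""
    results = []
    for ev in events:
        if ev.get("ActionType") != "LogonSuccess" or ev.get("LogonType") != "Cmsi:Cmsi":
            continue
        try:
            extra = json.loads(ev.get("AdditionalFields") or "{}")
        except json.JSONDecodeError:
            extra = {}
        # tostring(parse_json(...).['ARG.CLOUD_SERVICE']) yields "" when the key is absent
        app = str(extra.get("ARG.CLOUD_SERVICE", ""))
        if app in excluded_apps:
            continue
        results.append({
            "Timestamp": ev["Timestamp"], "AccountUpn": ev["AccountUpn"],
            "LogonType": ev["LogonType"], "ActionType": ev["ActionType"],
            "Application": app, "IPAddress": ev["IPAddress"],
            "Country": GEO_STUB.get(ev["IPAddress"], "unknown"),
        })
    return results
```

Running it without an exclusion set surfaces both successful device code logons; passing the broker appId in excluded_apps leaves only the row an analyst would want to review.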

Details

Bert-Jan Pals

Released: February 21, 2025

Tables

IdentityLogonEvents
