Successful Device Code Authentication Unmanaged Device

# Successful device code sign-in from unmanaged device

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1566.002 | Phishing: Spearphishing Link | https://attack.mitre.org/techniques/T1566/002/ |

#### Description
This query lists successful Entra ID sign-ins where device code authentication is used from an unmanaged device. This means that a device which is not managed by your organization has successfully met the conditions to sign in to your tenant using a management API. In addition, you can combine these conditions with a risk detected during sign-in to surface the cases that deserve higher priority.

The solutions for Sentinel (SigninLogs) and Defender XDR (AADSignInEventsBeta) differ slightly, but have the same output.

You can also include a filter for the Microsoft Authentication Broker application (appId = 29d9ed98-a469-4536-ade2-f981bc1d605e). This application can generate a number of false positives in the results, because benign device onboarding activities use the same flow.

#### Risk
An adversary has successfully signed in to your organization using device code authentication.

#### References
- https://jeffreyappel.nl/how-to-protect-against-device-code-flow-abuse-storm-2372-attacks-and-block-the-authentication-flow/
- https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/

## Defender XDR
```KQL
AADSignInEventsBeta
// Filter only successful sign-ins
| where ErrorCode == 0
| where EndpointCall == "Cmsi:Cmsi"
// Filter on unmanaged devices
| where isempty(AadDeviceId)
// Optionally filter only on sign-ins with a risk level associated with the sign-in
//| where RiskLevelDuringSignIn in(10, 50, 100)
| project-reorder TimeGenerated, AccountUpn, EndpointCall, ErrorCode, RiskLevelDuringSignIn, Application, ApplicationId, Country, IPAddress
```

## Sentinel
```KQL
SigninLogs
// Filter only successful sign-ins
| where ResultType == 0
| where AuthenticationProtocol == "deviceCode"
// Filter on unmanaged devices
| where isempty(DeviceDetail.deviceId)
| extend operatingSystem = tostring(DeviceDetail.operatingSystem)
// Optionally filter only on sign-ins with a risk level associated with the sign-in
//| where RiskLevelDuringSignIn != "none"
| project-reorder TimeGenerated, UserPrincipalName, AuthenticationProtocol, ResultType, RiskLevelDuringSignIn, AppDisplayName, AppId, Location, IPAddress
```

## Explanation

This query is designed to identify successful sign-ins to an organization's Entra ID (formerly Azure AD) using device code authentication from devices that are not managed by the organization. The focus is on detecting potential security risks, such as unauthorized access attempts, by highlighting sign-ins from unmanaged devices.

Here's a simplified breakdown:

1. Purpose: The query aims to detect successful sign-ins using device code authentication from unmanaged devices, which could indicate a security risk if an adversary gains access.
2. Data Sources: The query can be run on two different platforms:
   - Defender XDR: uses the AADSignInEventsBeta table.
   - Sentinel: uses the SigninLogs table.
3. Key Filters:
   - Successful Sign-ins: the query keeps only sign-ins that completed without error (error code 0).
   - Device Code Flow: it keeps only sign-ins that used device code authentication (AuthenticationProtocol "deviceCode" in Sentinel, EndpointCall "Cmsi:Cmsi" in Defender XDR).
   - Unmanaged Devices: it keeps only sign-ins whose device ID is empty, meaning the device is not registered with the tenant and is therefore unmanaged.
   - Optional Risk Filtering: you can further restrict the results to sign-ins that carry a risk level, which helps prioritise potential threats.
4. Output: The query reorders the output to show relevant information such as the time of the sign-in, user details, application used, location, and IP address.
5. Additional Considerations:
   - The query can include a filter for the Microsoft Authentication Broker application to reduce false positives from benign onboarding activities.
   - It references device code phishing campaigns (Storm-2372) as the threat this detection targets, which is why such sign-ins are worth monitoring.

Overall, this query helps security teams monitor and respond to potentially unauthorized access attempts from unmanaged devices, enhancing the organization's security posture.
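To make the filter logic concrete, the following Python script is an added example (not the author's query or any Microsoft code) that re-implements the Sentinel variant of the detection over a handful of constructed SigninLogs-style records. Record values (UPNs, placeholder AppIds, documentation-range IPs) are made up; the only real identifier is the Authentication Broker appId quoted on the page. Each `where` line of the query maps to one condition in `matches()`, and the two optional filters (risk level, Authentication Broker exclusion) are exposed as keyword arguments so you can see how each one changes the result set. The script also handles `DeviceDetail` arriving as JSON text, which is how exported dynamic columns often look outside the Sentinel UI.

```python
import json
from typing import Any, Iterable

# appId of the Microsoft Authentication Broker, as given on the page.
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"

# Columns kept by the Sentinel query's project-reorder, in its order.
PROJECTED_COLUMNS = (
    "TimeGenerated", "UserPrincipalName", "AuthenticationProtocol", "ResultType",
    "RiskLevelDuringSignIn", "AppDisplayName", "AppId", "Location", "IPAddress",
)

# Constructed sample records in SigninLogs column shape (not real tenant data).
# AppId values other than the broker are placeholders; IPs are documentation ranges.
SAMPLE_SIGNIN_LOGS: list[dict[str, Any]] = [
    # 1. success, device code, no device id, risky -> matches in every mode
    {"TimeGenerated": "2025-02-17T08:01:00Z", "UserPrincipalName": "alice@example.com",
     "ResultType": "0", "AuthenticationProtocol": "deviceCode",
     "DeviceDetail": {"deviceId": "", "operatingSystem": "Linux"},
     "RiskLevelDuringSignIn": "medium", "AppDisplayName": "Example CLI tool",
     "AppId": "00000000-0000-0000-0000-0000000000a1",
     "Location": {"countryOrRegion": "NL"}, "IPAddress": "203.0.113.10"},
    # 2. managed device (deviceId populated) -> excluded by isempty(DeviceDetail.deviceId)
    {"TimeGenerated": "2025-02-17T08:05:00Z", "UserPrincipalName": "bob@example.com",
     "ResultType": 0, "AuthenticationProtocol": "deviceCode",
     "DeviceDetail": {"deviceId": "placeholder-device-guid", "operatingSystem": "Windows"},
     "RiskLevelDuringSignIn": "none", "AppDisplayName": "Example CLI tool",
     "AppId": "00000000-0000-0000-0000-0000000000a1",
     "Location": {"countryOrRegion": "NL"}, "IPAddress": "198.51.100.7"},
    # 3. failed sign-in -> excluded by ResultType == 0
    {"TimeGenerated": "2025-02-17T08:07:00Z", "UserPrincipalName": "carol@example.com",
     "ResultType": "50126", "AuthenticationProtocol": "deviceCode",
     "DeviceDetail": {"deviceId": "", "operatingSystem": "Android"},
     "RiskLevelDuringSignIn": "none", "AppDisplayName": "Example CLI tool",
     "AppId": "00000000-0000-0000-0000-0000000000a1",
     "Location": {"countryOrRegion": "DE"}, "IPAddress": "198.51.100.8"},
    # 4. Authentication Broker onboarding, no risk -> base match, dropped by the optional filters
    {"TimeGenerated": "2025-02-17T08:09:00Z", "UserPrincipalName": "dave@example.com",
     "ResultType": "0", "AuthenticationProtocol": "deviceCode",
     "DeviceDetail": {"deviceId": "", "operatingSystem": "Windows"},
     "RiskLevelDuringSignIn": "none", "AppDisplayName": "Microsoft Authentication Broker",
     "AppId": AUTH_BROKER_APP_ID,
     "Location": {"countryOrRegion": "NL"}, "IPAddress": "198.51.100.9"},
    # 5. different protocol -> excluded by AuthenticationProtocol == "deviceCode"
    {"TimeGenerated": "2025-02-17T08:11:00Z", "UserPrincipalName": "erin@example.com",
     "ResultType": "0", "AuthenticationProtocol": "ropc",
     "DeviceDetail": {"deviceId": "", "operatingSystem": "Windows"},
     "RiskLevelDuringSignIn": "none", "AppDisplayName": "Example CLI tool",
     "AppId": "00000000-0000-0000-0000-0000000000a1",
     "Location": {"countryOrRegion": "NL"}, "IPAddress": "198.51.100.10"},
    # 6. DeviceDetail exported as JSON text, no device id, no risk -> base match only
    {"TimeGenerated": "2025-02-17T08:13:00Z", "UserPrincipalName": "frank@example.com",
     "ResultType": "0", "AuthenticationProtocol": "deviceCode",
     "DeviceDetail": '{"deviceId": "", "operatingSystem": "MacOs"}',
     "RiskLevelDuringSignIn": "none", "AppDisplayName": "Example CLI tool",
     "AppId": "00000000-0000-0000-0000-0000000000a2",
     "Location": {"countryOrRegion": "US"}, "IPAddress": "203.0.113.44"},
]


def _device_detail(rec: dict[str, Any]) -> dict[str, Any]:
    """Return DeviceDetail as a dict; exported dynamic columns often arrive as JSON text."""
    detail = rec.get("DeviceDetail") or {}
    if isinstance(detail, str):
        try:
            detail = json.loads(detail) or {}
        except json.JSONDecodeError:
            detail = {}
    return detail if isinstance(detail, dict) else {}


def matches(rec: dict[str, Any], *, require_risk: bool = False,
            exclude_auth_broker: bool = False) -> bool:
    """Apply the same conditions as the Sentinel query, one per `where` line."""
    # | where ResultType == 0   (SigninLogs exposes ResultType as text, so compare normalised text)
    if str(rec.get("ResultType", "")).strip() != "0":
        return False
    # | where AuthenticationProtocol == "deviceCode"
    if rec.get("AuthenticationProtocol") != "deviceCode":
        return False
    # | where isempty(DeviceDetail.deviceId)   -> no registered device, i.e. unmanaged
    if _device_detail(rec).get("deviceId"):
        return False
    # Optional: exclude the Authentication Broker app to cut benign onboarding noise
    if exclude_auth_broker and rec.get("AppId") == AUTH_BROKER_APP_ID:
        return False
    # Optional: //| where RiskLevelDuringSignIn != "none"
    if require_risk and str(rec.get("RiskLevelDuringSignIn") or "none").lower() == "none":
        return False
    return True


def run_detection(records: Iterable[dict[str, Any]], *, require_risk: bool = False,
                  exclude_auth_broker: bool = False) -> list[dict[str, Any]]:
    """Filter records and shape each hit like the query's project-reorder / extend."""
    hits = []
    for rec in records:
        if not matches(rec, require_risk=require_risk, exclude_auth_broker=exclude_auth_broker):
            continue
        row = {col: rec.get(col) for col in PROJECTED_COLUMNS}
        # | extend operatingSystem = tostring(DeviceDetail.operatingSystem)
        row["operatingSystem"] = str(_device_detail(rec).get("operatingSystem", ""))
        hits.append(row)
    return hits


if __name__ == "__main__":
    for row in run_detection(SAMPLE_SIGNIN_LOGS, exclude_auth_broker=True):
        print(row["TimeGenerated"], row["UserPrincipalName"], row["AppDisplayName"],
              row["RiskLevelDuringSignIn"], row["operatingSystem"])
```

Running it with the default arguments returns three hits (alice, dave, frank); adding `exclude_auth_broker=True` drops the broker onboarding record, and `require_risk=True` leaves only the risky sign-in, which mirrors how uncommenting the risk line in the KQL narrows the result set to the cases worth triaging first. Note that `ResultType` is compared as normalised text because SigninLogs exposes it as a string column, while the Defender XDR `ErrorCode` is numeric.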

## Details

Author: Bert-Jan Pals

Released: February 17, 2025

Tables: AADSignInEventsBeta, SigninLogs

Keywords: Devices, EntraID, Signins, Risk, Authentication, Application, Country, IPAddress, User, Location, OperatingSystem

Operators: AADSignInEventsBeta, SigninLogs, where, isempty, in, project-reorder, extend, tostring