Adversaries may be using device code authentication from an unfamiliar autonomous system to bypass multi-factor authentication and gain unauthorized access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential device code phishing attempts and mitigate lateral movement risks.
KQL Query

```kql
let timeframe = 1d;
let lookback = 30d;
// Baseline: the ASNs each user signed in from successfully during the 30 days before the detection window
let KnownASNPerUser =
    SigninLogs
    | where TimeGenerated >= ago(timeframe + lookback) and TimeGenerated < ago(timeframe)
    | where ResultType == 0
    | where isnotempty(AutonomousSystemNumber)
    | summarize KnownASNs = make_set(AutonomousSystemNumber, 100) by UserPrincipalName;
// Detection window: successful device code sign-ins from an ASN absent from the user's baseline
SigninLogs
| where TimeGenerated >= ago(timeframe)
| where ResultType == 0
| where isnotempty(AutonomousSystemNumber)
// Device code flow marker; SigninLogs also exposes AuthenticationProtocol == "deviceCode" as an alternative
| where AuthenticationDetails has "deviceCode"
| join kind=leftouter KnownASNPerUser on UserPrincipalName
// isnull(KnownASNs): the user has no successful sign-in in the lookback at all, so any ASN is new
| where isnull(KnownASNs) or not(set_has_element(KnownASNs, AutonomousSystemNumber))
| extend AccountName = tostring(split(UserPrincipalName, "@")[0])
| extend AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
| project
    TimeGenerated,
    UserPrincipalName,
    AccountName,
    AccountUPNSuffix,
    IPAddress,
    AutonomousSystemNumber,
    Location,
    AppDisplayName,
    AuthenticationDetails,
    DeviceDetail,
    CorrelationId
| sort by TimeGenerated desc
```
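To make the baseline-versus-window logic of the query testable offline, here is an added Python re-implementation over a constructed, SigninLogs-shaped sample (not code from the rule or its author). It assumes the same 1d/30d windows and the 100-element cap of `make_set`, and uses a substring check where KQL `has` does a term match.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TIMEFRAME = timedelta(days=1)   # detection window (the query's `timeframe`)
LOOKBACK = timedelta(days=30)   # baseline window (the query's `lookback`)
MAX_KNOWN_ASNS = 100            # mirrors make_set(AutonomousSystemNumber, 100)

def ev(hours_ago, upn, asn, details, result=0, now=None):
    """One constructed SigninLogs-shaped record (sample data, not from a real tenant)."""
    return {"TimeGenerated": now - timedelta(hours=hours_ago), "UserPrincipalName": upn,
            "ResultType": result, "AutonomousSystemNumber": asn, "AuthenticationDetails": details}

def detect(signins, now):
    """Successful device code sign-ins in the last TIMEFRAME whose ASN the user never used in LOOKBACK."""
    window_start = now - TIMEFRAME
    known = defaultdict(set)                      # KnownASNPerUser
    for s in signins:                             # baseline: [now-31d, now-1d), successes only
        if (window_start - LOOKBACK <= s["TimeGenerated"] < window_start
                and s["ResultType"] == 0 and s["AutonomousSystemNumber"] is not None
                and len(known[s["UserPrincipalName"]]) < MAX_KNOWN_ASNS):
            known[s["UserPrincipalName"]].add(s["AutonomousSystemNumber"])
    hits = []
    for s in signins:                             # current window: successful device code sign-ins
        if (s["TimeGenerated"] < window_start or s["ResultType"] != 0
                or s["AutonomousSystemNumber"] is None
                or "deviceCode" not in s["AuthenticationDetails"]):   # KQL `has` is a term match
            continue
        seen = known.get(s["UserPrincipalName"])  # None == no baseline row, i.e. isnull(KnownASNs)
        if seen is None or s["AutonomousSystemNumber"] not in seen:
            name, _, suffix = s["UserPrincipalName"].partition("@")
            hits.append({"TimeGenerated": s["TimeGenerated"], "UserPrincipalName": s["UserPrincipalName"],
                         "AccountName": name, "AccountUPNSuffix": suffix,
                         "AutonomousSystemNumber": s["AutonomousSystemNumber"]})
    hits.sort(key=lambda h: h["TimeGenerated"], reverse=True)
    return hits

NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
DC = '[{"authenticationMethod":"deviceCode","succeeded":true}]'  # constructed details strings
PW = '[{"authenticationMethod":"Password","succeeded":true}]'
SAMPLE = [
    ev(24 * 20, "alice@contoso.example", 8075, PW, now=NOW),   # alice's baseline: ASN 8075
    ev(3, "alice@contoso.example", 64512, DC, now=NOW),        # device code from a new ASN -> hit
    ev(24 * 5, "bob@contoso.example", 3320, PW, now=NOW),
    ev(6, "bob@contoso.example", 3320, DC, now=NOW),           # device code from his usual ASN -> no hit
    ev(2, "carol@contoso.example", 64496, DC, now=NOW),        # no baseline at all -> hit (isnull branch)
    ev(1, "dave@contoso.example", 64500, DC, result=50126, now=NOW),  # failed sign-in -> ignored
]
```

Running `detect(SAMPLE, NOW)` returns carol and alice (newest first), which is the same pair of rows the KQL would emit for this data; bob is suppressed by his baseline and dave by the non-zero ResultType.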
```yaml
id: 562647c0-5edb-4a47-afa2-fa662efa89bf
name: Device code authentication from unseen autonomous system
description: |
  Identifies successful device code flow sign-ins from autonomous system numbers not
  seen for the user in the previous 30 days. Consistent with device code phishing:
  attacker initiates the flow, tricks the target into completing it.
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1528
  - T1078.004
query: |
  let timeframe = 1d;
  let lookback = 30d;
  let KnownASNPerUser =
      SigninLogs
      | where TimeGenerated >= ago(timeframe + lookback) and TimeGenerated < ago(timeframe)
      | where ResultType == 0
      | where isnotempty(AutonomousSystemNumber)
      | summarize KnownASNs = make_set(AutonomousSystemNumber, 100) by UserPrincipalName;
  SigninLogs
  | where TimeGenerated >= ago(timeframe)
  | where ResultType == 0
  | where isnotempty(AutonomousSystemNumber)
  | where AuthenticationDetails has "deviceCode"
  | join kind=leftouter KnownASNPerUser on UserPrincipalName
  | where isnull(KnownASNs) or not(set_has_element(KnownASNs, AutonomousSystemNumber))
  | extend AccountName = tostring(split(UserPrincipalName, "@")[0])
  | extend AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
  | project
      TimeGenerated,
      UserPrincipalName,
      AccountName,
      AccountUPNSuffix,
      IPAddress,
      AutonomousSystemNumber,
      Location,
      AppDisplayName,
      AuthenticationDetails,
      DeviceDetail,
      CorrelationId
  | sort by TimeGenerated desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: descambiado
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection", "Identity" ]
```
| Sentinel Table | Notes |
|---|---|
| SigninLogs | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Job Using Device Code Authentication
Description: A legitimate scheduled job (e.g., an Azure DevOps pipeline, Jenkins CI/CD, or Ansible automation) may use device code authentication to access cloud resources during maintenance windows.
Filter/Exclusion: Exclude activities associated with known automation tools (e.g., job_name LIKE '%jenkins%' OR job_name LIKE '%ansible%') or filter by user roles (e.g., user_principal_name LIKE '%svc_acct%'). These example predicates are written in generic SQL style; in SigninLogs the equivalent columns are UserPrincipalName, AppDisplayName, IPAddress and DeviceDetail, and there is no job name column, so automation is identified by the account or application it signs in as.
Scenario: Admin Task Using Device Code for Multi-Factor Authentication (MFA) Recovery
Description: An admin may use device code authentication to recover a user's account if MFA is temporarily disabled or if the user is locked out.
Filter/Exclusion: Exclude sign-ins where the user has admin privileges (e.g., user_principal_name LIKE '%admin%') or where the sign-in was initiated from a known admin workstation (e.g., device_name LIKE '%admin_workstation%'). Scope such an exclusion tightly: a blanket exclusion of every UPN containing "admin" removes exactly the accounts an attacker most wants to compromise, so a named list of recovery accounts or workstations is preferable.
Scenario: Third-Party Service Integration Using Device Code Flow
Description: A third-party service (e.g., ServiceNow, Salesforce, or a custom API tool) may use device code flow to authenticate with Azure AD during integration setup or testing.
Filter/Exclusion: Exclude sign-ins from known third-party service IPs (e.g., ip_address IN ('192.168.1.100', '10.0.0.50')) or filter by application names (e.g., app_display_name LIKE '%servicenow%').
Scenario: User Accessing Cloud Resources from a New Autonomous System Due to Geographical Move
Description: A user may have moved to a new region or country, resulting in a new autonomous system (AS) being used for sign-in, even