Adversaries may abuse Azure Browser SSO by requesting OAuth 2.0 refresh tokens to maintain persistent access to Azure AD-authenticated systems without user interaction. SOC teams should proactively hunt for this behavior to identify potential lateral movement or long-term persistence in their Azure Sentinel environment.
Detection Rule
title: Potential Azure Browser SSO Abuse
id: 50f852e6-af22-4c78-9ede-42ef36aa3453
status: test
description: |
    Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.
    An attacker can use this to authenticate to Azure AD in a browser as that user.
references:
    - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
author: Den Iuzvyk
date: 2020-07-15
modified: 2023-04-18
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded: 'C:\Windows\System32\MicrosoftAccountTokenProvider.dll'
    filter_main_bgtaskhost:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
        Image|endswith: '\BackgroundTaskHost.exe'
        # CommandLine|contains: '-ServerNameBackgroundTaskHost.WebAccountProvider'
    filter_optional_devenv:
        Image|startswith:
            - 'C:\Program Files\Microsoft Visual Studio\'
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
        Image|endswith: '\IDE\devenv.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_onedrive:
        Image|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
    filter_optional_null:
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - False positives are expected since this rule is only looking for the DLL load event. This rule is better used in correlation with related activity.
level: low
Advanced Hunting Query (KQL)
DeviceImageLoadEvents
| where FolderPath =~ "C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll"
    // filter_main_bgtaskhost
    and not ((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") and InitiatingProcessFolderPath endswith "\\BackgroundTaskHost.exe")
    // filter_optional_* (devenv, ie, edge_1, edge_2, onedrive, null)
    and not (
        ((InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\") and InitiatingProcessFolderPath endswith "\\IDE\\devenv.exe")
        or InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")
        or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))
        or ((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\") and (InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe"))
        or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
        or isnull(InitiatingProcessFolderPath)
    )
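The Sigma rule and its KQL translation above encode the same logic: alert on any load of MicrosoftAccountTokenProvider.dll unless the loading process is one of the known-good paths. The Python below is an added example, not part of the rule, the Sigma project or the page's KQL; it re-implements that selection/filter/condition logic and runs it over a handful of constructed Sysmon Event ID 7 image-load records, so a reviewer can see which loads each filter block suppresses, why the null filter exists, and why the path prefixes in filter_main_bgtaskhost matter. The field names Image and ImageLoaded follow the Sigma rule; the sample process paths, user name and tool name are made up for the example.

```python
from typing import Iterable, Optional

# ImageLoaded value the rule's 'selection' block looks for.
TARGET_DLL = "C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll"


def _starts_with_any(value: str, prefixes: Iterable[str]) -> bool:
    # Sigma's |startswith modifier compares case-insensitively by default.
    return any(value.startswith(p.lower()) for p in prefixes)


def _ends_with_any(value: str, suffixes: Iterable[str]) -> bool:
    # Same for |endswith.
    return any(value.endswith(s.lower()) for s in suffixes)


def _in_any(value: str, exact: Iterable[str]) -> bool:
    # A plain list under a field is an OR of case-insensitive exact matches.
    return any(value == e.lower() for e in exact)


def selection(event: dict) -> bool:
    """The rule's 'selection' block: the token-provider DLL was loaded."""
    loaded = event.get("ImageLoaded")
    return loaded is not None and loaded.lower() == TARGET_DLL.lower()


def matching_filter(image: Optional[str]) -> Optional[str]:
    """Name of the first filter_* block the loading process matches, or None."""
    if image is None:
        return "filter_optional_null"  # 'Image: null': no process path recorded
    img = image.lower()
    checks = [
        ("filter_main_bgtaskhost",
         _starts_with_any(img, ["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"])
         and _ends_with_any(img, ["\\BackgroundTaskHost.exe"])),
        ("filter_optional_devenv",
         _starts_with_any(img, ["C:\\Program Files\\Microsoft Visual Studio\\",
                                "C:\\Program Files (x86)\\Microsoft Visual Studio\\"])
         and _ends_with_any(img, ["\\IDE\\devenv.exe"])),
        ("filter_optional_ie",
         _in_any(img, ["C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
                       "C:\\Program Files\\Internet Explorer\\iexplore.exe"])),
        # A list of maps in Sigma is an OR of its entries.
        ("filter_optional_edge_1",
         _starts_with_any(img, ["C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\"])
         or _ends_with_any(img, ["\\WindowsApps\\MicrosoftEdge.exe"])
         or _in_any(img, ["C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
                          "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"])),
        ("filter_optional_edge_2",
         _starts_with_any(img, ["C:\\Program Files (x86)\\Microsoft\\EdgeCore\\",
                                "C:\\Program Files\\Microsoft\\EdgeCore\\"])
         and _ends_with_any(img, ["\\msedge.exe", "\\msedgewebview2.exe"])),
        ("filter_optional_onedrive",
         _ends_with_any(img, ["\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"])),
    ]
    for name, hit in checks:
        if hit:
            return name
    return None


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection(event) and matching_filter(event.get("Image")) is None


def evaluate(events: Iterable[dict]) -> list:
    """Return the events that would raise an alert."""
    return [e for e in events if rule_matches(e)]


# Constructed Sysmon Event ID 7 records (not real telemetry).
SAMPLE_EVENTS = [
    # Windows' own SSO broker loading the provider: filter_main_bgtaskhost.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\BackgroundTaskHost.exe", "ImageLoaded": TARGET_DLL},
    # Edge doing browser SSO: filter_optional_edge_1.
    {"EventID": 7, "Image": "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe", "ImageLoaded": TARGET_DLL},
    # OneDrive client: filter_optional_onedrive.
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "ImageLoaded": TARGET_DLL},
    # Incomplete telemetry with no Image field: filter_optional_null.
    {"EventID": 7, "ImageLoaded": TARGET_DLL},
    # Unrelated DLL loaded by the broker: never selected.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\BackgroundTaskHost.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    # Tool in a user profile loading the provider: alerts.
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\sso_tool.exe", "ImageLoaded": TARGET_DLL},
    # Same file name as the broker but outside System32/SysWOW64: the
    # startswith prefixes in filter_main_bgtaskhost mean this still alerts.
    {"EventID": 7, "Image": "C:\\Temp\\BackgroundTaskHost.exe", "ImageLoaded": TARGET_DLL},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict = "ALERT" if rule_matches(ev) else (matching_filter(ev.get("Image")) or "not selected")
        print(f"{ev.get('Image')!s:70} -> {verdict}")
```

Two points the code makes explicit that the YAML leaves implicit: `1 of filter_*` means any single filter block suppresses the event, so each exclusion should be as narrow as the path prefixes allow, and `filter_optional_null` exists because an image-load record with no process path cannot be attributed at all, so the rule drops it rather than alerting on unknowns.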
Scenario: Scheduled Job Using Azure AD Authentication
Description: A legitimate scheduled job (e.g., using schtasks.exe or Task Scheduler) runs under an Azure AD-authenticated user account and requests a refresh token as part of its authentication process.
Filter/Exclusion: Exclude events where the process is schtasks.exe or Task Scheduler and the user is a service account or system account.
Scenario: Admin Task Using Azure AD Credentials
Description: An administrator performs a remote administration task (e.g., using Remote Desktop or PowerShell Remoting) and the session requests a refresh token as part of the authentication flow.
Filter/Exclusion: Exclude events where the process is mstsc.exe (Remote Desktop) or powershell.exe with a known admin task command line.
Scenario: Browser-Based Application with Refresh Token Flow
Description: A legitimate web application (e.g., Microsoft Edge or Chrome) uses OAuth 2.0 with a refresh token for single sign-on (SSO) and requests a refresh token during normal operation.
Filter/Exclusion: Exclude events where the user agent is a known browser and the application is a known internal SSO tool (e.g., Azure AD B2C, Microsoft 365, or Intune).
Scenario: Azure AD Join Process
Description: A machine is joined to Azure AD using the Azure AD Join tool (AzureADJoin.exe) and the process requests a refresh token as part of the join operation.
Filter/Exclusion: Exclude events where the process is AzureADJoin.exe or the event occurs during a known Azure AD join operation.
Scenario: PowerShell Script Using Azure AD Authentication
Description: A PowerShell script (e.g.,