Device code authentication abuse
The device code flow allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer. To enable this flow, the device has the user visit a webpage in a browser on another device to sign in. Once the user has signed in, the device can obtain access tokens and refresh tokens as needed.
An attacker connects to the /devicecode endpoint and sends a client_id and resource.
After receiving the verification_uri and user_code, the attacker creates an email containing a link to the verification_uri together with the user_code, and sends it to the victim.
The victim clicks the link, enters the code and completes the sign-in.
The attacker receives an access_token and refresh_token and can now impersonate the victim.
List of Client IDs
In Azure, access tokens are stored per client ID.
Send a POST request to oauth2/devicecode to retrieve the following:
User code
Device code string
Time until the code expires
Send the user an email with the code and a link to "DeviceLogin", where they enter the code.
Retrieving the access tokens
The attacker needs to make an HTTP POST to the Azure AD token endpoint every 5 seconds.
The request must include the following parameters (device_code is the value retrieved in step 1):
client_id: d3590ed6-52b3-4102-aeff-aad2292ab01c
resource
device_code: CAQABAAEAAAB2UyzwtQEKR7-rWbgdcBZIGm0IlLxBn23EWIrgw7fkNIKyMdS2xoEg9QAntABbI5ILrinFM2ze8dVKdixlThVWfM8ZPhq9p7uN8tYIuMkfVJ29aUnUBTFsYCmJCsZHkIxtmwdCsIlKpOQij2lJZzphfZX8j0nktDpaHVB0zm-vqATogllBjA-t_ZM2B0cgcjQgAA
grant_type: urn:ietf:params:oauth:grant-type:device_code
If the authentication is still pending, an HTTP 400 Bad Request error is returned with the following content:
After a successful login, we'll get the following response (tokens truncated):
This is difficult to detect without browser forensics looking for navigation to the https://microsoft.com/devicelogin website.
Sign-In logs
Azure Sign-Ins will show two near-simultaneous entries; focus on identifying device code authentication usage:
Interactive sign-in (the attacker completing the device code flow).
Non-interactive sign-in (the attacker accessing a resource using the stolen OAuth token).
The interactive sign-in shows that device code authentication was used. The logon is token based, so only a single factor is used. The TA is using it to gain access to the Graph API (or whatever other resource they accessed). Fields to check:
Malicious IP
Client App: Mobile Apps and Desktop clients
User Agent
Authentication Protocol: Device Code
Resource ID: the resource the TA requested (e.g. Graph)
A success and a failure log will trigger within 10 seconds of each other for a successful device login.
Non-interactive sign-ins will show how the TA interacted with the access token after gaining access to it. Fields to check:
User Agent (anomalies could be curl, python, powershell, etc.)
Malicious IP
Client App: Mobile Apps and Desktop clients
UAL logs
Located in the M365 Defender Portal: https://security.microsoft.com/
The attacker's IP triggers a "User Logged In" event for every operation they perform with the stolen token. Fields to check:
ExtendedProperties Request Type: CMSI
CMSI: Check My Sign-In (triggered when the platform requires the user to validate a request, e.g. when the user gives consent to an application)
Item: Microsoft Graph (the resource the TA requested)
Application ID: the client ID the TA is pretending to be (e.g. Microsoft Office)
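As an added example (not code from the original page), the following Python applies the Sign-In log checks above to a constructed sample: it pairs an interactive device code failure and success for the same user and IP within 10 seconds, then finds the non-interactive sign-ins from that same user and IP and flags scripted user agents. Field names follow the Microsoft Graph signIn resource; the records, addresses, timestamps and the non-zero error code are constructed for the example.

```python
from datetime import datetime, timedelta

SCRIPTED_AGENTS = ("curl", "python", "powershell")   # anomalous agents named on this page

def rec(ts, user, ip, interactive, proto, ua, code, resource="Microsoft Graph"):
    """Build one sign-in record using Microsoft Graph signIn field names."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "isInteractive": interactive, "authenticationProtocol": proto,
            "userAgent": ua, "resourceDisplayName": resource,
            "clientAppUsed": "Mobile Apps and Desktop clients",
            "status": {"errorCode": code}}

# Constructed sample log: errorCode 0 = success, any other value = failure.
SIGNINS = [
    rec("2024-01-10T09:00:00Z", "alice@example.com", "203.0.113.5", True, "deviceCode", "Mozilla/5.0", 1),
    rec("2024-01-10T09:00:07Z", "alice@example.com", "203.0.113.5", True, "deviceCode", "Mozilla/5.0", 0),
    rec("2024-01-10T09:01:30Z", "alice@example.com", "203.0.113.5", False, "oAuth2", "python-requests/2.31", 0),
    rec("2024-01-10T09:02:00Z", "alice@example.com", "192.0.2.20", False, "oAuth2", "Mozilla/5.0", 0),
    rec("2024-01-10T09:03:00Z", "bob@example.com", "198.51.100.9", True, "oAuth2", "Mozilla/5.0", 0),
]

def ts(e):
    return datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_device_code_logins(signins, window=timedelta(seconds=10)):
    """Interactive deviceCode sign-ins where a failure and a success for the same
    user from the same IP fall within `window` of each other."""
    dc = [e for e in signins if e["isInteractive"] and e["authenticationProtocol"] == "deviceCode"]
    hits = []
    for ok in (e for e in dc if e["status"]["errorCode"] == 0):
        paired = any(f["status"]["errorCode"] != 0
                     and f["userPrincipalName"] == ok["userPrincipalName"]
                     and f["ipAddress"] == ok["ipAddress"]
                     and abs(ts(f) - ts(ok)) <= window for f in dc)
        if paired:
            hits.append({"user": ok["userPrincipalName"], "ip": ok["ipAddress"],
                         "resource": ok["resourceDisplayName"], "time": ok["createdDateTime"]})
    return hits

def find_token_use(signins, logins):
    """Non-interactive sign-ins by the same user from the IP that completed the
    device login, i.e. the stolen token being used; flags scripted user agents."""
    keys = {(h["user"], h["ip"]) for h in logins}
    out = []
    for e in signins:
        if not e["isInteractive"] and (e["userPrincipalName"], e["ipAddress"]) in keys:
            out.append({"user": e["userPrincipalName"], "ip": e["ipAddress"],
                        "resource": e["resourceDisplayName"],
                        "scripted_agent": any(a in e["userAgent"].lower() for a in SCRIPTED_AGENTS)})
    return out
```

On real data, feed the output of a sign-in log export into the same two functions; the second record of the sample is the success the first one pairs with, and the third is the token use from the same address.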
There are not many ways to prevent this abuse.
Implement location-based Conditional Access Policies.
Control how a user is allowed to log in to their account.