# Device code authentication abuse

## What Is Device Code Authentication?

Device code authentication allows users to sign in on input-constrained devices such as a smart TV, IoT device, or printer. To enable this flow, the device has the user visit a webpage in a browser on another device to sign in. Once the user signs in, the device is able to obtain access tokens and refresh tokens as needed.
1. The attacker connects to the /devicecode endpoint and sends a client_id and resource.
2. After receiving the verification_uri and user_code, the attacker creates an email containing a link to verification_uri and the user_code, and sends it to the victim.
3. The victim clicks the link, enters the code and completes the sign-in.
4. The attacker receives an access_token and refresh_token and can now impersonate the victim.
## List of Client IDs
Access tokens are stored for different Client IDs in Azure.
## Attack

Send a POST request to oauth2/devicecode to retrieve:

- User code
- Device code string
- Time until the code expires

Send the user an email with the code and a link to "DeviceLogin" to enter the code.
### Retrieving the access tokens

The attacker needs to make an HTTP POST to the Azure AD token endpoint every 5 seconds.

The request must include the following parameters (device_code is the device code returned in step 1):
| Parameter | Value |
|---|---|
| client_id | d3590ed6-52b3-4102-aeff-aad2292ab01c |
| resource | |
| device_code | CAQABAAEAAAB2UyzwtQEKR7-rWbgdcBZIGm0IlLxBn23EWIrgw7fkNIKyMdS2xoEg9QAntABbI5ILrinFM2ze8dVKdixlThVWfM8ZPhq9p7uN8tYIuMkfVJ29aUnUBTFsYCmJCsZHkIxtmwdCsIlKpOQij2lJZzphfZX8j0nktDpaHVB0zm-vqATogllBjA-t_ZM2B0cgcjQgAA |
| grant_type | urn:ietf:params:oauth:grant-type:device_code |
If the authentication is still pending, an HTTP 400 Bad Request error is returned with the following content:

After a successful login, we'll get the following response (tokens truncated):
## Detect

Difficult to detect without browser forensics looking for navigation to the https://microsoft.com/devicelogin website.

### What logs are available?

- Sign-In logs
- UAL logs
### Sign-In Logs

Azure Sign-Ins will show two near-simultaneous entries; focus on identifying device code authentication usage.

- Interactive sign-in (attacker)
- Non-interactive sign-in (when the attacker accessed a resource using the stolen OAuth token)
#### What will Interactive Sign-In logs show?

- Shows that device code authentication was used.
- The logon is token based, therefore single factor is used.
- The TA is using it to gain access to the Graph API (or whichever other resource they accessed).
- Malicious IP
- Client App: Mobile Apps and Desktop clients
- User Agent
- Authentication Protocol: Device Code
- Resource ID: the resource the TA requested (i.e. Graph)

A success and a failure log entry will appear within 10 seconds of each other for a successful device login.
#### What will Non-Interactive Sign-In logs show?

Non-interactive sign-ins will show how the TA used the access token after gaining access to it.

- User Agent (anomalies could be curl, python, powershell, etc.)
- Malicious IP
- Client App: Mobile Apps and Desktop clients
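The two sign-in patterns above (an interactive device code failure/success pair within 10 seconds, followed by non-interactive use of the token from a scripting user agent) can be correlated over a sign-in log export. The script below is an added example, not code from the original page: the records are constructed, and the field names (`isInteractive`, `authenticationProtocol`, `clientAppUsed`, `status.errorCode`) are assumed to follow the Microsoft Graph `signIn` resource as exported from Entra ID.

```python
"""Correlate device code sign-ins in an Entra ID (Azure AD) sign-in log export.

Added example for this page. Records are constructed; field names are assumed
to follow the Microsoft Graph `signIn` resource.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# A successful device login produces a failure and a success entry within ~10 s.
PAIR_WINDOW = timedelta(seconds=10)
# User agents that indicate scripted token use rather than a normal client.
SCRIPTED_UA_MARKERS = ("curl", "python", "powershell")

# Constructed sample export: a device code failure/success pair for alice, a later
# non-interactive use of that token from a script, and a normal browser sign-in
# for bob that must not be flagged. Error code 50199 is used for the failure entry.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T10:00:00Z", "userPrincipalName": "alice@example.com",
     "isInteractive": True, "authenticationProtocol": "deviceCode",
     "clientAppUsed": "Mobile Apps and Desktop clients", "appDisplayName": "Microsoft Office",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.7",
     "userAgent": "Mozilla/5.0", "status": {"errorCode": 50199}},
    {"createdDateTime": "2024-05-01T10:00:06Z", "userPrincipalName": "alice@example.com",
     "isInteractive": True, "authenticationProtocol": "deviceCode",
     "clientAppUsed": "Mobile Apps and Desktop clients", "appDisplayName": "Microsoft Office",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.7",
     "userAgent": "Mozilla/5.0", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T10:02:30Z", "userPrincipalName": "alice@example.com",
     "isInteractive": False, "authenticationProtocol": "none",
     "clientAppUsed": "Mobile Apps and Desktop clients", "appDisplayName": "Microsoft Office",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.7",
     "userAgent": "python-requests/2.31.0", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T10:05:00Z", "userPrincipalName": "bob@example.com",
     "isInteractive": True, "authenticationProtocol": "oAuth2",
     "clientAppUsed": "Browser", "appDisplayName": "Office 365 SharePoint Online",
     "resourceDisplayName": "Office 365 SharePoint Online", "ipAddress": "198.51.100.5",
     "userAgent": "Mozilla/5.0", "status": {"errorCode": 0}},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def device_code_interactive(records):
    """Interactive sign-ins that used the device code protocol."""
    return [r for r in records
            if r.get("isInteractive") and r.get("authenticationProtocol") == "deviceCode"]


def paired_device_code_logins(records):
    """Return (failure, success) pairs for the same user within PAIR_WINDOW."""
    by_user = defaultdict(list)
    for r in device_code_interactive(records):
        by_user[r["userPrincipalName"]].append(r)
    pairs = []
    for entries in by_user.values():
        entries.sort(key=lambda r: parse_time(r["createdDateTime"]))
        for i, fail in enumerate(entries):
            if fail["status"]["errorCode"] == 0:
                continue
            for succ in entries[i + 1:]:
                delta = parse_time(succ["createdDateTime"]) - parse_time(fail["createdDateTime"])
                if delta > PAIR_WINDOW:
                    break
                if succ["status"]["errorCode"] == 0:
                    pairs.append((fail, succ))
                    break
    return pairs


def token_use_after(records, success):
    """Non-interactive sign-ins for the same user after the device code success."""
    t0 = parse_time(success["createdDateTime"])
    hits = []
    for r in records:
        if r.get("isInteractive") or r["userPrincipalName"] != success["userPrincipalName"]:
            continue
        if parse_time(r["createdDateTime"]) < t0:
            continue
        ua = r.get("userAgent", "").lower()
        hits.append({"time": r["createdDateTime"], "ip": r["ipAddress"],
                     "resource": r["resourceDisplayName"],
                     "scripted_ua": any(m in ua for m in SCRIPTED_UA_MARKERS),
                     "new_ip": r["ipAddress"] != success["ipAddress"]})
    return hits


def build_alerts(records):
    """One alert per correlated device code login, with the follow-on token use."""
    alerts = []
    for fail, succ in paired_device_code_logins(records):
        gap = parse_time(succ["createdDateTime"]) - parse_time(fail["createdDateTime"])
        alerts.append({"user": succ["userPrincipalName"], "ip": succ["ipAddress"],
                       "client_app": succ["clientAppUsed"], "app": succ["appDisplayName"],
                       "resource": succ["resourceDisplayName"],
                       "seconds_between_failure_and_success": int(gap.total_seconds()),
                       "token_use": token_use_after(records, succ)})
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_SIGNINS):
        print(alert)
```

The pairing step is what separates a phished device login from ordinary device code use: a single interactive `deviceCode` entry is common for legitimate CLI tools, but a failure/success pair followed by non-interactive Graph access from a `python` or `curl` user agent at the same IP is the sequence described above.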
### What will UAL logs show?

Located in the M365 Defender Portal: https://security.microsoft.com/

- Attacker IP triggering "User Logged In" for every operation they perform with the stolen token.
- ExtendedProperties Request Type: CMSI
- CMSI: Check My Sign-In (triggered when the platform requires the user to validate a request, i.e. the user gives consent to an application).
- Item: Microsoft Graph (the resource the TA requested).
- Application ID: the client ID the TA is pretending to be (i.e. Microsoft Office).
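To turn the UAL indicators above into a per-source summary, the script below groups "UserLoggedIn" events by client IP and user, counts how many carry the CMSI request type, and resolves the Application ID to a name (the client ID from the token request table above is the only one mapped). It is an added example, not code from the original page: the records are constructed, and the field names (`Operation`, `ClientIP`, `ApplicationId`, `ObjectId`, `ExtendedProperties`) are assumed to follow the Office 365 Management Activity API logon schema.

```python
"""Summarise UserLoggedIn events from a Unified Audit Log (UAL) export by source IP.

Added example for this page. Records are constructed; field names are assumed to
follow the Office 365 Management Activity API AzureActiveDirectoryStsLogon schema.
"""
import json

# Client ID from the token request table on this page, which presents itself as Microsoft Office.
KNOWN_CLIENT_IDS = {"d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office"}
# Well-known Microsoft Graph application ID, used to name the "Item"/ObjectId field.
RESOURCE_NAMES = {"00000003-0000-0000-c000-000000000000": "Microsoft Graph"}

# Constructed sample: three logons from one IP for alice (the first carries the CMSI
# request type), plus an ordinary browser logon for bob from another IP whose
# ApplicationId is a placeholder GUID.
SAMPLE_UAL = json.dumps([
    {"CreationTime": "2024-05-01T10:00:06", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "ApplicationId": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
     "ObjectId": "00000003-0000-0000-c000-000000000000",
     "ExtendedProperties": [{"Name": "RequestType", "Value": "Cmsi:Cmsi"},
                            {"Name": "UserAgent", "Value": "Mozilla/5.0"}]},
    {"CreationTime": "2024-05-01T10:02:30", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "ApplicationId": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
     "ObjectId": "00000003-0000-0000-c000-000000000000",
     "ExtendedProperties": [{"Name": "RequestType", "Value": "OAuth2:Token"},
                            {"Name": "UserAgent", "Value": "python-requests/2.31.0"}]},
    {"CreationTime": "2024-05-01T10:04:10", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "ApplicationId": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
     "ObjectId": "00000003-0000-0000-c000-000000000000",
     "ExtendedProperties": [{"Name": "RequestType", "Value": "OAuth2:Token"},
                            {"Name": "UserAgent", "Value": "python-requests/2.31.0"}]},
    {"CreationTime": "2024-05-01T10:05:00", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.5",
     "ApplicationId": "11111111-2222-3333-4444-555555555555",
     "ObjectId": "11111111-2222-3333-4444-555555555555",
     "ExtendedProperties": [{"Name": "RequestType", "Value": "Login:login"},
                            {"Name": "UserAgent", "Value": "Mozilla/5.0"}]},
])


def parse_ual(raw):
    """Parse a JSON array of audit records (the AuditData shape of a UAL export)."""
    return json.loads(raw)


def extended_property(record, name):
    """Read one value from the ExtendedProperties name/value list, or None."""
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def is_cmsi(record):
    """True when the logon's RequestType is a Check My Sign-In (CMSI) interrupt."""
    return "cmsi" in (extended_property(record, "RequestType") or "").lower()


def summarise_logons(records):
    """Group UserLoggedIn events by (ClientIP, UserId) with counts and distinct values."""
    groups = {}
    for r in records:
        if r.get("Operation") != "UserLoggedIn":
            continue
        key = (r["ClientIP"], r["UserId"])
        g = groups.setdefault(key, {"client_ip": r["ClientIP"], "user": r["UserId"],
                                    "logons": 0, "cmsi": 0, "applications": set(),
                                    "resources": set(), "user_agents": set()})
        g["logons"] += 1
        g["cmsi"] += int(is_cmsi(r))
        g["applications"].add(KNOWN_CLIENT_IDS.get(r["ApplicationId"], r["ApplicationId"]))
        g["resources"].add(RESOURCE_NAMES.get(r.get("ObjectId"), r.get("ObjectId")))
        ua = extended_property(r, "UserAgent")
        if ua:
            g["user_agents"].add(ua)
    summary = []
    for g in groups.values():
        for field in ("applications", "resources", "user_agents"):
            g[field] = sorted(g[field])
        summary.append(g)
    return sorted(summary, key=lambda g: (-g["cmsi"], -g["logons"]))


def flag_cmsi_sources(records):
    """Sources that triggered at least one CMSI logon, the pattern described above."""
    return [g for g in summarise_logons(records) if g["cmsi"] > 0]


if __name__ == "__main__":
    for source in flag_cmsi_sources(parse_ual(SAMPLE_UAL)):
        print(source)
```

Every subsequent use of the stolen token from the same IP lands in the same group, so the count of logons per source, together with the CMSI marker and the user agents seen, gives a compact view of what the token was used for after the consent step.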
## Mitigate

Not a lot of ways to prevent this abuse.

- Implement location-based Conditional Access Policies.
- Control how a user is allowed to log in to their account.