Persistence (TA0003)(external, opens in a new tab or window)
Defense Evasion (TA0005)(external, opens in a new tab or window)
Credential Access (TA0006)(external, opens in a new tab or window)
text code block:sequence with maxspan=3m [authentication where data_stream.dataset == "azure.signinlogs" and azure.signinlogs.category == "NonInteractiveUserSignInLogs" and azure.signinlogs.properties.app_id == "29d9ed98-a469-4536-ade2-f981bc1d605e" and azure.signinlogs.properties.resource_display_name == "Device Registration Service" and azure.signinlogs.properties.incoming_token_type == "refreshToken" and azure.signinlogs.properties.token_protection_status_details.sign_in_session_status == "unbound" and azure.signinlogs.properties.user_type == "Member" and azure.signinlogs.result_signature == "SUCCESS" ] by azure.signinlogs.properties.user_id [any where data_stream.dataset == "azure.auditlogs" and azure.auditlogs.operation_name == "Register device" and azure.auditlogs.properties.initiated_by.user.id != null and azure.auditlogs.properties.target_resources.`0`.display_name like "DESKTOP-*" and event.outcome == "success" ] by azure.auditlogs.properties.initiated_by.user.id [authentication where data_stream.dataset == "azure.signinlogs" and azure.signinlogs.properties.incoming_token_type == "primaryRefreshToken" and azure.signinlogs.properties.original_transfer_method == "deviceCodeFlow" and azure.signinlogs.properties.is_interactive == true and azure.signinlogs.properties.resource_display_name != "Device Registration Service" and azure.signinlogs.properties.device_detail.is_managed != true and azure.signinlogs.result_signature == "SUCCESS" ] by azure.signinlogs.properties.user_id
Install detection rules in Elastic Security
Detect Entra ID AiTM Phishing-Kit Chain Detected in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).