← Back to Explore
sigmahighHunting
Azure Login Bypassing Conditional Access Policies
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
Detection Query
selection:
Operation: UserLoggedIn
ApplicationId: 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223
ResultStatus: Success
RequestType: Cmsi:Cmsi
filter_main_bjectid:
ObjectId: 0000000a-0000-0000-c000-000000000000
condition: selection and not 1 of filter_main_*
Author
Josh Nickels, Marius Rothenbücher
Created
2025-01-08
Data Sources
m365audit
Platforms
m365
References
Tags
attack.privilege-escalationattack.persistenceattack.initial-accessattack.defense-evasionattack.t1078
Raw Content
title: Azure Login Bypassing Conditional Access Policies
id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
status: experimental
description: |
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
author: Josh Nickels, Marius Rothenbücher
references:
- https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
- https://github.com/JumpsecLabs/TokenSmith
date: 2025-01-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.defense-evasion
- attack.t1078
logsource:
service: audit
product: m365
detection:
selection:
Operation: 'UserLoggedIn'
ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
ResultStatus: 'Success'
RequestType: 'Cmsi:Cmsi'
filter_main_bjectid:
ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high