This article walks you through how a test for a failed logon into Entra ID can be reduced to a single curl command that a user can execute. The test performs a deliberately failed ROPC (Resource Owner Password Credentials OAuth 2.0 flow) request against the user's tenant.
We request a token for the Microsoft Graph application/client indicated via the client_id parameter of 00000003-0000-0000-c000-000000000000.
Note: This ID is contained in the curl command found below.
Enter the custom user agent: rccar-377b44f768952347e90084f736b81f68ac2a662c9067384b333d59ffdf4e3d04-rccar.
In order to test end-to-end telemetry > detection on Microsoft User Access Logging (UAL) data, Red Canary will create custom user agents that are mapped to specific detectors, as well as Autobots that report RCCAR detections based on the user agent string as Low, Medium, or High.
The customer needs to insert the two bold placeholder values (<INSERT_TENANT_ID_HERE> and <INSERT_UPN_HERE>) in the command line:
- Tenant ID (see "Find your Office 365 Tenant ID" for more information); this is the same tenant ID you used to configure the O365 integration with the Red Canary platform.
- User Principal Name (UPN) of a test user in their tenant
curl -X POST "https://login.microsoftonline.com/<INSERT_TENANT_ID_HERE>/oauth2/v2.0/token" -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=00000003-0000-0000-c000-000000000000&grant_type=password&scope=.default%20openid%20profile&username=<INSERT_UPN_HERE>&password=FAILED_PASSWORD" -A 'rccar-377b44f768952347e90084f736b81f68ac2a662c9067384b333d59ffdf4e3d04-rccar'
Save the rule to see the new related threat in Red Canary.
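The following is an added example, not Red Canary's code: it assembles the same ROPC request the curl command above sends (same client_id, grant type, scope, placeholder password and rccar user agent) and then classifies the token endpoint's reply so the tester can confirm the attempt was recorded as a failed logon. The AADSTS error codes it looks for (50126 for a bad password, 50034 for an unknown user) are assumed from Entra ID's documented responses, not taken from the article.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

GRAPH_CLIENT_ID = "00000003-0000-0000-c000-000000000000"  # from the article
RCCAR_UA = "rccar-377b44f768952347e90084f736b81f68ac2a662c9067384b333d59ffdf4e3d04-rccar"
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def build_ropc_request(tenant_id: str, upn: str) -> urllib.request.Request:
    """Assemble the POST exactly as the curl command does. Malformed input is
    rejected up front so a typo cannot aim the test at the wrong tenant."""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"tenant_id is not a GUID: {tenant_id!r}")
    if "@" not in upn:
        raise ValueError(f"upn does not look like user@domain: {upn!r}")
    form = urllib.parse.urlencode({
        "client_id": GRAPH_CLIENT_ID,
        "grant_type": "password",
        "scope": ".default openid profile",
        "username": upn,
        "password": "FAILED_PASSWORD",  # deliberately wrong, as in the article
    })
    return urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        data=form.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "User-Agent": RCCAR_UA},
    )


def classify_response(status: int, body: str) -> str:
    """AADSTS50126 (assumed: bad password) is the intended outcome; AADSTS50034
    (assumed: no such user) means the UPN is wrong; a token means a real password
    was used and the run did NOT exercise the failed-logon detector."""
    payload = json.loads(body)
    if status == 200 and "access_token" in payload:
        return "unexpected_success"
    desc = payload.get("error_description", "")
    if payload.get("error") == "invalid_grant" and "AADSTS50126" in desc:
        return "failed_logon_as_expected"
    if "AADSTS50034" in desc:
        return "unknown_user"
    return "other_error"


def run_test(tenant_id: str, upn: str) -> str:
    """Send the request (needs network access) and classify the reply."""
    req = build_ropc_request(tenant_id, upn)
    try:
        with urllib.request.urlopen(req) as resp:
            return classify_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # Entra answers failures with 4xx
        return classify_response(err.code, err.read().decode())
```

Only `failed_logon_as_expected` means the UAL entry Red Canary expects was generated; any other result means the test should be re-checked before looking for the detection.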
Comments
Alternatively, you can save and run the following as a PowerShell script (.ps1)