Primary Refresh Token Access Attempt

Rule Info

Name
Primary Refresh Token Access Attempt
Author
Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
Description
Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft
Reference
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt
Date
2023-09-07 00:00:00
Modified
None
Id
a84fc3b1-c9ce-4125-8e74-bdcdb24021f1
Tags
attack.t1528 attack.credential-access
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=a84fc3b1-c9ce-4125-8e74-bdcdb24021f1

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
github-actions[bot]
Merge PR #4942 from @nasbench - promote older rules status from experimental to test
2024-08-01
6b7814466
Ryan Plas
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
2024-07-02
1d40f1d20
Mark Morowczynski
Merge PR #4429 from @MarkMorow - Add New Azure Identity Protection Rules
2023-09-11
e5fabcbd2
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022