heroui logo

Entra ID ROPC Authentication with Unknown Client ID

Elastic Detection Rules

View Source
Summary
Detects potential OAuth client ID spoofing in Microsoft Entra ID sign-in logs by identifying ROPC authentication attempts that fail with error code 700016 (application not found) and lack a resolved app_display_name. The rule focuses on requests where the app_id (client ID) does not map to any registered application in the tenant, indicating adversaries may fragment attempts across many fictional client IDs to evade per-application detections, rate limiting, and Conditional Access. It leverages a New Terms constraint: the app_id must be unseen in the tenant’s sign-in logs in the previous 10 days, so each spoofed identifier surfaces once. This behavior enables stealthy user enumeration and password spraying without producing successful sign-ins, while bypassing application-scoped controls. The rule maps to MITRE ATT&CK techniques for Credential Access (T1110 / T1110.003 Password Spraying) and Cloud Account discovery (T1087.004) and identifies Discovery and Credential Access patterns in Entra ID sign-in activity. Triage focuses on validating the unknown app_id, correlating user principals, and assessing source infrastructure. False positives include legitimate but deleted apps in the tenant or misconfigured legacy clients. Remediation emphasizes MFA, Conditional Access, disabling unnecessary ROPC flows, and blocking offending sources, with credential resets for affected accounts and token revocation as needed.
Categories
  • Azure
  • Cloud
  • Identity Management
Data Sources
  • Application Log
ATT&CK Techniques
  • T1110
  • T1110.003
  • T1087
  • T1087.004
Created: 2026-07-15