Full Report
rvrsh3ll // Introduction: This blog post is intended to give a light overview of device codes, access tokens, and refresh tokens. Here, I focus on the technical how-to for standing […] The post Dynamic Device Code Phishing appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: TokenTactics
## Overview
TokenTactics is a PowerShell module designed for offensive operations related to Azure Active Directory (Azure AD) and Microsoft 365 authentication mechanisms, specifically focusing on generating dynamic device codes and refreshing access tokens.
## Technical Details
- Type: Tool (PowerShell Module)
- Platform: Windows (PowerShell environment)
- Capabilities: Generating device codes for phishing, refreshing access tokens to different audiences (e.g., refreshing an MSGraph token to gain an Outlook token), and parsing JWT tokens.
- First Seen: Not explicitly stated, but discussed in the context of evolving device code phishing techniques.
## MITRE ATT&CK Mapping
The core functionality of TokenTactics relates to token manipulation and initial access after a phishing success.
- **TA0006 - Credential Access**
  - T1552.001 - Credentials from Web Browsers
  - T1552.003 - Credentials from Password Stores (indirectly, via harvested tokens)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (token manipulation can evade standard credential checks)
- **TA0010 - Exfiltration**
  - T1567.002 - Exfiltration Over Web Service (using harvested tokens to access and exfiltrate data from cloud services)
## Functionality
### Core Capabilities
- **Device Code Generation:** Generating the necessary codes used in device code phishing campaigns.
- **Token Refreshing:** The main feature is the ability to refresh existing access tokens to target different resource audiences (scopes/endpoints), such as refreshing an MSGraph token to obtain a token for the Outlook API.
- **Token Parsing:** Includes cmdlets (`Parse-JWTtoken`) to analyze harvested JSON Web Tokens (JWTs) to extract useful information like the associated username.
### Advanced Features
- **Audience Manipulation:** Lets an operator pivot or maintain access within a cloud environment by refreshing a token to a new service endpoint without the user re-authenticating through MFA (provided the initial device code flow bypassed or already satisfied MFA).
## Indicators of Compromise
This section focuses on the tool's usage output rather than standalone file indicators, as it is a PowerShell module used operationally.
- File Hashes: N/A (Module artifacts/specific deployment hashes are not provided)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (The tool facilitates network interaction via API calls once tokens are acquired)
- Behavioral Indicators: PowerShell execution importing and running cmdlets from the TokenTactics module. Receipt of `access_tokens` and `refresh_tokens` saved to logs (e.g., `TokenLog.log`).
## Associated Threat Actors
- Offensive operators performing post-compromise actions against Azure AD/Microsoft 365 in phishing engagements.
- Mentioned in connection with the developer Bobby Cooke (@0xBoku) and Stephan Borosh (implied developer/promoter).
## Detection Methods
Detection focuses on the overall phishing process rather than the tool execution itself on the C2 server.
- Signature-based detection: N/A (Specific signatures for the module's internal workings were not provided)
- Behavioral detection: Monitoring for PowerShell scripts initiating device code generation flows or making repeated, scripted calls to Azure AD/Microsoft identity endpoints using harvested tokens.
- YARA rules: N/A
## Mitigation Strategies
Mitigation is primarily focused on the initial device code phishing vector and subsequent token abuse.
- Prevention measures: Implement strict Azure AD Conditional Access policies, especially using location-based controls, to alert or block sign-ins from unexpected locations (the source IP of the device code generation will be logged).
- Hardening recommendations: Do not blindly trust device types reported (e.g., spoofable iPhone/Android reports); leverage Azure AD Identity Protection to investigate sign-in risks.
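As an added example that is not part of the post or the TokenTactics project, here is a small triage pass over constructed Entra ID (Azure AD) sign-in records that applies the detection and mitigation points above: it flags every completed device code sign-in, adds a reason when the source country is outside an allow list or is one the user has never signed in from through any other flow, and carries the client-reported OS along without trusting it. The record field names follow the Microsoft Graph `signIn` resource (`authenticationProtocol` value `deviceCode`); the records, IPs and the allow list are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like Entra ID (Azure AD) sign-in log entries:
# field names follow the Microsoft Graph signIn resource, values are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "none", "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "US"}, "deviceDetail": {"operatingSystem": "Windows10"}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "clientAppUsed": "Mobile Apps and Desktop clients",
     "location": {"countryOrRegion": "DE"}, "deviceDetail": {"operatingSystem": "Ios"}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.44",
     "authenticationProtocol": "deviceCode", "clientAppUsed": "Mobile Apps and Desktop clients",
     "location": {"countryOrRegion": "US"}, "deviceDetail": {"operatingSystem": "Android"}},
]


def country_of(record):
    return record.get("location", {}).get("countryOrRegion", "unknown")


def flag_device_code_signins(records, allowed_countries):
    """Report every completed device code sign-in with a list of reasons: the flow
    itself, a country outside the allow list, and a country the user has never
    signed in from through any other flow. The OS string is client-reported and
    therefore only carried along for the analyst, never used to suppress a hit."""
    baseline = defaultdict(set)  # user -> countries seen via non-device-code flows
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"]].add(country_of(r))
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn, country = r["userPrincipalName"], country_of(r)
        reasons = ["device code flow completed"]
        if country not in allowed_countries:
            reasons.append(f"country {country} not in allow list")
        if country not in baseline[upn]:
            reasons.append(f"no prior non-device-code sign-in from {country}")
        findings.append({"upn": upn, "ip": r["ipAddress"], "country": country,
                         "reported_os": r.get("deviceDetail", {}).get("operatingSystem"),
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(flag_device_code_signins(SAMPLE_SIGNINS, {"US"}), indent=2))
```

In a real tenant the same logic runs over records exported from the sign-in logs (for example via the Graph `auditLogs/signIns` endpoint), and the findings feed a Conditional Access review rather than an automatic block.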
## Related Tools/Techniques
- **Dynamic Device Code Phishing:** The primary technique enabled by TokenTactics.
- **BARK:** Mentioned as a tool (**BloodHoundAD/BARK**) used post-capture to enumerate Azure AD users using a harvested access token (`Get-AllAzureADUsers -Token`).
- **CORS-Anywhere:** Used as a proxy within the dynamic phishing framework to help render the device code flow in-browser for the victim.