Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
ITDLL Detection Logic (DL-041 - DL-080)
Identity Threat Detection Logic Library (ITDLL) entries DL-041 through DL-080 address mid-stage attack behaviors involving privileged access exploitation, OAuth abuse, token misuse, cross-cloud token replay, anomalous federation activity, and lateral movement via application or service principal identities. These 40 detection rules represent high-value security controls for privilege escalation, OAuth exploitation, and federation manipulation scenarios.
Detection Coverage Overview
Privilege Escalation
Detects unauthorized elevation of access rights through role assignments, admin activations, and privilege manipulation across identity systems.
OAuth Exploitation
Identifies malicious OAuth application usage, token abuse, scope manipulation, and consent bypass techniques employed by adversaries.
Token Replay Attacks
Captures token reuse across regions, cloud environments, and incompatible clients indicating credential theft and replay activity.
Federation Abuse
Monitors SAML, OIDC, and federation infrastructure for metadata tampering, claim injection, and protocol downgrade attacks.
Privileged Access Detection Rules
The following detections identify abnormal privileged access patterns, role assignments from unexpected sources, and sudden spikes in administrative activity that indicate potential compromise or insider threats.
DL-041: High-Sensitivity Access Spike
Detects sudden access attempts to high-sensitivity resources including executive mailboxes, financial systems, or classified data repositories. Baseline access patterns establish normal thresholds.
DL-042: Privileged Role Assignment from Unusual Source
Identifies privileged role assignments originating from unexpected administrators, geographic locations, or device types inconsistent with change management processes.
DL-043: Sudden Increase in Admin Role Activations
Detects spikes in Privileged Identity Management (PIM) role activations or standing admin role usage indicating escalation activity or compromised privileged accounts.
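The following is an added worked example, not part of ITDLL itself, showing how the baselines behind DL-042 and DL-043 can be computed over an audit log. The events, the actor and country allowlists, and the field names (ts, action, actor, role, country, device_type, target) are constructed for the example and do not reflect any vendor's log schema.

```python
# Added example, not part of the ITDLL page: baseline checks behind DL-042 and
# DL-043 run over a constructed audit log. Field names (ts, action, actor, role,
# country, device_type, target) are assumptions, not a vendor schema.
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_events():
    """Constructed data: ten quiet days of PIM activations, then a burst."""
    base = datetime(2026, 3, 2, 9, 0)
    events = []
    for day in range(10):                        # baseline: 2 or 3 activations per day
        for i in range(2 + day % 2):
            events.append({"ts": base + timedelta(days=day, hours=2 * i),
                           "action": "PIM_ACTIVATE", "actor": "admin1@corp.example",
                           "role": "Exchange Administrator", "country": "DE",
                           "device_type": "managed-laptop"})
    burst = base + timedelta(days=10, hours=22)  # 12 activations in 44 minutes
    for i in range(12):
        events.append({"ts": burst + timedelta(minutes=4 * i),
                       "action": "PIM_ACTIVATE", "actor": "svc-backup@corp.example",
                       "role": "Global Administrator", "country": "NL",
                       "device_type": "unknown"})
    events.append({"ts": burst + timedelta(minutes=50), "action": "ROLE_ASSIGN",
                   "actor": "svc-backup@corp.example", "target": "tmp-user@corp.example",
                   "role": "Global Administrator", "country": "NL", "device_type": "unknown"})
    return events


SAMPLE_EVENTS = build_sample_events()

# Change-management expectations (assumed for the example).
EXPECTED_ASSIGNERS = {"admin1@corp.example", "admin2@corp.example"}
EXPECTED_COUNTRIES = {"DE"}
EXPECTED_DEVICES = {"managed-laptop"}


def daily_activation_counts(events):
    """Activations per calendar day, the unit the DL-043 baseline is built on."""
    counts = Counter(e["ts"].date() for e in events if e["action"] == "PIM_ACTIVATE")
    return dict(sorted(counts.items()))


def detect_activation_spike(events, min_baseline_days=5, sigma=3.0, floor=5):
    """DL-043: a day is a spike when its count exceeds mean + sigma * stdev of all
    earlier days. `floor` stops alerts on tiny absolute counts when the baseline
    is nearly flat (mean 2.5, stdev 0.5 would otherwise fire on 5 activations)."""
    counts = daily_activation_counts(events)
    days = list(counts)
    findings = []
    for i, day in enumerate(days):
        history = [counts[d] for d in days[:i]]
        if len(history) < min_baseline_days:
            continue                             # not enough history to judge
        threshold = mean(history) + sigma * pstdev(history)
        if counts[day] > max(threshold, floor):
            findings.append({"rule": "DL-043", "day": day.isoformat(),
                             "count": counts[day], "threshold": round(threshold, 2)})
    return findings


def detect_unusual_role_assignment(events):
    """DL-042: a role assignment whose actor, country or device falls outside the
    change-management profile. All three dimensions are reported so the analyst
    sees whether it is one odd attribute or a wholly foreign source."""
    findings = []
    for e in events:
        if e["action"] != "ROLE_ASSIGN":
            continue
        reasons = []
        if e["actor"] not in EXPECTED_ASSIGNERS:
            reasons.append("actor")
        if e["country"] not in EXPECTED_COUNTRIES:
            reasons.append("country")
        if e["device_type"] not in EXPECTED_DEVICES:
            reasons.append("device")
        if reasons:
            findings.append({"rule": "DL-042", "actor": e["actor"], "target": e["target"],
                             "role": e["role"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_activation_spike(SAMPLE_EVENTS) + detect_unusual_role_assignment(SAMPLE_EVENTS):
        print(f)
```

The absolute floor matters in practice: a tenant with two or three activations a day has a standard deviation so small that a statistically "anomalous" day may be five activations, which is noise, not escalation.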
OAuth Lateral Movement & Persistence
DL-044: Lateral Movement Through OAuth Application
Identifies attackers leveraging OAuth applications to pivot across user accounts, mailboxes, or cloud services. Detects OAuth apps accessing resources beyond their legitimate scope or user base.
DL-045: OAuth Application Used as Persistence Mechanism
Detects malicious OAuth applications granting long-term persistence through high-privilege consent permissions that survive password resets and MFA enforcement.
DL-046: Excessive OAuth Token Refresh Activity
Identifies high-volume refresh token activity indicating automated token abuse, credential harvesting, or bot-driven enumeration of cloud resources.
DL-047: OAuth Token Replay Across Multiple Regions
Detects refresh tokens reused from geographically disparate locations within impossible travel timeframes, indicating token theft and replay attacks.
OAuth Scope & Consent Abuse
DL-048: Sudden OAuth Scope Expansion
Detects OAuth applications requesting new high-privilege scopes (Mail.ReadWrite, Files.ReadWrite.All) unexpectedly, particularly after initial low-privilege consent was granted.
DL-049: OAuth Consent Granted Outside Expected Pattern
Identifies consent activity inconsistent with normal user behavior including consent during off-hours, from unusual devices, or to applications with suspicious characteristics.
DL-050: Mass OAuth Application Enrollment
Detects multiple users consenting to the same OAuth application within compressed timeframes, indicating phishing campaigns or consent social engineering attacks.
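The following is an added worked example, not part of ITDLL, covering the consent-side rules in this group (DL-048 scope expansion, DL-050 mass enrollment) together with DL-044 from the previous group, since all three correlate the same consent-grant log. The two event lists, the app identifiers, the "high privilege" scope set (a policy choice; the permission names themselves are real Microsoft Graph permissions) and the field names are constructed for the example.

```python
# Added example, not part of the ITDLL page: consent-grant and app-access
# correlation behind DL-044, DL-048 and DL-050, run over constructed events.
# Field names and the two-log layout are assumptions, not a vendor schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Graph permission names are real; treating these as "high privilege" is a policy choice.
HIGH_PRIVILEGE_SCOPES = {"Mail.ReadWrite", "Mail.Read", "Files.ReadWrite.All",
                         "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory"}

T0 = datetime(2026, 4, 1, 10, 0)

# Constructed delegated-consent events: app-A starts small and later asks for mail
# access; app-B collects four consents in seven minutes; app-C is routine.
CONSENT_EVENTS = [
    {"ts": T0, "app_id": "app-A", "user": "alice", "scopes": {"User.Read", "offline_access"}},
    {"ts": T0 + timedelta(minutes=5), "app_id": "app-A", "user": "alice",
     "scopes": {"User.Read", "offline_access", "Mail.ReadWrite"}},
    {"ts": T0 + timedelta(hours=4), "app_id": "app-B", "user": "bob", "scopes": {"Mail.Read", "offline_access"}},
    {"ts": T0 + timedelta(hours=4, minutes=2), "app_id": "app-B", "user": "carol", "scopes": {"Mail.Read", "offline_access"}},
    {"ts": T0 + timedelta(hours=4, minutes=3), "app_id": "app-B", "user": "dave", "scopes": {"Mail.Read", "offline_access"}},
    {"ts": T0 + timedelta(hours=4, minutes=7), "app_id": "app-B", "user": "erin", "scopes": {"Mail.Read", "offline_access"}},
    {"ts": T0 + timedelta(days=1), "app_id": "app-C", "user": "frank", "scopes": {"User.Read"}},
]

# Constructed resource-access events: which user's data each app touched.
ACCESS_EVENTS = [
    {"ts": T0 + timedelta(hours=5), "app_id": "app-B", "resource_owner": "bob", "resource": "mailbox"},
    {"ts": T0 + timedelta(hours=5, minutes=1), "app_id": "app-B", "resource_owner": "zed", "resource": "mailbox"},
    {"ts": T0 + timedelta(days=1, hours=1), "app_id": "app-C", "resource_owner": "frank", "resource": "profile"},
]


def detect_scope_expansion(consents):
    """DL-048: an app that already holds consent later gains high-privilege scopes
    it never had before. The very first consent is excluded; later creep is not."""
    seen = defaultdict(set)
    findings = []
    for e in sorted(consents, key=lambda e: e["ts"]):
        prior = seen[e["app_id"]]
        new_high = (e["scopes"] - prior) & HIGH_PRIVILEGE_SCOPES
        if prior and new_high:
            findings.append({"rule": "DL-048", "app_id": e["app_id"], "user": e["user"],
                             "added_scopes": sorted(new_high)})
        prior |= e["scopes"]                      # in-place update of the per-app set
    return findings


def detect_mass_enrollment(consents, window=timedelta(minutes=15), min_users=4):
    """DL-050: `min_users` distinct users consent to the same app inside `window`.
    One finding per app, anchored at the first window that crosses the threshold."""
    by_app = defaultdict(list)
    for e in sorted(consents, key=lambda e: e["ts"]):
        by_app[e["app_id"]].append(e)
    findings = []
    for app_id, evs in by_app.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] < window}
            if len(users) >= min_users:
                findings.append({"rule": "DL-050", "app_id": app_id, "users": len(users),
                                 "window_start": start["ts"].isoformat()})
                break
    return findings


def detect_access_beyond_consent(consents, accesses):
    """DL-044: a delegated app touching data of a user who never consented to it.
    Only meaningful for delegated permissions; app-only permissions are tenant-wide
    by design and need a different baseline (expected mailbox set, volume)."""
    consented = {(e["app_id"], e["user"]) for e in consents}
    return [{"rule": "DL-044", "app_id": a["app_id"], "resource_owner": a["resource_owner"],
             "resource": a["resource"]}
            for a in accesses if (a["app_id"], a["resource_owner"]) not in consented]


if __name__ == "__main__":
    print(detect_scope_expansion(CONSENT_EVENTS))
    print(detect_mass_enrollment(CONSENT_EVENTS))
    print(detect_access_beyond_consent(CONSENT_EVENTS, ACCESS_EVENTS))
```

Note that the mass-enrollment window and user count are tuning knobs: a legitimate rollout of a new line-of-business app also produces many consents in a short time, so the finding should be enriched with the app's publisher and verification status before it is promoted to an alert.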
Token Replay Detection Strategies
Token replay attacks involve adversaries stealing and reusing authentication tokens across incompatible contexts to bypass authentication controls. These detections identify token misuse patterns.
DL-051: OAuth Token Use from Incompatible Client
Detects token use from client types not associated with original issuance—mobile tokens used from browsers or desktop tokens from APIs.
DL-052: Token Replay Through Cloud Automation
Identifies automated infrastructure (Lambda, Azure Functions, GitHub Actions) replaying previously issued tokens in abnormal execution contexts.
DL-053: Token Replay Across Cloud Environments
Detects tokens used inconsistently across AWS, Azure, and GCP environments indicating cross-cloud credential theft operations.
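The following is an added worked example, not part of ITDLL, showing the server-side bookkeeping that makes these replay rules detectable at all: refresh-token rotation with reuse detection (the pattern behind DL-046 and DL-047, where a rotated token presented a second time can only come from a second holder), plus binding each token family to the client type and cloud it was issued for (DL-051, DL-053). The tracker, its compatibility policy and the scenario are constructed for the example; a production implementation would keep the same state in a shared store rather than in memory.

```python
# Added example, not part of the ITDLL page: a refresh-token tracker that
# implements rotation with reuse detection and binds each token family to the
# client type and cloud it was issued for (DL-046/DL-047 reuse, DL-051 client
# mismatch, DL-053 cross-cloud use). The store and its field names are assumptions.
import secrets
from dataclasses import dataclass

# Which observed client types may legitimately present a token issued to a given
# client type (assumed policy). A daemon's token may arrive via a generic API client.
COMPATIBLE_CLIENTS = {
    "mobile": {"mobile"},
    "browser": {"browser"},
    "desktop": {"desktop"},
    "daemon": {"daemon", "api-client"},
}


@dataclass
class TokenRecord:
    jti: str
    family: str            # all tokens descended from one initial grant share a family
    sub: str
    client_type: str
    cloud: str
    rotated: bool = False  # True once this token has been exchanged for a successor


class RefreshTokenTracker:
    def __init__(self):
        self.tokens = {}
        self.revoked_families = set()
        self.findings = []

    def issue(self, sub, client_type, cloud, family=None):
        jti = secrets.token_hex(8)
        self.tokens[jti] = TokenRecord(jti, family or secrets.token_hex(8), sub, client_type, cloud)
        return jti

    def refresh(self, jti, client_type, cloud):
        """Exchange `jti` for a successor; return the new jti, or None when refused."""
        rec = self.tokens.get(jti)
        if rec is None:
            self.findings.append({"rule": "unknown-jti", "jti": jti})
            return None
        if rec.family in self.revoked_families:
            self.findings.append({"rule": "revoked-family", "sub": rec.sub})
            return None
        if rec.rotated:
            # A token that was already exchanged is being presented again: only a
            # second holder can do that, so the whole family is revoked (DL-046/DL-047).
            self.revoked_families.add(rec.family)
            self.findings.append({"rule": "DL-046/047", "sub": rec.sub, "client_type": client_type})
            return None
        if client_type not in COMPATIBLE_CLIENTS[rec.client_type]:
            self.findings.append({"rule": "DL-051", "sub": rec.sub,
                                  "issued_to": rec.client_type, "used_from": client_type})
            return None
        if cloud != rec.cloud:
            self.findings.append({"rule": "DL-053", "sub": rec.sub,
                                  "issued_in": rec.cloud, "used_in": cloud})
            return None
        rec.rotated = True
        return self.issue(rec.sub, rec.client_type, rec.cloud, family=rec.family)


def run_scenario():
    """Constructed sequence: one stolen mobile token, one desktop token driven
    from an API client, one AWS-issued daemon token presented from GCP."""
    t = RefreshTokenTracker()
    rt1 = t.issue("alice", "mobile", "azure")
    rt1b = t.refresh(rt1, "mobile", "azure")      # legitimate rotation
    t.refresh(rt1, "browser", "azure")            # attacker replays the old token
    t.refresh(rt1b, "mobile", "azure")            # victim's next refresh is now refused
    rt2 = t.issue("bob", "desktop", "azure")
    t.refresh(rt2, "api-client", "azure")         # DL-051: desktop token from an API client
    rt3 = t.issue("ci-runner", "daemon", "aws")
    t.refresh(rt3, "api-client", "gcp")           # DL-053: compatible client, wrong cloud
    return t.findings


if __name__ == "__main__":
    for f in run_scenario():
        print(f)
```

The reuse check runs before the client and cloud checks on purpose: a replayed token is the stronger signal, and revoking the family locks out both the attacker and the victim, which is the intended outcome once theft is evident.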
Federation & SAML Threat Detection
DL-055: Federation Metadata Tampering
Detects abnormal federation metadata pulls, modifications to IdP certificates, or changes to trust relationships enabling Golden SAML attacks.
DL-056: Federation Token Issuance at Unusual Times
Identifies federation token generation outside normal business hours, holidays, or maintenance windows indicating compromised federation infrastructure.
DL-057: Federation Reply URLs Not Matching Patterns
Detects anomalies in reply URLs used during federation authentication including typosquatting domains or unexpected redirect destinations.
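The following is an added worked example, not part of ITDLL, of the screening DL-057 implies: a reply URL is either an exact registered match or it is classified by which trick it most resembles (userinfo spoofing, scheme downgrade, unregistered path, foreign subdomain, registered name embedded in another domain, or a one- or two-character lookalike). The registered URLs, the verdict labels and the edit-distance cut-off are assumptions for the example.

```python
# Added example, not part of the ITDLL page: reply-URL screening behind DL-057.
# The registered set, the verdict labels and the edit-distance cut-off are assumptions.
from urllib.parse import urlsplit

REGISTERED_REPLY_URLS = {
    "https://login.corp.example/saml/acs",
    "https://app.corp.example/oidc/callback",
}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalike hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_reply_url(url, registered=REGISTERED_REPLY_URLS):
    """Return ("ok", None) for an exact registered match, else ("DL-057", reason).
    Checks run from most to least specific so the reason names the closest trick.
    Exact matching is the control; everything after it only explains the miss."""
    if url in registered:
        return ("ok", None)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    registered_hosts = sorted({urlsplit(u).hostname.lower() for u in registered})
    if parts.username is not None:
        # https://login.corp.example@evil.example/... : the real destination is evil.example
        return ("DL-057", "userinfo before host: real destination is " + host)
    if host in registered_hosts:
        if parts.scheme != "https":
            return ("DL-057", "scheme downgrade on registered host")
        return ("DL-057", "registered host, unregistered path or query")
    for rh in registered_hosts:
        if host.endswith("." + rh):
            return ("DL-057", "unregistered subdomain of " + rh)
        if rh in host:
            return ("DL-057", "registered host name embedded in foreign host " + host)
        if edit_distance(host, rh) <= 2:
            return ("DL-057", "lookalike of " + rh)
    return ("DL-057", "unknown reply URL")


if __name__ == "__main__":
    for u in ("https://login.corp.example/saml/acs",
              "http://login.corp.example/saml/acs",
              "https://login.corp.example@evil.example/saml/acs",
              "https://login.c0rp.example/saml/acs",
              "https://login.corp.example.evil.example/saml/acs"):
        print(u, classify_reply_url(u))
```

The reasons are for triage, not for enforcement: the relying party should reject anything that is not an exact match, and the detection value lies in which near-miss category an attacker tried.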
SAML & OIDC Issuance Anomalies
DL-058: Unusual SAML Assertion Activity
Detects abnormal spikes in SAML assertion generation volume, indicating automated token forging or compromised SAML signing keys.
DL-059: Sudden Increase in OIDC Token Issuance
Identifies abnormal spikes in OpenID Connect token issuance. Because a token is only minted after a successful authentication, an issuance spike points to scripted sign-ins with harvested credentials, stolen refresh tokens, or a compromised client; it is distinct from brute force, which surfaces as failed sign-ins rather than issued tokens.
DL-060: Token Issuance Behavior Not Matching User Profile
Detects token issuance inconsistent with historical user patterns including unusual token types, lifetimes, or claim configurations.

DL-061: External Actor Attempting to Inject OAuth Scopes
Identifies malicious manipulation of OAuth scope parameters during authorization flows to request elevated permissions beyond application design.
DL-062: Sudden Change in Token Lifetime Settings
Detects configuration changes to token lifetime policies enabling longer-lived tokens that increase attacker dwell time post-compromise.
OAuth Attack Pattern Recognition
Advanced OAuth attack patterns require behavioral analysis across multiple dimensions including device characteristics, geographic distribution, and protocol flow manipulation.
DL-063: MITM Indicators in OAuth Flow
Detects replay or manipulation indicative of OAuth man-in-the-middle attacks including authorization code interception or state parameter tampering.
DL-064: Suspicious Refresh Token Use From Multiple Devices
Identifies refresh tokens used simultaneously across incompatible devices (mobile, desktop, server) within impossible geographic distances.
DL-065: OAuth Device Code Abuse Pattern
Detects malicious use of OAuth device code flow for phishing attacks where victims authenticate on behalf of attacker-controlled devices.
DL-066: OAuth Token Acquisition from Compromised Device
Identifies token issuance tied to device signatures exhibiting compromise indicators including malware, debugger presence, or jailbreak detection.
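The following is an added worked example, not part of ITDLL, implementing the geographic correlation that DL-064 here and DL-047 above both depend on: consecutive uses of the same refresh token are compared by great-circle distance and implied speed, and a device-class change across an impossible distance is reported as the DL-064 case. The token-use log, the coordinates (standing in for an IP-geolocation step), the speed ceiling and the jitter floor are assumptions for the example.

```python
# Added example, not part of the ITDLL page: refresh-token use correlated across
# location and device (DL-047 impossible travel, DL-064 incompatible devices).
# Coordinates come from an assumed IP-geolocation step; the speed limit is a policy choice.
import math
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


# Constructed refresh-token use log: rt-1 is used in Berlin, then 30 minutes later
# from San Francisco on a different device class; rt-2 moves London -> Paris in 3 h.
T0 = datetime(2026, 5, 1, 9, 0)
TOKEN_USES = [
    {"token": "rt-1", "ts": T0, "lat": 52.520, "lon": 13.405, "device": "desktop"},
    {"token": "rt-1", "ts": T0 + timedelta(minutes=30), "lat": 52.500, "lon": 13.400, "device": "desktop"},
    {"token": "rt-1", "ts": T0 + timedelta(minutes=60), "lat": 37.775, "lon": -122.419, "device": "mobile"},
    {"token": "rt-2", "ts": T0, "lat": 51.507, "lon": -0.128, "device": "mobile"},
    {"token": "rt-2", "ts": T0 + timedelta(hours=3), "lat": 48.857, "lon": 2.352, "device": "mobile"},
]


def detect_token_travel(uses, max_kmh=900.0, min_km=100.0):
    """Compare each use of a token with the previous use of the same token.
    DL-047: implied speed above `max_kmh` (an airliner cruises near 900 km/h);
    `min_km` ignores geolocation jitter inside one city. DL-064: the same token
    is also switching device class across that impossible distance."""
    last = {}
    findings = []
    for u in sorted(uses, key=lambda u: (u["token"], u["ts"])):
        prev = last.get(u["token"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], u["lat"], u["lon"])
            hours = (u["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            rules = []
            if km >= min_km and speed > max_kmh:
                rules.append("DL-047")
                if u["device"] != prev["device"]:
                    rules.append("DL-064")
            if rules:
                findings.append({"rules": rules, "token": u["token"], "km": round(km),
                                 "kmh": round(speed), "from_device": prev["device"],
                                 "to_device": u["device"]})
        last[u["token"]] = u
    return findings


if __name__ == "__main__":
    for f in detect_token_travel(TOKEN_USES):
        print(f)
```

Two caveats a practitioner would add: VPN egress and mobile carrier NAT routinely place a user hundreds of kilometres from where they sit, so the speed ceiling should be paired with known-VPN and known-corporate egress lists, and a zero time delta (two uses in the same second) must be treated as infinite speed rather than a division error.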
Federation Infrastructure Attacks
DL-067: Federation Certificate Misuse
Detects unauthorized use of certificates associated with federation trust relationships including expired certificate usage or certificate chain violations.
DL-068: Unauthorized Modification of Federation Settings
Identifies unexpected changes to federation configuration including trust relationships, claim mappings, or identity provider endpoints.
DL-069: Lateral Movement Through Federation Claims
Detects attackers abusing SAML or OIDC claims to escalate privileges, bypass access controls, or impersonate high-value accounts.
DL-070: Sudden Federation Protocol Downgrade
Identifies forced downgrades to weaker or legacy federation protocols and flows (for example SAML 1.1 in place of SAML 2.0, or the deprecated OAuth implicit flow in place of the authorization code flow) enabling cryptographic attacks or security control bypass.
DL-071: Identity Provider Claim Injection Behavior
Detects unexpected or malicious injection of IdP claims including role claims, group memberships, or entitlement attributes during token issuance.
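The following is an added worked example, not part of ITDLL, of the claim validation behind DL-069 and DL-071 (with the issuer check from DL-068): a SAML 2.0 assertion is parsed, its group and role attributes are compared with a directory of record, and any value the subject does not actually hold is reported as injected, additionally as privilege escalation when the value is a privileged one. The assertion, the directory, the claim URIs and the privileged-value set are constructed for the example; assertion signature verification is assumed to have already happened upstream.

```python
# Added example, not part of the ITDLL page: claim validation of a SAML assertion
# against a directory of record (DL-069 privilege via claims, DL-071 claim injection,
# plus an issuer check for DL-068). The assertion, directory and claim URIs below
# are constructed; signature verification is assumed to have happened upstream.
import xml.etree.ElementTree as ET  # for untrusted input in production use defusedxml instead

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

EXPECTED_ISSUERS = {"https://idp.corp.example/saml"}
PRIVILEGED_VALUES = {"tenant-admins", "GlobalAdmin"}

# Directory of record (assumed): what each subject actually holds.
DIRECTORY = {
    "alice@corp.example": {"groups": {"eng-developers"}, "roles": set()},
    "admin1@corp.example": {"groups": {"tenant-admins"}, "roles": {"GlobalAdmin"}},
}

# Constructed assertion: alice's real group plus two injected groups and an injected role.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2026-06-01T08:00:00Z">
  <saml:Issuer>https://idp.corp.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>eng-developers</saml:AttributeValue>
      <saml:AttributeValue>tenant-admins</saml:AttributeValue>
      <saml:AttributeValue>finance-readers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>GlobalAdmin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract issuer, subject NameID and every multi-valued attribute claim."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    claims = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return {"issuer": issuer, "subject": subject, "claims": claims}


def validate_claims(parsed, directory=DIRECTORY):
    """Compare asserted groups/roles with the directory. Each finding carries a
    list of rules: DL-071 for any value the subject does not hold, plus DL-069
    when that value is privileged (lateral movement / escalation via claims)."""
    findings = []
    if parsed["issuer"] not in EXPECTED_ISSUERS:
        findings.append({"rules": ["DL-068"], "detail": "unexpected issuer " + parsed["issuer"]})
    record = directory.get(parsed["subject"])
    if record is None:
        findings.append({"rules": ["DL-069"], "detail": "subject not in directory: " + parsed["subject"]})
        return findings
    for claim, key in ((GROUPS_CLAIM, "groups"), (ROLE_CLAIM, "roles")):
        for value in parsed["claims"].get(claim, []):
            if value in record[key]:
                continue
            rules = ["DL-071"] + (["DL-069"] if value in PRIVILEGED_VALUES else [])
            findings.append({"rules": rules, "claim": key, "value": value, "subject": parsed["subject"]})
    return findings


if __name__ == "__main__":
    for f in validate_claims(parse_assertion(SAMPLE_ASSERTION)):
        print(f)
```

This check is only as good as the directory it compares against; in a Golden SAML scenario the IdP's signing key is compromised, so the assertion verifies cleanly and the claim-versus-directory comparison is the control that still has a chance of firing.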
Service Principal & Machine Identity Threats
Service principals and machine identities represent high-value targets due to their elevated privileges and often insufficient monitoring. These detections address non-human identity abuse.
DL-072: Global Admin Role Assigned Through OAuth Application
Detects privilege escalation via OAuth application role assignments granting Global Administrator or equivalent permissions enabling tenant-wide compromise.
DL-073: Service Principal Authenticating from Unusual Source
Identifies service principal authentication from abnormal networks, geographic locations, or device types inconsistent with deployment architecture.
DL-074: Service Principal Token Replay Across Tenants
Detects service principal tokens reused in cross-tenant attacks exploiting multi-tenant application configurations or stolen credentials.
DL-075: Service Principal Activity Outside Expected Hours
Identifies service principal behavior inconsistent with automation schedules, batch processing windows, or planned maintenance activities.
Machine Identity Attack Patterns
DL-076: Large-Scale Machine Identity Activation
Detects machine identities suddenly becoming active in bulk, indicating compromised automation infrastructure or bot army deployment for cloud resource abuse.
DL-077: Privilege Escalation Via Machine Identity
Identifies attackers leveraging compromised machine identities to escalate privileges through role assignments, policy modifications, or infrastructure access.
DL-078: Machine Identity Token Replay
Detects replay of machine-issued tokens across incompatible execution contexts, workloads, or cloud environments indicating credential theft.
DL-079: Machine Identity Access From Suspicious Geography
Identifies machine identity usage from unexpected geographic regions inconsistent with infrastructure deployment locations or cloud region configurations.
DL-080: Machine Identity Access Not Matching Workload Pattern
Detects machine identity behavior inconsistent with established workload baselines including resource access patterns, API call volumes, or operational schedules.
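The following is an added worked example, not part of ITDLL, showing one per-identity baseline profile that serves the source, schedule, region and workload rules of both of the preceding groups (DL-073, DL-075, DL-079 and DL-080): each activity event is scored against the identity's allowed networks, operating window, regions and operation set, and hourly call volume is checked after the pass. The profile, the event log and all field names are constructed for the example; in practice the profile would be learned from the identity's own history rather than written by hand.

```python
# Added example, not part of the ITDLL page: per-service-principal baselines for
# DL-073 (source network), DL-075 (schedule), DL-079 (region) and DL-080 (operation
# mix and call volume), evaluated over constructed activity events. Profile fields
# and event fields are assumptions, not a vendor schema.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Baseline profile per service principal (assumed; normally learned from history).
PROFILES = {
    "sp-backup": {
        "cidrs": ["10.20.0.0/16"],                # build agents' subnet
        "hours_utc": (1, 4),                      # nightly batch window, 01:00-03:59 UTC
        "regions": {"westeurope"},
        "operations": {"Storage.Blob.Read", "Storage.Blob.Write"},
        "max_calls_per_hour": 200,
    },
}

T0 = datetime(2026, 7, 6, 2, 0)


def build_events():
    """Constructed activity: a normal night, one foreign afternoon sign-in doing role
    work, and a second night where the same identity is forty times busier."""
    normal = {"sp": "sp-backup", "ip": "10.20.3.4", "region": "westeurope",
              "operation": "Storage.Blob.Read"}
    events = [dict(normal, ts=T0 + timedelta(minutes=10 * i)) for i in range(6)]
    events.append({"sp": "sp-backup", "ts": T0 + timedelta(hours=12), "ip": "198.51.100.7",
                   "region": "brazilsouth", "operation": "RoleAssignments.Write"})
    events += [dict(normal, ts=T0 + timedelta(days=1, seconds=10 * i)) for i in range(250)]
    return events


def in_allowed_network(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def evaluate_sp_events(events, profiles=PROFILES):
    """Score every event against its identity's profile, then check hourly volume."""
    findings = []
    calls = defaultdict(int)
    for e in sorted(events, key=lambda e: e["ts"]):
        p = profiles.get(e["sp"])
        if p is None:
            findings.append({"sp": e["sp"], "ts": e["ts"].isoformat(), "rules": ["no-baseline"]})
            continue
        rules = []
        if not in_allowed_network(e["ip"], p["cidrs"]):
            rules.append("DL-073")
        start, end = p["hours_utc"]
        if not start <= e["ts"].hour < end:
            rules.append("DL-075")
        if e["region"] not in p["regions"]:
            rules.append("DL-079")
        if e["operation"] not in p["operations"]:
            rules.append("DL-080")
        calls[(e["sp"], e["ts"].replace(minute=0, second=0, microsecond=0))] += 1
        if rules:
            findings.append({"sp": e["sp"], "ts": e["ts"].isoformat(), "ip": e["ip"],
                             "operation": e["operation"], "rules": rules})
    for (sp, hour), n in sorted(calls.items()):
        if n > profiles[sp]["max_calls_per_hour"]:
            findings.append({"sp": sp, "ts": hour.isoformat(), "calls": n, "rules": ["DL-080"]})
    return findings


if __name__ == "__main__":
    for f in evaluate_sp_events(build_events()):
        print(f)
```

An identity with no profile at all is itself worth a finding: a service principal that has never been seen before and is suddenly active is exactly the DL-076 bulk-activation case when it happens for many identities at once.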