Query Details

Token Theft - Refresh Token Replay from New Location

01 Token Theft Refresh Token Replay New Location

Query

AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| sort by UserPrincipalName asc, AppId asc, TimeGenerated asc
| extend PrevIP      = prev(IPAddress, 1)
| extend PrevCountry = prev(Location, 1)
| extend PrevTime    = prev(TimeGenerated, 1)
| extend PrevUser    = prev(UserPrincipalName, 1)
| extend PrevApp     = prev(AppId, 1)
| where UserPrincipalName == PrevUser
   and  AppId             == PrevApp
   and  IPAddress         != PrevIP
   and  Location          != PrevCountry
   and  (TimeGenerated - PrevTime) < 30m
| project
    TimeGenerated,
    PrevTokenTime    = PrevTime,
    UserPrincipalName,
    AppDisplayName,
    CurrentIP        = IPAddress,
    CurrentCountry   = Location,
    PreviousIP       = PrevIP,
    PreviousCountry  = PrevCountry,
    TimeBetweenTokens = (TimeGenerated - PrevTime),
    CorrelationId,
    UniqueTokenIdentifier
| order by TimeGenerated desc

Explanation

This query is designed to detect suspicious activity related to OAuth token refreshes, which could indicate a security breach. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies instances where the same user refreshes an OAuth token from a different IP address and country within a 30-minute window. This behavior is a strong indicator of potential token theft or a "pass-the-cookie" attack, where an attacker uses a stolen refresh token from a different location.

  2. Data Source: It uses logs from Azure Active Directory, specifically focusing on non-interactive user sign-ins.

  3. Detection Logic:

    • It looks at sign-in logs from the past hour.
    • It filters for successful sign-ins (ResultType == 0).
    • It checks for cases where the same user and application ID have different IP addresses and countries for consecutive token refreshes within 30 minutes.
  4. Output: The query outputs details such as the time of the token refresh, the user's name, the application used, the current and previous IP addresses and countries, and the time difference between the token refreshes.

  5. Alerting: If such activity is detected, it triggers an alert with a high severity level, indicating potential credential access or lateral movement tactics. The alert includes details about the user and the suspicious activity.

  6. Incident Management: The system is configured to create incidents based on these alerts, grouping them by user account for better incident management.

In summary, this query helps identify and alert on potential security incidents involving the misuse of OAuth tokens from different locations, which could signify unauthorized access attempts.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

AADNonInteractiveUserSignInLogsTimeGeneratedUserPrincipalNameAppIdIPAddressLocationAppDisplayNameCorrelationIdUniqueTokenIdentifierAccountIP

Operators

agowhere==sort byextendprev!=and<projectorder by

Severity

High

Tactics

CredentialAccessLateralMovement

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub