Query Details

13 ADFS Stale Token After Password Change

Query

id: a3b4c5d6-e7f8-4a9b-0c1d-2e3f4a5b6c7d
name: ADFS Stale Token Use After Password Change or Reset
version: 1.0.0
kind: Scheduled
description: |
  Detects ADFS-issued tokens being generated for a user after their password was recently
  changed or reset in Azure AD. When an attacker holds a cloned ADFS token signing certificate
  (Golden SAML) or a persisted session cookie, password resets do not invalidate their access;
  ADFS continues issuing tokens because it doesn't check password freshness at the federation
  layer. This query correlates AuditLogs password change/reset events with subsequent
  ADFSSignInLogs activity to surface this persistence mechanism.
  MITRE ATT&CK: T1606 (Forge Web Credentials), T1078 (Valid Accounts), T1550 (Use Alternate Authentication Material)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
      - AuditLogs
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - Persistence
  - DefenseEvasion
relevantTechniques:
  - T1606
  - T1078
  - T1550
query: |
  let PasswordChanges =
      AuditLogs
      | where TimeGenerated > ago(1d)
      | where OperationName has_any (
          "Reset password", "Change password", "Update user",
          "User changed password",
          "Admin updated user authentication method",
          "Update Authentication Method",
          "Delete Authentication Method"
        )
      | extend UPN = tostring(TargetResources[0].userPrincipalName)
      | where isnotempty(UPN)
      | summarize ChangeTime = max(TimeGenerated) by UPN;
  ADFSSignInLogs
  | where TimeGenerated > ago(1d)
  | where ResultType == 0
  | join kind=inner PasswordChanges on $left.UserPrincipalName == $right.UPN
  | where TimeGenerated > ChangeTime
  | summarize
      TokensAfterChange = count(),
      IPs               = make_set(IPAddress),
      Countries         = make_set(Location),
      Apps              = make_set(AppDisplayName),
      Protocols         = make_set(AuthenticationRequirement),
      LastSeen          = max(TimeGenerated),
      FirstTokenAfter   = min(TimeGenerated)
    by UserPrincipalName, ChangeTime
  | order by TokensAfterChange desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
customDetails:
  TokensAfterChange: TokensAfterChange
  ChangeTime: ChangeTime
alertDetailsOverride:
  alertDisplayNameFormat: "ADFS Stale Token Alert - {{UserPrincipalName}} active after password change"
  alertDescriptionFormat: "User {{UserPrincipalName}} had a credential change at {{ChangeTime}} but ADFS issued {{TokensAfterChange}} tokens afterward. Possible Golden SAML persistence."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT12H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect a security issue where tokens are issued by Active Directory Federation Services (ADFS) for a user even after their password has been changed or reset in Azure Active Directory (Azure AD). This situation can occur if an attacker has a cloned ADFS token signing certificate or a session cookie, allowing them to maintain access despite a password change.

Here's a simple breakdown of what the query does:

  1. Collect Password Changes: It first gathers password change and reset events (and related authentication-method updates) from the last day in the Azure AD audit logs, reads the target user's UPN from each event, and keeps only the most recent change time per user.

  2. Check ADFS Sign-Ins: It then reads successful ADFS sign-ins (ResultType 0) for the same period to see whether any tokens were issued to these users after that change time.

  3. Correlate Data: The query correlates the password change events with subsequent ADFS sign-in activities to identify cases where tokens were issued after a password change.

  4. Alert on Suspicious Activity: If tokens are issued after a password change, it raises an alert, indicating potential misuse of credentials, possibly due to a "Golden SAML" attack where an attacker uses a forged token.

  5. Details and Severity: The alert includes details like the number of tokens issued, IP addresses, locations, applications accessed, and the protocols used. The severity of this alert is marked as high due to the potential security risk.

  6. Incident Management: The query is set to create incidents for detected cases, allowing security teams to investigate and respond to these potential security breaches.

Overall, this query helps in identifying and alerting on potential security threats related to unauthorized access through stale tokens in an ADFS environment.
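To make the correlation in steps 1 to 3 concrete, the following Python is an added example (not the page's query nor the author's code) that replays the same logic over a handful of constructed AuditLogs and ADFSSignInLogs rows: latest credential change per UPN, inner join on UPN, keep only successful tokens issued strictly after the change, then aggregate the same columns the KQL `summarize` produces. It assumes the hypothetical `contoso.example` users and IPs embedded below, and approximates KQL `has_any` with a case-insensitive substring match.

```python
from datetime import datetime, timedelta, timezone

# Operation names copied from the rule's has_any list.
PASSWORD_OPERATIONS = [
    "Reset password", "Change password", "Update user",
    "User changed password",
    "Admin updated user authentication method",
    "Update Authentication Method",
    "Delete Authentication Method",
]

# Constructed sample data (not real telemetry). T0 is an arbitrary reference time.
T0 = datetime(2026, 3, 24, 9, 0, tzinfo=timezone.utc)
ALICE, BOB, CAROL = ("alice@contoso.example", "bob@contoso.example", "carol@contoso.example")


def audit(t, op, upn=None):
    """Build a minimal AuditLogs row; upn=None mimics an event with no target UPN."""
    target = {"userPrincipalName": upn} if upn else {}
    return {"TimeGenerated": t, "OperationName": op, "TargetResources": [target]}


def signin(t, upn, ip, result=0, loc="US", app="Office 365", auth="singleFactorAuthentication"):
    """Build a minimal ADFSSignInLogs row with the columns the rule aggregates."""
    return {"TimeGenerated": t, "ResultType": result, "UserPrincipalName": upn, "IPAddress": ip,
            "Location": loc, "AppDisplayName": app, "AuthenticationRequirement": auth}


AUDIT_LOGS = [
    audit(T0, "Reset password", ALICE),                          # older change
    audit(T0 + timedelta(hours=2), "Change password", ALICE),    # latest change -> ChangeTime
    audit(T0 + timedelta(hours=1), "Reset password", BOB),
    audit(T0, "Add member to group", CAROL),                     # not a credential change
    audit(T0, "Reset password"),                                 # no UPN -> dropped by isnotempty
]

ADFS_SIGNIN_LOGS = [
    signin(T0 + timedelta(hours=1), ALICE, "203.0.113.10"),                  # before change: ignored
    signin(T0 + timedelta(hours=3), ALICE, "203.0.113.10"),                  # after change: counted
    signin(T0 + timedelta(hours=5), ALICE, "198.51.100.7", loc="DE"),        # after change: counted
    signin(T0 + timedelta(hours=2), BOB, "203.0.113.20", result=50126),      # failed: ResultType != 0
    signin(T0 + timedelta(hours=2), CAROL, "203.0.113.30"),                  # no change event: join drops
]


def matches_operation(op):
    """Approximation of KQL has_any over the operation-name list (case-insensitive)."""
    return any(term.lower() in op.lower() for term in PASSWORD_OPERATIONS)


def password_changes(audit_logs, now, lookback=timedelta(days=1)):
    """Step 1: latest credential-change time per UPN (the PasswordChanges let-statement)."""
    latest = {}
    for row in audit_logs:
        if row["TimeGenerated"] <= now - lookback or not matches_operation(row["OperationName"]):
            continue
        targets = row["TargetResources"]
        upn = targets[0].get("userPrincipalName", "") if targets else ""
        if not upn:
            continue
        if upn not in latest or row["TimeGenerated"] > latest[upn]:
            latest[upn] = row["TimeGenerated"]
    return latest


def stale_tokens(signin_logs, changes, now, lookback=timedelta(days=1)):
    """Steps 2-3: successful ADFS tokens issued strictly after the user's latest change."""
    results = {}
    for row in signin_logs:
        if row["TimeGenerated"] <= now - lookback or row["ResultType"] != 0:
            continue
        change_time = changes.get(row["UserPrincipalName"])   # inner join on UPN
        if change_time is None or row["TimeGenerated"] <= change_time:
            continue
        key = (row["UserPrincipalName"], change_time)
        agg = results.setdefault(key, {"TokensAfterChange": 0, "IPs": set(), "Countries": set(),
                                       "Apps": set(), "Protocols": set(),
                                       "LastSeen": row["TimeGenerated"],
                                       "FirstTokenAfter": row["TimeGenerated"]})
        agg["TokensAfterChange"] += 1
        agg["IPs"].add(row["IPAddress"])
        agg["Countries"].add(row["Location"])
        agg["Apps"].add(row["AppDisplayName"])
        agg["Protocols"].add(row["AuthenticationRequirement"])
        agg["LastSeen"] = max(agg["LastSeen"], row["TimeGenerated"])
        agg["FirstTokenAfter"] = min(agg["FirstTokenAfter"], row["TimeGenerated"])
    rows = [{"UserPrincipalName": u, "ChangeTime": c, **a} for (u, c), a in results.items()]
    return sorted(rows, key=lambda r: r["TokensAfterChange"], reverse=True)   # order by ... desc


def run_rule(audit_logs=AUDIT_LOGS, signin_logs=ADFS_SIGNIN_LOGS, now=T0 + timedelta(hours=6)):
    """Whole rule: one result row per (user, ChangeTime) with tokens issued after the change."""
    return stale_tokens(signin_logs, password_changes(audit_logs, now), now)


if __name__ == "__main__":
    for r in run_rule():
        print(r["UserPrincipalName"], r["ChangeTime"], r["TokensAfterChange"], sorted(r["IPs"]))
```

Running it yields a single row for the alice account: two tokens after the 11:00 change, from two IPs and two countries. Bob's post-reset sign-in is excluded because it failed, and Carol never appears because the inner join requires a credential-change event. Note that using the latest change per user means an earlier change followed by tokens and then a second change is collapsed into the second window only, which is the same behaviour as the KQL `max(TimeGenerated)`.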

Details

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs, AuditLogs

Keywords

ADFS, AzureAD, AuditLogs, ADFSSignInLogs, User, Account, Tokens, IPs, Countries, Apps, Protocols, Location, AuthenticationMethod, UserPrincipalName, TimeGenerated

Operators

let, where, has_any, extend, isnotempty, summarize, join, on, order by, desc, count, make_set, max, min