HQ 007 Bulk Refresh Token Revocation
Query
// =========================================================================
// HQ-007: Bulk Refresh Token Revocations (Post-Compromise or Evasion)
// =========================================================================
// Description : "Update StsRefreshTokenValidFrom Timestamp" is produced
// when a user's refresh tokens are revoked (e.g., via
// Revoke-AzureADUserAllRefreshToken, MCAS response, or an
// attacker using AADInternals to invalidate sessions after
// extracting tokens). Three or more revocations in a day by
// the same actor warrants investigation — it may be IR
// activity or an attacker covering tracks.
// MITRE ATT&CK: TA0005 Defense Evasion
// T1070 – Indicator Removal
// T1531 – Account Access Removal
// Tools : AADInternals, MCAS/MDCA automated response, IR scripts
// Severity : Medium
// Data Source : AuditLogs (Azure Active Directory)
// =========================================================================
AuditLogs
| where TimeGenerated > ago(1d)
| where ActivityDisplayName == "Update StsRefreshTokenValidFrom Timestamp"
| extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend Actor = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend TargetUser = tostring(TargetResources[0].displayName)
| extend TargetUPN = tostring(TargetResources[0].userPrincipalName)
| summarize
RevocationCount = count(),
TargetUsers = make_set(TargetUser, 20),
TargetUPNs = make_set(TargetUPN, 20),
FirstEvent = min(TimeGenerated),
LastEvent = max(TimeGenerated),
CorrelationIds = make_set(CorrelationId, 5)
by Actor
| where RevocationCount >= 3
| extend DurationMinutes = datetime_diff('minute', LastEvent, FirstEvent)
| order by RevocationCount descExplanation
This query is designed to identify potential security incidents involving the revocation of refresh tokens in Azure Active Directory. Here's a simplified explanation:
-
Purpose: The query looks for instances where a user's refresh tokens have been revoked multiple times within a single day. This could indicate a security investigation or an attacker trying to hide their tracks.
-
Data Source: It uses the
AuditLogsfrom Azure Active Directory to find relevant events. -
Time Frame: It examines logs from the last 24 hours.
-
Event Type: Specifically, it searches for the event named "Update StsRefreshTokenValidFrom Timestamp," which signifies a refresh token revocation.
-
Actor Identification: It identifies who initiated the revocation, whether it was a user or an application.
-
Target Information: It collects information about the users whose tokens were revoked.
-
Summary: For each actor (the person or app initiating the revocations), it counts how many revocations they performed, lists the affected users, and notes the time range of these events.
-
Alert Criteria: It flags cases where an actor has revoked tokens three or more times in a day, as this could suggest malicious activity or an internal investigation.
-
Output: The results are sorted by the number of revocations, highlighting the most active actors.
Overall, the query helps identify unusual patterns of token revocation that may require further investigation.
