Query Details

Token Session Hijack

Query

id: 7b8c9d10-aaaa-4001-8001-00000000000A
name: HUNT - Token session hijack indicators on Intune resources
description: |
  Looks for non-interactive sign-ins to Intune / Device Management / Graph where the
  same session id is seen from two different countries or two different user agents
  within a short window — indicator of refresh-token / session-cookie replay.
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
tactics:
  - CredentialAccess
  - LateralMovement
relevantTechniques:
  - T1528
  - T1550.001
query: |
  // Corporate egress ranges from the 'NetworkAllowlist' watchlist (SearchKey holds the CIDR)
  let NetworkAllowlist = _GetWatchlist('NetworkAllowlist') | project IPRange = tostring(SearchKey);
  let AllowedRanges = toscalar(NetworkAllowlist | summarize make_list(IPRange));
  AADNonInteractiveUserSignInLogs
  | where TimeGenerated > ago(1d) and ResultType == 0
  | where ResourceDisplayName has_any ("Microsoft Intune","Device Management","Microsoft Graph","Windows 365")
  // Drop sign-ins from known corporate egress. ipv4_is_in_any_range() returns null for an IPv6
  // address, and where drops null, so IPv6 sign-ins fall out here unless a separate branch handles them.
  | where not(ipv4_is_in_any_range(tostring(IPAddress), AllowedRanges))
  | extend Country = tostring(parse_json(tostring(LocationDetails)).countryOrRegion)
  // Group per user AND session (the table's native SessionId column) so that one refresh token /
  // session cookie seen from two countries or several clients stands out, as the description says.
  | summarize Countries = dcount(Country), UAs = dcount(UserAgent),
              IPs = make_set(IPAddress, 10),
              CountryList = make_set(Country, 5),
              UAList = make_set(UserAgent, 5),
              Events = count()
            by UserPrincipalName, SessionId, bin(TimeGenerated, 30m)
  | where Countries > 1 or UAs > 2
  | order by TimeGenerated desc
version: 1.0.0

Explanation

This query hunts for indicators of session (token) hijacking against Intune resources. Here's a breakdown of what it does:

  1. Purpose: The query looks for successful non-interactive sign-ins to Intune, Device Management, Microsoft Graph or Windows 365 in which one user's session shows up from more than one country, or with several different user agents, inside a short window. Non-interactive sign-ins are made with a refresh token or session cookie rather than with a password or MFA prompt, so a session that changes country or client mid-lifetime is a signal that the token itself has been stolen and replayed, not that the user signed in again.

  2. Data Source: It uses Azure Active Directory's non-interactive user sign-in logs (AADNonInteractiveUserSignInLogs).

  3. Detection Logic:

    • It checks sign-ins from the last day (24 hours) where the sign-in was successful (ResultType == 0).
    • It filters for sign-ins to specific resources: Microsoft Intune, Device Management, Microsoft Graph and Windows 365.
    • It excludes source IP addresses that fall inside a range defined in the 'NetworkAllowlist' watchlist (corporate egress). Because the check uses ipv4_is_in_any_range(), which returns null for an IPv6 address, sign-ins from IPv6 clients are dropped at this step too; add an ipv6_is_in_any_range() branch if your tenant sees IPv6 traffic.
    • It extracts the country from LocationDetails and keeps the sign-in's SessionId.
    • It groups the remaining events by user, session ID and 30-minute bucket, counting distinct countries and user agents and collecting the IP addresses, countries and user agents involved.
    • It flags groups where one session is associated with more than one country, or with more than two user agents, within the bucket. The user-agent threshold is two rather than one because a single legitimate session often carries two clients (for example a browser and the Graph SDK behind a portal).
  4. Output: The query orders the results by bucket time, most recent first. Note that fixed 30-minute buckets can split a pair of sign-ins that are only minutes apart if they straddle a bucket boundary; if that matters for your hunt, widen the bin or compare consecutive sign-ins per session with prev() instead.

  5. Security Context: This query is part of a hunting strategy covering the Credential Access and Lateral Movement tactics, specifically Steal Application Access Token (T1528) and Use Alternate Authentication Material: Application Access Token (T1550.001).

Overall, this query helps security teams surface sessions that may have been replayed from a stolen refresh token or session cookie. Before escalating, check whether the extra country is explained by a VPN or carrier NAT exit and whether the second sign-in also introduced a new user agent; a single session hopping country and client at the same time is the stronger indicator.
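To make the detection logic concrete, here is an added Python re-implementation of the hunt run over a handful of constructed sign-in records shaped like AADNonInteractiveUserSignInLogs rows. It is not part of the original query or of any Microsoft tooling; the records, user names, IP addresses, the `NETWORK_ALLOWLIST` CIDR standing in for the watchlist and the fixed `NOW` are all made up for the example. It mirrors the query step by step (success filter, resource filter, allowlist exclusion, country extraction, per user/session/30-minute grouping, the `>1` country or `>2` user-agent thresholds, newest first) and includes two rows that show the caveats above: a session whose two sign-ins straddle a bucket boundary and so are not flagged, and a session whose corporate-egress leg is hidden by the allowlist.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Resources the hunt scopes to (taken from the query's has_any list).
TARGET_RESOURCES = ("Microsoft Intune", "Device Management", "Microsoft Graph", "Windows 365")
BIN = timedelta(minutes=30)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Hypothetical corporate egress range standing in for the 'NetworkAllowlist' watchlist.
NETWORK_ALLOWLIST = ["198.51.100.0/24"]
# Fixed "now" so the example is reproducible (assumption, not a real timestamp).
NOW = datetime(2026, 4, 22, 12, 30, tzinfo=timezone.utc)


def _row(ts, upn, resource, ip, ua, country, session, result="0"):
    """Build one constructed record with the subset of columns the query touches."""
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "ResourceDisplayName": resource,
            "IPAddress": ip, "UserAgent": ua, "SessionId": session, "ResultType": result,
            "LocationDetails": json.dumps({"countryOrRegion": country})}


UA_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
UA_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0)"
UA_PY = "python-requests/2.31.0"

# Constructed sample events (not real telemetry), one scenario per user.
SAMPLE_LOGS = [
    # alice: one session, GB then BR 15 minutes later with a new client -> replay indicator
    _row("2026-04-22T09:02:00Z", "alice@contoso.example", "Microsoft Intune", "203.0.113.10", UA_WIN, "GB", "sess-aaa"),
    _row("2026-04-22T09:17:00Z", "alice@contoso.example", "Microsoft Graph", "192.0.2.77", UA_PY, "BR", "sess-aaa"),
    _row("2026-04-22T09:20:00Z", "alice@contoso.example", "Microsoft Graph", "192.0.2.77", UA_PY, "BR", "sess-aaa", result="50126"),
    # bob: two separate sessions (two devices), same country -> benign
    _row("2026-04-22T10:05:00Z", "bob@contoso.example", "Device Management", "203.0.113.20", UA_WIN, "US", "sess-b1"),
    _row("2026-04-22T10:10:00Z", "bob@contoso.example", "Device Management", "203.0.113.21", UA_MAC, "US", "sess-b2"),
    # carol: corporate egress (allowlisted) then DE inside the same session
    _row("2026-04-22T11:00:00Z", "carol@contoso.example", "Microsoft Intune", "198.51.100.7", UA_WIN, "US", "sess-ccc"),
    _row("2026-04-22T11:05:00Z", "carol@contoso.example", "Microsoft Intune", "192.0.2.9", UA_WIN, "DE", "sess-ccc"),
    # dave: two countries, but not an in-scope resource
    _row("2026-04-22T08:00:00Z", "dave@contoso.example", "Office 365 Exchange Online", "203.0.113.30", UA_WIN, "FR", "sess-ddd"),
    _row("2026-04-22T08:10:00Z", "dave@contoso.example", "Office 365 Exchange Online", "192.0.2.30", UA_WIN, "JP", "sess-ddd"),
    # erin: one country, one session, three user agents inside one bucket
    _row("2026-04-22T10:40:00Z", "erin@contoso.example", "Windows 365", "203.0.113.40", UA_WIN, "GB", "sess-eee"),
    _row("2026-04-22T10:45:00Z", "erin@contoso.example", "Windows 365", "203.0.113.40", UA_MAC, "GB", "sess-eee"),
    _row("2026-04-22T10:50:00Z", "erin@contoso.example", "Windows 365", "203.0.113.40", UA_PY, "GB", "sess-eee"),
    # frank: GB then BR two minutes apart, but straddling the 12:00 bucket boundary
    _row("2026-04-22T11:59:00Z", "frank@contoso.example", "Microsoft Intune", "203.0.113.50", UA_WIN, "GB", "sess-fff"),
    _row("2026-04-22T12:01:00Z", "frank@contoso.example", "Microsoft Intune", "192.0.2.50", UA_PY, "BR", "sess-fff"),
]


def _in_allowlist(ip, ranges):
    # Unlike the KQL ipv4_is_in_any_range(), an IPv6 address is simply "not in" an IPv4 range here.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def _bin_start(ts):
    # Same floor semantics as KQL bin(TimeGenerated, 30m).
    return EPOCH + ((ts - EPOCH) // BIN) * BIN


def hunt_session_hijack(rows, allowlist, now, lookback=timedelta(days=1)):
    groups = defaultdict(lambda: {"IPs": set(), "Countries": set(), "UAs": set(), "Events": 0})
    for r in rows:
        ts = datetime.strptime(r["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts <= now - lookback or r["ResultType"] != "0":          # ago(1d) and ResultType == 0
            continue
        # Case-insensitive substring match approximates has_any on ResourceDisplayName.
        if not any(t.lower() in r["ResourceDisplayName"].lower() for t in TARGET_RESOURCES):
            continue
        if _in_allowlist(r["IPAddress"], allowlist):
            continue
        country = json.loads(r["LocationDetails"]).get("countryOrRegion", "")
        g = groups[(r["UserPrincipalName"], r["SessionId"], _bin_start(ts))]
        g["IPs"].add(r["IPAddress"]); g["Countries"].add(country); g["UAs"].add(r["UserAgent"]); g["Events"] += 1
    findings = []
    for (upn, sid, bucket), g in groups.items():
        if len(g["Countries"]) > 1 or len(g["UAs"]) > 2:          # Countries > 1 or UAs > 2
            findings.append({"UserPrincipalName": upn, "SessionId": sid, "TimeGenerated": bucket,
                             "Countries": len(g["Countries"]), "UAs": len(g["UAs"]),
                             "IPs": sorted(g["IPs"]), "CountryList": sorted(g["Countries"]),
                             "UAList": sorted(g["UAs"]), "Events": g["Events"]})
    findings.sort(key=lambda f: f["TimeGenerated"], reverse=True)  # order by TimeGenerated desc
    return findings


if __name__ == "__main__":
    for f in hunt_session_hijack(SAMPLE_LOGS, NETWORK_ALLOWLIST, NOW):
        print(f["TimeGenerated"].isoformat(), f["UserPrincipalName"], f["SessionId"],
              f["CountryList"], "UAs=%d" % f["UAs"])
```

Running it with the allowlist in place flags only alice (two countries in one session) and erin (three user agents in one session); carol's DE leg is left with nothing to compare against because her corporate-egress sign-in was allowlisted, and frank is missed because his two sign-ins land in different 30-minute buckets. Re-running with an empty allowlist surfaces carol as well, which is why an over-broad NetworkAllowlist quietly reduces the hunt's reach.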

Details


David Alonso

Released: April 22, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

Token Session Hijack, Indicators, Intune Resources, Sign-Ins, Intune, Device Management, Graph, Session Id, Countries, User Agents, Refresh Token, Session Cookie, Replay, Azure Active Directory, Non-Interactive User Sign-In Logs, Credential Access, Lateral Movement, Microsoft Intune, Device Management, Microsoft Graph, Windows, Country, Session Id, User Principal Name, TimeGenerated

Operators

let, project, toscalar, summarize, make_list, where, ago, and, has_any, not, ipv4_is_in_any_range, tostring, parse_json, extend, dcount, make_set, count, by, bin, order by, desc
