T1606.001 Web Cookies Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1606.001 — Forged Web Cookie Detection via Azure AD Authentication Anomalies
// Three complementary detection branches targeting different forgery indicators

// Branch 1: Non-interactive sign-ins with anomalous token risk signals
// 'anomalousToken' risk detail fires when Microsoft detects unusual JWT characteristics
let AnomalousTokenSignIns = AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(24h)
| where RiskDetail in ("anomalousToken", "unfamiliarFeatures", "maliciousIPAddress", "suspiciousIPAddress")
    or RiskLevelDuringSignIn in ("high", "medium")
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName,
          TokenIssuerType, AuthenticationProtocol,
          RiskDetail, RiskLevelDuringSignIn, CorrelationId,
          DetectionBranch = "AnomalousToken";

// Branch 2: Successful single-factor authentication from anonymizing network
// Forged cookies used from Tor/anonymized IPs bypassing MFA Conditional Access
let AnonymousNetworkCookieAuth = SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| where NetworkLocationDetails has_any ("anonymizedIPAddress", "tor")
| where AuthenticationRequirement == "singleFactorAuthentication"
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName,
          NetworkLocationDetails, AuthenticationRequirement,
          ConditionalAccessStatus, CorrelationId,
          DetectionBranch = "AnonymousNetworkAuth";

// Branch 3: Same session correlation ID used from multiple distinct source IPs
// Indicates forged cookie being simultaneously used from multiple attacker hosts
let MultiIPSession = SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| summarize
    UniqueIPCount = dcount(IPAddress),
    IPList = make_set(IPAddress, 5),
    LocationList = make_set(Location, 5),
    SignInCount = count(),
    SessionStart = min(TimeGenerated),
    SessionEnd = max(TimeGenerated)
    by UserPrincipalName, AppDisplayName, CorrelationId
| where UniqueIPCount > 1
| where datetime_diff("minute", SessionEnd, SessionStart) < 120
| project SessionStart, UserPrincipalName, AppDisplayName,
          UniqueIPCount, IPList, LocationList, SignInCount, CorrelationId,
          DetectionBranch = "MultiIPSession";

// Union all branches
AnomalousTokenSignIns
| union AnonymousNetworkCookieAuth
| union (
    MultiIPSession
    | project TimeGenerated = SessionStart, UserPrincipalName,
              IPAddress = tostring(IPList), AppDisplayName,
              RiskDetail = "MultipleIPsInSession", RiskLevelDuringSignIn = "medium",
              TokenIssuerType = "", AuthenticationProtocol = "",
              NetworkLocationDetails = tostring(LocationList),
              AuthenticationRequirement = "", ConditionalAccessStatus = "",
              CorrelationId, DetectionBranch
)
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Logon Session: Logon Session Creation Web Credential: Web Credential Usage Application Log: Application Log Content Azure Active Directory: Non-Interactive Sign-in Logs Microsoft Identity Protection: Risk Events

Required Tables

AADNonInteractiveUserSignInLogs SigninLogs

False Positives

Corporate VPN users whose traffic egresses through shared or anonymized IP ranges — establish Conditional Access Named Locations for known corporate VPN egress IPs and exclude them from Branch 2
Mobile or desktop applications using OAuth token refresh flows that generate non-interactive sign-ins from changing IPs as users roam between WiFi and cellular networks — review DeviceDetail and AppDisplayName to confirm legitimate client patterns
Office 365 service accounts and automation scripts performing scheduled tasks can trigger non-interactive high-risk sign-in signals due to unusual IP ranges or off-hours scheduling
Users with international travel whose sessions span multiple countries — correlate with HR travel records or look for preceding interactive re-authentication events
Azure AD Identity Protection 'anomalousToken' risk detail may fire on legitimate tokens issued by older authentication library versions that produce non-standard claim structures

Splunk

spl

( index=azure sourcetype="azure:aad:signin" ) OR ( index=azure sourcetype="azure:aad:signinlogs" )
| eval riskDetail=coalesce(riskDetail, "none")
| eval riskLevelDuringSignIn=coalesce(riskLevelDuringSignIn, "none")
| eval networkLocationDetails=coalesce(networkLocationDetails, "")
| eval authenticationRequirement=coalesce(authenticationRequirement, "multiFactorAuthentication")
| eval statusCode=coalesce('status.errorCode', 0)

// Score each sign-in against forgery indicators
| eval IsAnomalousToken=if(riskDetail="anomalousToken" OR riskDetail="unfamiliarFeatures", 1, 0)
| eval IsHighRisk=if(riskLevelDuringSignIn="high" OR riskLevelDuringSignIn="medium", 1, 0)
| eval IsAnonymousNetwork=if(match(lower(networkLocationDetails), "anonymizedipaddress|tor|anonymizer"), 1, 0)
| eval IsMFABypassedSession=if(authenticationRequirement="singleFactorAuthentication" AND statusCode=0, 1, 0)
| eval SuspicionScore=IsAnomalousToken + IsHighRisk + IsAnonymousNetwork + IsMFABypassedSession

| where SuspicionScore >= 1

// Aggregate by user and session correlation ID to identify multi-IP usage
| stats
    max(SuspicionScore) as MaxSuspicion,
    count as SignInCount,
    dc(ipAddress) as UniqueIPCount,
    values(ipAddress) as IPAddresses,
    values(appDisplayName) as Applications,
    values(riskDetail) as RiskDetails,
    sum(IsAnomalousToken) as AnomalousTokenHits,
    sum(IsHighRisk) as HighRiskHits,
    sum(IsAnonymousNetwork) as AnonymousNetworkHits,
    sum(IsMFABypassedSession) as MFABypassHits,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by userPrincipalName, correlationId

// Flag sessions with multiple IPs regardless of base suspicion score
| eval SuspicionScore=if(UniqueIPCount > 1, MaxSuspicion + 1, MaxSuspicion)
| eval DetectionReasons=mvappend(
    if(AnomalousTokenHits > 0, "AnomalousToken", null()),
    if(HighRiskHits > 0, "HighRiskSignIn", null()),
    if(AnonymousNetworkHits > 0, "AnonymousNetwork", null()),
    if(MFABypassHits > 0, "MFABypassedViaSession", null()),
    if(UniqueIPCount > 1, "MultiIPSession", null())
  )
| where SuspicionScore >= 1
| sort - SuspicionScore, - SignInCount
| table userPrincipalName, correlationId, SignInCount, UniqueIPCount,
        IPAddresses, Applications, DetectionReasons, SuspicionScore,
        FirstSeen, LastSeen

high severity medium confidence

Data Sources

Logon Session: Logon Session Creation Web Credential: Web Credential Usage Azure Active Directory: Sign-in Logs Microsoft Identity Protection: Risk Events

Required Sourcetypes

azure:aad:signin azure:aad:signinlogs

False Positives

Corporate VPN or ZTNA users appearing to authenticate from anonymized IPs — add known VPN egress ranges to a lookup table and use NOT lookup to suppress
Mobile app token refresh flows triggering multiple non-interactive sign-ins across IP changes as users roam between networks
Service accounts running scheduled automation from cloud infrastructure IPs that look anomalous to Identity Protection models
Legitimate users who share devices or sessions (e.g., hospital shared terminals) where session IDs may be reused across different user IPs
Azure AD Identity Protection model retraining periods where the baseline shifts and previously-normal tokens are flagged as anomalous

Elastic Security (EQL)

eql

any where event.dataset in ("azure.signinlogs", "o365.audit") and (kibana.alert.rule.name : "SAML*" or event.outcome : "success" and source.geo.country_iso_code != "US" and user_agent.name : ("python*", "curl*", "Go-http-client*")) or (event.action : "UserLoggedIn" and event.provider : "Exchange" and not user_agent.original : ("Microsoft*", "Mozilla*"))

high severity medium confidence

Data Sources

Azure Active Directory Microsoft 365 Defender Okta

Required Tables

logs-azure.signinlogs-* logs-o365.audit-* .alerts-security.*

False Positives

Corporate VPN users whose traffic egresses through shared or anonymized IP ranges — establish Conditional Access Named Locations for known corporate VPN egress IPs and exclude them from Branch 2
Mobile or desktop applications using OAuth token refresh flows that generate non-interactive sign-ins from changing IPs as users roam between WiFi and cellular networks — review DeviceDetail and AppDisplayName to confirm legitimate client patterns
Office 365 service accounts and automation scripts performing scheduled tasks can trigger non-interactive high-risk sign-in signals due to unusual IP ranges or off-hours scheduling
Users with international travel whose sessions span multiple countries — correlate with HR travel records or look for preceding interactive re-authentication events
Azure AD Identity Protection 'anomalousToken' risk detail may fire on legitimate tokens issued by older authentication library versions that produce non-standard claim structures

IBM QRadar (AQL)

sql

SELECT username as "Username", sourceip as "SourceIP", devicetime as "EventTime", UTF8(payload) as "EventDetails", CASE WHEN UTF8(payload) ILIKE '%SAML%' AND UTF8(payload) ILIKE '%forged%' THEN 100 WHEN UTF8(payload) ILIKE '%Golden SAML%' OR UTF8(payload) ILIKE '%ADFSDump%' THEN 100 WHEN UTF8(payload) ILIKE '%token%' AND UTF8(payload) ILIKE '%unusual location%' THEN 70 ELSE 55 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Azure Active Directory', 'Microsoft Office 365', 'Microsoft Windows Security Event Log') AND (UTF8(payload) ILIKE '%SAML%' OR UTF8(payload) ILIKE '%token%' OR eventid IN (4769, 1007, 1200, 1202)) ORDER BY "RiskScore" DESC LAST 1 HOURS

high severity medium confidence

Data Sources

Microsoft Azure Active Directory Microsoft Office 365 Windows Security Event Log

Required Tables

events

False Positives

Corporate VPN users whose traffic egresses through shared or anonymized IP ranges — establish Conditional Access Named Locations for known corporate VPN egress IPs and exclude them from Branch 2
Mobile or desktop applications using OAuth token refresh flows that generate non-interactive sign-ins from changing IPs as users roam between WiFi and cellular networks — review DeviceDetail and AppDisplayName to confirm legitimate client patterns
Office 365 service accounts and automation scripts performing scheduled tasks can trigger non-interactive high-risk sign-in signals due to unusual IP ranges or off-hours scheduling
Users with international travel whose sessions span multiple countries — correlate with HR travel records or look for preceding interactive re-authentication events
Azure AD Identity Protection 'anomalousToken' risk detail may fire on legitimate tokens issued by older authentication library versions that produce non-standard claim structures

Sumo Logic CSE

sql

_sourceCategory=azure/ad/signin OR _sourceCategory=o365/audit | json auto | where error_code in ("0", "50158", "50074", "50076") or event_action matches "*SAML*" or event_source matches "*ADFS*" | if(matches(event_action, "*ADFSSecretDump*") or matches(event_action, "*Golden SAML*"), "Critical", if(matches(error_code, "0") and !matches(user_agent, "*Microsoft*"), "High", "Medium")) as RiskLevel | stats count by user_principal_name, source_ip, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

Azure AD Sign-in Logs Office 365 Audit Logs

Required Tables

azure/ad/signin o365/audit

False Positives

Corporate VPN users whose traffic egresses through shared or anonymized IP ranges — establish Conditional Access Named Locations for known corporate VPN egress IPs and exclude them from Branch 2
Mobile or desktop applications using OAuth token refresh flows that generate non-interactive sign-ins from changing IPs as users roam between WiFi and cellular networks — review DeviceDetail and AppDisplayName to confirm legitimate client patterns
Office 365 service accounts and automation scripts performing scheduled tasks can trigger non-interactive high-risk sign-in signals due to unusual IP ranges or off-hours scheduling
Users with international travel whose sessions span multiple countries — correlate with HR travel records or look for preceding interactive re-authentication events
Azure AD Identity Protection 'anomalousToken' risk detail may fire on legitimate tokens issued by older authentication library versions that produce non-standard claim structures

Google Chronicle / SecOps

yaral

rule detect_forge_web_credentials {
  meta:
    author = "Argus"
    description = "Detects forged web credential usage including SAML token abuse"
    severity = "HIGH"
    technique = "T1606"
  events:
    $e.metadata.event_type = "SSO"
    $e.metadata.product_name = "Microsoft Azure Active Directory"
    (
      $e.security_result.category = "POLICY_VIOLATION" or
      re.regex($e.principal.user.user_display_name, `.`) and
      not re.regex($e.principal.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)`) 
    )
  condition:
    $e
}

high severity medium confidence

Data Sources

Azure AD Office 365 ADFS Logs

Required Tables

SSO USER_LOGIN USER_UNCATEGORIZED

False Positives

Corporate VPN users whose traffic egresses through shared or anonymized IP ranges — establish Conditional Access Named Locations for known corporate VPN egress IPs and exclude them from Branch 2
Mobile or desktop applications using OAuth token refresh flows that generate non-interactive sign-ins from changing IPs as users roam between WiFi and cellular networks — review DeviceDetail and AppDisplayName to confirm legitimate client patterns
Office 365 service accounts and automation scripts performing scheduled tasks can trigger non-interactive high-risk sign-in signals due to unusual IP ranges or off-hours scheduling
Users with international travel whose sessions span multiple countries — correlate with HR travel records or look for preceding interactive re-authentication events
Azure AD Identity Protection 'anomalousToken' risk detail may fire on legitimate tokens issued by older authentication library versions that produce non-standard claim structures

CrowdStrike LogScale (CQL)

cql

#event_simpleName=UserLogon
| AuthenticationPackage = /SAML|Kerberos|NTLM/i
| LogonType = "3"
| case {
    UserSid = "S-1-5-18" | AccountType := "System";
    RemoteIP != "" | AccountType := "RemoteLogon";
    * | AccountType := "Unknown"
  }
| stats count(UserName) as LogonCount by UserName, RemoteIP, AuthenticationPackage
| where LogonCount > 10
| table([@timestamp, UserName, RemoteIP, AuthenticationPackage, LogonCount])

high severity medium confidence

Data Sources

UserLogon (Falcon sensor)

Required Tables

UserLogon SsoApplicationActivity

False Positives

Corporate VPN users whose traffic egresses through shared or anonymized IP ranges — establish Conditional Access Named Locations for known corporate VPN egress IPs and exclude them from Branch 2
Mobile or desktop applications using OAuth token refresh flows that generate non-interactive sign-ins from changing IPs as users roam between WiFi and cellular networks — review DeviceDetail and AppDisplayName to confirm legitimate client patterns
Office 365 service accounts and automation scripts performing scheduled tasks can trigger non-interactive high-risk sign-in signals due to unusual IP ranges or off-hours scheduling
Users with international travel whose sessions span multiple countries — correlate with HR travel records or look for preceding interactive re-authentication events
Azure AD Identity Protection 'anomalousToken' risk detail may fire on legitimate tokens issued by older authentication library versions that produce non-standard claim structures

Web Cookies

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections