Which SIEM platforms have a THREAT-EntraID-TokenTheft detection rule?

df00tech provides THREAT-EntraID-TokenTheft (Microsoft Entra ID Session Token Theft and Replay) detection queries for 3 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL).

What severity and confidence is the THREAT-EntraID-TokenTheft detection?

The THREAT-EntraID-TokenTheft detection is rated critical severity with high confidence.

What are common false positives for THREAT-EntraID-TokenTheft?

Common false positives for THREAT-EntraID-TokenTheft include: Users legitimately travelling who sign in from airports, hotels, or multiple mobile data providers within a short window; Shared accounts used by multiple team members from different locations (should be eliminated as an SMB practice); VPN use that changes apparent location between sign-ins (user connects to VPN on second sign-in but not first).

THREAT-EntraID-TokenTheft Elastic Security · Elastic

Detect Microsoft Entra ID Session Token Theft and Replay in Elastic Security

Q: What data sources are required to detect Microsoft Entra ID Session Token Theft and Replay (THREAT-EntraID-TokenTheft)?

Detecting Microsoft Entra ID Session Token Theft and Replay requires the following data sources: Azure AD Sign-In Logs (AADSignInLogs), Azure AD Identity Protection (AADRiskyUsers, AADUserRiskEvents), Microsoft 365 Defender Advanced Hunting.

Session token theft (also called token replay or pass-the-cookie) is one of the most prevalent identity attacks targeting Microsoft 365 and Entra ID in 2025-2026. Adversaries use adversary-in-the-middle (AiTM) proxy frameworks (Evilginx2, Modlishka, Muraena, Tycoon 2FA, EvilProxy) to intercept valid session cookies from M365 sign-in flows, then replay those cookies to authenticate as the victim without needing their credentials or MFA code. The attack works because Microsoft's authentication cookies are bound to the browser session but not to the originating IP — replaying the cookie from a different IP is detected by Entra ID's risk engine but is not blocked by default. Scattered Spider and Storm-0539 are documented using this technique at scale against SMBs and mid-market organisations, primarily targeting financial fraud (payment diversion, payroll fraud) and IT admin compromise to then facilitate SIM swapping.

MITRE ATT&CK

Tactic: Credential Access Defense Evasion

Elastic Detection Query

Elastic Security (Elastic)

eql

sequence by user.name with maxspan=1h
  [authentication where event.dataset == "azure.signinlogs" and
   event.outcome == "success" and
   azure.signinlogs.properties.authentication_requirement != "multiFactorAuthentication"] as e1
  [authentication where event.dataset == "azure.signinlogs" and
   event.outcome == "success" and
   source.ip != e1.source.ip and
   geo.country_name != e1.geo.country_name]

critical severity high confidence

EQL sequence detecting session token replay: two successful sign-ins within 1 hour where (a) first lacks MFA and (b) second is from a different IP and country — signature of AiTM proxy token theft.

Data Sources

Elastic Azure AD integration

Required Tables

logs-azure.signinlogs-*

False Positives & Tuning

Multi-location users
VPN users

Download portable Sigma rule (.yml)

Other platforms for THREAT-EntraID-TokenTheft

Microsoft Sentinel (KQL) Splunk (SPL) All platforms (combined) →

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Session Cookie Replay using Evilginx2 Captured Cookie
Expected signal: Azure AD Sign-in logs record a session established from the test IP without MFA, using the replayed cookie. Entra ID Identity Protection may generate an 'Unfamiliar sign-in properties' risk event.

Last updated: 2026-04-22 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for THREAT-EntraID-TokenTheft including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1539Steal Web Session Cookie

Related Techniques

T1539Steal Web Session Cookie T1557.002ARP Cache Poisoning T1566.002Spearphishing Link T1114.002Remote Email Collection T1078.004Cloud Accounts

Detect Microsoft Entra ID Session Token Theft and Replay in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for THREAT-EntraID-TokenTheft

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Techniques

Same Tactic: Credential Access

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for THREAT-EntraID-TokenTheft

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Techniques

Same Tactic: Credential Access

Popular Detections

Get new detections in your inbox