This article, and its accompanying decision tree, provide guidance for security analysts and incident responders to identify and investigate token theft attacks in an organization.
Token theft occurs when threat actors compromise and replay tokens issued to a user, even if that user has satisfied multifactor authentication. To investigate and contain the damage resulting from token theft attacks, security analysts and incident responders must have access to the Microsoft Entra ID (formerly Azure AD) sign-in and audit logs for users and service principals, and an account with one of the following Microsoft Entra roles assigned: Security Administrator, Global Administrator, Security Reader, Global Reader, or Security Operator.
It is recommended to enable the advanced hunting feature with access to the last seven days of event data, connect Office 365 to Microsoft Defender for Cloud Apps, use the Unified Access Log for additional signals, and use a managed authentication configuration with password hash synchronization (PHS). Additionally, configure a SIEM to ingest risk events from the sign-in and audit logs, and integrate that SIEM with Microsoft Defender for Cloud Apps.
The investigation checklist covers anomalies or unusual activity in the identities, sign-in logs, audit logs, Office apps, and devices associated with affected users. Evidence of compromise or token theft is confirmed with the user. The user investigation checklist covers logs of user behavior, privileged account changes, inbox rule creation, and compromised users. If there is indication of phishing or other malicious email, Microsoft 365 Defender can be used to investigate and identify other affected users.
Authentications from the attacker's IP address or user agent string can be investigated using queries in Microsoft Sentinel. Additionally, Log Analytics or Sentinel can be used to discover questionable identities and anomalies. Finally, activity in the CloudAppEvents table in Microsoft 365 Defender can be used to investigate token theft attempts.
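As an added example (not code from the playbook or from Microsoft), the two pivots described above expressed as detection logic over constructed sign-in records: one pivots on a known attacker IP address or user agent string, the other flags sign-ins whose MFA requirement was satisfied only by a claim carried in a replayed token ("Previously satisfied") from an origin that never completed an interactive MFA challenge for that user. The records are constructed and flattened; the `AuthMethod` field name is an assumption standing in for the authentication-details entry of a real sign-in log.

```python
"""Triage constructed Entra-style sign-in records for token replay."""
from collections import defaultdict

# Constructed sample records mirroring a subset of sign-in log fields.
# Record 2 is the replay: MFA "Previously satisfied" from a scripted client
# and an IP that never performed an interactive MFA sign-in for alice.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2024-05-01T08:00:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.10", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/124",
     "AppDisplayName": "Office 365 Exchange Online",
     "AuthenticationRequirement": "multiFactorAuthentication", "AuthMethod": "Microsoft Authenticator"},
    {"TimeGenerated": "2024-05-01T09:15:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "198.51.100.77", "UserAgent": "python-requests/2.31",
     "AppDisplayName": "Microsoft Graph",
     "AuthenticationRequirement": "multiFactorAuthentication", "AuthMethod": "Previously satisfied"},
    {"TimeGenerated": "2024-05-01T09:20:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.10", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/124",
     "AppDisplayName": "SharePoint Online",
     "AuthenticationRequirement": "multiFactorAuthentication", "AuthMethod": "Previously satisfied"},
]


def interactive_mfa_origins(signins):
    """Map each user to the (IP, user agent) pairs that completed a real MFA challenge."""
    origins = defaultdict(set)
    for s in signins:
        if (s["AuthenticationRequirement"] == "multiFactorAuthentication"
                and s["AuthMethod"] != "Previously satisfied"):
            origins[s["UserPrincipalName"]].add((s["IPAddress"], s["UserAgent"]))
    return origins


def suspected_token_replays(signins):
    """Sign-ins whose MFA came from a token claim, from an origin that never did MFA itself."""
    origins = interactive_mfa_origins(signins)
    return [s for s in signins
            if s["AuthMethod"] == "Previously satisfied"
            and (s["IPAddress"], s["UserAgent"]) not in origins[s["UserPrincipalName"]]]


def signins_matching_ioc(signins, ip=None, user_agent=None):
    """Pivot on a known attacker IP address and/or user agent substring."""
    return [s for s in signins
            if (ip is None or s["IPAddress"] == ip)
            and (user_agent is None or user_agent in s["UserAgent"])]


if __name__ == "__main__":
    for hit in suspected_token_replays(SAMPLE_SIGNINS):
        print("suspected replay:", hit["TimeGenerated"], hit["IPAddress"], hit["UserAgent"])
```

A hit is a lead for the containment steps that follow (revoke tokens, block the IP, reset the password), not proof on its own; the third record shows a legitimate "Previously satisfied" sign-in from an origin that did complete MFA, which is correctly left alone.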
Once malicious or compromised user, device, application, or workload identities are identified, it is important to act to contain the attacker. This includes changing the password, blocking the user, blocking the attacker's IP address, enabling MFA, and enabling Microsoft Entra ID Protection. It is also important to determine the security and business effects of disabling user or device accounts.
After investigation and containment, the next step is to remediate the damage. This includes disabling affected user and device accounts, revoking current tokens, resetting passwords, disabling added credentials and/or devices, remediating infected devices, disabling suspicious email rules, and rolling back changes made by compromised privileged accounts. It is also important to delete added credentials and devices, and to
📓 Token theft playbook
👉🏽 Guide security analysts and incident responders in identifying and investigating token theft attacks.
👉🏽 Highlight the occurrence of token theft when threat actors compromise and replay tokens.
👉🏽 Emphasize the importance of accessing Microsoft Entra ID sign-in and audit logs.
👉🏽 Recommend enabling advanced hunting and accessing the last seven days of event data.
👉🏽 Suggest connecting Office 365 to Microsoft Defender for Cloud Apps for additional security.
👉🏽 Advise using a managed authentication configuration with password hash synchronization.
👉🏽 Recommend configuring a SIEM to ingest risk events and integrate with Microsoft Defender for Cloud Apps.
👉🏽 Outline the investigation checklist for identifying anomalies and unusual activity.
👉🏽 Explain the use of user behavior logs and privileged account changes in confirming compromise.
👉🏽 Provide actions for containment, remediation, and mitigation of token theft attacks.
#TokenTheft #SecurityInvestigation #IdentityProtection #ContainmentActions #DamageRemediation