Microsoft Sentinel SOC 101: How to Detect and Mitigate Session Token Stealing Attacks with Microsoft Sentinel
Burglar McToken
Get this entire series in a free, downloadable eBook https://aka.ms/SentinelSOC101
Session token stealing is a type of attack where an attacker obtains the session token of a legitimate user and uses it to impersonate them on a web application. Session tokens are usually stored in cookies or local storage and are used to authenticate users without requiring them to enter their credentials every time they access the web application. Session token stealing can lead to unauthorized access, data theft, account takeover, and other malicious activities.
How does it happen?
There are various ways that an attacker can steal session tokens, such as:
Cross-site scripting (XSS): The attacker injects script into the web application that runs in the victim’s browser and sends the session token to the attacker’s server, for example by reading document.cookie when the cookie lacks HttpOnly, or by reading a token kept in local storage.
Cross-site request forgery (CSRF): Strictly speaking this rides on the session rather than stealing it. The attacker tricks the victim into visiting a malicious site that makes the browser send a forged request to the web application; the browser attaches the victim’s session cookie automatically, so the attacker acts as the victim without ever seeing the token.
Man-in-the-middle (MITM): The attacker sits on the path between the victim and the web application, on an unencrypted or downgraded connection, and captures the session token from the request headers.
Phishing: The attacker lures the victim to a lookalike site that proxies the real login (adversary-in-the-middle phishing). The victim completes the login, including MFA, and the proxy captures the session cookie the real application issues.
Malware: The attacker infects the victim’s device with an infostealer that reads the browser’s cookie store or the in-memory token cache and sends the session token to the attacker.
Detection and Mitigation
To detect and mitigate session token stealing attacks, Microsoft Sentinel provides the log collection, analytics, threat intelligence, and automation needed to spot the traces such an attack leaves and to respond to them. Microsoft Sentinel is a cloud-native security information and event management (SIEM) platform that collects, analyzes, and responds to security data from sources such as Microsoft Entra ID (formerly Azure Active Directory), Office 365, Windows, Linux, network devices, firewalls, and third-party applications.
One possible way to write a KQL query for Microsoft Sentinel that detects Session Token Stealing is:
// Time window. ago() returns a datetime, which is what between() expects;
// a bare timespan such as 7d does not work here.
let starttime = ago(7d);
let endtime = now();
// Flag a session seen from more than this many distinct IP addresses.
// 1 is the right starting point; raise it only for populations that
// legitimately roam across networks mid-session.
let ip_threshold = 1;
// Interactive sign-ins from Microsoft Entra ID (formerly Azure Active Directory).
// ResultType is a string column, so compare against "0" for success.
let interactive = SigninLogs
| where TimeGenerated between (starttime .. endtime)
| where ResultType == "0"
| project TimeGenerated, UserPrincipalName, IPAddress, SessionId, AppDisplayName;
// A replayed token is usually redeemed silently: the attacker exchanges the
// stolen refresh token for new access tokens, which appear as non-interactive
// sign-ins carrying the SAME SessionId as the victim's original sign-in.
// These logs must be enabled on the Microsoft Entra ID data connector.
let noninteractive = AADNonInteractiveUserSignInLogs
| where TimeGenerated between (starttime .. endtime)
| where ResultType == "0"
| project TimeGenerated, UserPrincipalName, IPAddress, SessionId, AppDisplayName;
// Combine both, then count distinct IP addresses per user and session,
// keeping the evidence an analyst needs to triage the hit.
let session_stats = union interactive, noninteractive
| where isnotempty(SessionId)
| summarize IPCount = dcount(IPAddress),
            IPs = make_set(IPAddress, 10),
            Apps = make_set(AppDisplayName, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName, SessionId;
// Return the sessions used from more than the threshold number of IP addresses
session_stats
| where IPCount > ip_threshold
| order by IPCount desc, LastSeen desc
This query is based on the idea that a stolen session token gets redeemed from somewhere the victim is not, so the same Entra session id shows up from more than one IP address. The important detail is that the attacker rarely performs a fresh interactive sign-in. They present the stolen refresh token and receive new access tokens, which Entra ID records as non-interactive sign-ins carrying the victim’s original SessionId. That is why the query unions SigninLogs with AADNonInteractiveUserSignInLogs instead of looking at interactive sign-ins alone; with interactive logs only, a replay is usually invisible.
The query keeps successful sign-ins only (ResultType "0"; a failed attempt does not prove the token was usable), discards rows without a SessionId, and groups by user principal name and session id, counting distinct IP addresses and collecting the addresses, applications, and first and last time seen so an analyst can triage without re-querying. Any session with more than ip_threshold distinct addresses is returned, most suspicious first. Expect noise: a phone moving from Wi-Fi to cellular, a VPN reconnect, or carrier-grade NAT all put a second address on a legitimate session. Enrich the hits with country or ASN of the addresses, compare against your known egress ranges, and only then raise an incident, or raise ip_threshold for groups that roam.
This query is just an example of how to write a KQL query for Microsoft Sentinel that detects session token stealing. It does not cover every scenario (a token replayed from the same NAT address as the victim, for example, produces one IP and is not flagged), and it will need tuning to the environment and the data sources you have connected.
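The same multi-IP-per-session heuristic as the KQL query, written in Python so it can be run offline against constructed sign-in records and its edge cases checked. This is an added example, not code from the original post; the column names mirror SigninLogs, while the dataclass, the helper names, and the corporate egress range are assumptions. It goes one step past the query by collapsing a known egress range into a single label rather than dropping it, which is what keeps a session that is both on the corporate network and replayed elsewhere visible.

```python
# Added example (not code from the original post): the multi-IP-per-session
# heuristic from the KQL query, run over constructed sign-in records.
# Column names mirror SigninLogs; dataclass, helper names and the
# corporate egress range are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SignIn:
    time: datetime
    upn: str            # UserPrincipalName
    ip: str             # IPAddress
    session_id: str     # SessionId: the Entra session, shared by token refreshes
    result_type: str    # ResultType is a string; "0" means success
    interactive: bool   # False for rows from AADNonInteractiveUserSignInLogs


def flag_multi_ip_sessions(events, ip_threshold=1, window=timedelta(days=7),
                           now=None, egress_networks=()):
    """Return {(upn, session_id): sorted IPs} for sessions used from more than
    ip_threshold distinct addresses inside the window.

    egress_networks are CIDRs (corporate NAT pools, VPN concentrators) whose
    addresses are collapsed into one label instead of being dropped. Dropping
    them would hide a session that is legitimately on the corporate network
    AND replayed by an attacker elsewhere, which is exactly the case we want."""
    now = now or max(e.time for e in events)
    start = now - window
    nets = [ip_network(n) for n in egress_networks]
    per_session = defaultdict(set)
    for e in events:
        if not (start <= e.time <= now) or e.result_type != "0" or not e.session_id:
            continue
        addr = ip_address(e.ip)
        label = next((str(n) for n in nets if addr in n), e.ip)
        per_session[(e.upn, e.session_id)].add(label)
    return {k: sorted(v) for k, v in per_session.items() if len(v) > ip_threshold}


def sessions_per_user(flagged):
    """Second stage of the KQL: flagged sessions per user, so an account with
    several of them can be prioritised over a single noisy one."""
    counts = defaultdict(int)
    for upn, _session in flagged:
        counts[upn] += 1
    return dict(counts)


# Constructed sample data using RFC 5737 documentation ranges; 10.0.0.0/8
# stands in for the corporate egress pool (assumption).
T0 = datetime(2024, 1, 15, 9, 0)
NOW = T0 + timedelta(hours=3)
SAMPLE_EVENTS = [
    # alice signs in from the office, then her token is refreshed from an
    # unrelated address two hours later: the replay pattern.
    SignIn(T0, "alice@contoso.example", "203.0.113.10", "s-alice-1", "0", True),
    SignIn(T0 + timedelta(hours=2), "alice@contoso.example", "198.51.100.77", "s-alice-1", "0", False),
    # bob's session rotates between two addresses in the corporate NAT pool:
    # legitimate, collapsed to one label.
    SignIn(T0, "bob@contoso.example", "10.20.0.5", "s-bob-1", "0", True),
    SignIn(T0 + timedelta(minutes=30), "bob@contoso.example", "10.20.0.6", "s-bob-1", "0", False),
    # carol: one good sign-in plus a FAILED attempt from elsewhere (ResultType
    # 50126, wrong password); failures never prove the token was usable.
    SignIn(T0, "carol@contoso.example", "192.0.2.8", "s-carol-1", "0", True),
    SignIn(T0 + timedelta(hours=1), "carol@contoso.example", "198.51.100.9", "s-carol-1", "50126", True),
    # dave's second address is outside the 7-day window and is ignored.
    SignIn(T0 - timedelta(days=30), "dave@contoso.example", "198.51.100.50", "s-dave-1", "0", True),
    SignIn(T0, "dave@contoso.example", "192.0.2.30", "s-dave-1", "0", False),
]


def run_example():
    flagged = flag_multi_ip_sessions(SAMPLE_EVENTS, now=NOW, egress_networks=("10.0.0.0/8",))
    return flagged, sessions_per_user(flagged)


if __name__ == "__main__":
    flagged, per_user = run_example()
    for (upn, sid), ips in flagged.items():
        print(f"{upn} session {sid} seen from {len(ips)} addresses: {', '.join(ips)}")
    print("flagged sessions per user:", per_user)
```

Run it as is and only alice’s session is reported. Call flag_multi_ip_sessions without egress_networks and bob’s perfectly normal NAT rotation is flagged too, which is the false positive the KQL produces until you tune it.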
To mitigate session token stealing, you can follow these steps:
Use HTTPS for the entire site and send HSTS. The session token is then never transmitted in clear text, so it cannot be sniffed in transit or captured by downgrading the connection.
Set the session cookie with the Secure, HttpOnly and SameSite attributes (and the __Host- prefix where you can). HttpOnly keeps script, including injected XSS, from reading the cookie; Secure keeps it off plain HTTP. Local storage has no equivalent protection: any script running in the page can read it, so keep session tokens out of it.
Use short-lived session tokens, expire them after a period of inactivity, and enforce an absolute lifetime regardless of activity. Rotate the identifier after login, and give users and responders a way to revoke every session for an account. This limits the window in which a stolen token is useful.
Use strong passwords and multifactor authentication, which stop attackers who only have credentials. Be clear about what they do not do: a stolen session token was issued after MFA succeeded, so replaying it bypasses MFA. For Microsoft Entra ID sessions, pair MFA with Conditional Access controls that make a token harder to use elsewhere, such as requiring a compliant or hybrid-joined device, a shorter sign-in frequency, and Continuous Access Evaluation, and revoke the user’s sign-in sessions (refresh tokens) as soon as theft is suspected.
Only send session tokens to the application that issued them. Never paste them into tickets, chat, or URLs, and do not include them in links you share; a token in a query string ends up in proxy logs, browser history, and Referer headers.
A VPN helps on untrusted networks, where it keeps an on-path attacker from seeing your traffic; it does nothing against XSS, phishing, or malware already on the device. It also changes the IP addresses your sessions come from, so account for your VPN egress ranges when tuning the detection query above or your own users will trip it.
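Server-side session handling that implements the cookie, lifetime, and revocation items from the list above, as an added example that is not part of the original post. The store, the cookie name, and the timeout values are assumptions; the Set-Cookie attribute names are the standard ones. It also includes a small audit helper that reports which required attributes a Set-Cookie value is missing, the check a reviewer would run against an application under test.

```python
# Added example (not from the original post): session handling that applies
# the mitigations above. Store, cookie name and timeouts are assumptions.
import hashlib
import secrets
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)     # assumed policy values
ABSOLUTE_LIFETIME = timedelta(hours=8)
COOKIE_NAME = "__Host-sid"               # __Host- forces Secure, Path=/ and no Domain
REQUIRED_ATTRS = ("secure", "httponly", "samesite")


def _digest(token: str) -> str:
    # Only a hash of the token is stored server-side, so a leaked session table
    # cannot be replayed the way a leaked cookie can.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self._sessions = {}   # digest -> {"user", "created", "last_seen"}

    def create(self, user: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[_digest(token)] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token: str, now: datetime):
        """Return the user for a live session, or None. Idle and absolute limits
        are both enforced: an attacker who keeps a stolen token 'warm' never
        goes idle, but the absolute lifetime still ends the session."""
        key = _digest(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[key]
            return None
        s["last_seen"] = now
        return s["user"]

    def revoke_all(self, user: str) -> int:
        """Kill every session for an account: the response action when theft is suspected."""
        doomed = [k for k, s in self._sessions.items() if s["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def set_cookie_header(token: str) -> str:
    """Set-Cookie value carrying every attribute the mitigation list calls for."""
    return f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def missing_cookie_attributes(set_cookie_value: str):
    """Audit helper: which of the required attributes a Set-Cookie value lacks."""
    parts = [p.strip() for p in set_cookie_value.split(";")[1:]]
    present = {p.split("=", 1)[0].strip().lower() for p in parts}
    return [a for a in REQUIRED_ATTRS if a not in present]


# Constructed weak header of the kind the audit is meant to catch.
WEAK_COOKIE = "sid=5f2d9c; Path=/"


def run_example():
    store = SessionStore()
    t0 = datetime(2024, 1, 15, 9, 0)
    token = store.create("alice@contoso.example", t0)
    results = {
        "weak_missing": missing_cookie_attributes(WEAK_COOKIE),
        "hardened_missing": missing_cookie_attributes(set_cookie_header(token)),
        "valid_after_5m": store.validate(token, t0 + timedelta(minutes=5)),
        # 20 minutes after the last use: past IDLE_TIMEOUT, so the session is gone
        "valid_after_idle": store.validate(token, t0 + timedelta(minutes=25)),
    }
    # A session used every 10 minutes never goes idle; the absolute lifetime ends it.
    token2 = store.create("bob@contoso.example", t0)
    t, last = t0, None
    while t <= t0 + ABSOLUTE_LIFETIME:
        t += timedelta(minutes=10)
        last = store.validate(token2, t)
    results["valid_past_absolute"] = last
    # Revocation as incident response.
    token3 = store.create("carol@contoso.example", t0)
    results["revoked"] = store.revoke_all("carol@contoso.example")
    results["valid_after_revoke"] = store.validate(token3, t0 + timedelta(minutes=1))
    return results


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

Point missing_cookie_attributes at the Set-Cookie headers your own application returns; anything it reports for the session cookie is a gap the XSS and MITM entries above can exploit.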
Microsoft Sentinel Features
Some of the features of Microsoft Sentinel that can help detect and mitigate session token stealing attacks are:
Data connectors: Microsoft Sentinel provides data connectors for various sources that can provide relevant information about session token stealing attacks, such as Azure Active Directory (AAD), Azure Web Application Firewall (WAF), Azure Application Gateway, Azure Monitor, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Cloud App Security, Office 365, and more. These data connectors enable Microsoft Sentinel to ingest security logs and events from these sources and enrich them with contextual information.
Analytics rules: Microsoft Sentinel provides analytics rules that can detect suspicious or anomalous activities related to session token stealing attacks, such as multiple login attempts from different locations or devices, login failures followed by successful logins, unusual user-agent strings or browser versions, abnormal user behavior or activity patterns, and more. These analytics rules can generate alerts and incidents that can be investigated and resolved by security analysts.
Workbooks: Microsoft Sentinel provides workbooks that can visualize and analyze security data related to session token stealing attacks, such as user login history, user activity timeline, user location map, user device inventory, user risk score, user account status, and more. These workbooks can help security analysts gain insights and identify trends and patterns related to session token stealing attacks.
Hunting queries: Microsoft Sentinel provides hunting queries that search for evidence of session token stealing across the data it ingests: sign-in and audit logs (a session id appearing from new IP addresses, countries or user agents; token refreshes with no matching interactive sign-in), web application firewall and application gateway logs (XSS payloads aimed at exfiltrating a cookie, or requests carrying a cookie already known to be stolen), and endpoint telemetry from Microsoft Defender for Endpoint (processes other than the browser reading browser cookie databases, suspicious DNS queries or network connections from infostealers). Sentinel does not see the cookies or local storage items themselves; it sees the sign-ins, requests, and endpoint events that their theft and use produce. These hunting queries help security analysts proactively find token theft that no analytics rule has caught yet.
Playbooks: Microsoft Sentinel provides playbooks that automate the response to session token stealing attacks, such as notifying users or administrators, revoking the user’s sign-in sessions so the stolen refresh token stops working (access tokens already issued remain valid until they expire, so do this promptly), resetting passwords, blocking IP addresses or devices, revoking permissions or access rights, isolating a compromised endpoint, creating tickets or tasks, and more. These playbooks help security analysts reduce manual effort and shorten the time a stolen token stays usable.
By using Microsoft Sentinel’s features and capabilities, security teams can effectively detect and mitigate session token stealing attacks and protect their web applications and users from unauthorized access and data theft. Microsoft Sentinel is a scalable, flexible, and cost-effective solution that can help security teams improve their security posture and resilience against session token stealing attacks.
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Weekly Microsoft Defender Newsletter]
[Subscribe to the Weekly Azure OpenAI Newsletter]
[Learn KQL with the Must Learn KQL series and book]
[Learn AI Security with the Must Learn AI Security series and book]