T1606 – Forge Web Credentials (Azure AD Detection)

Azure AD Alert Details
Alert ID: AAD-TOKEN-FORGE-1606-7842
Alert Time: 2024-02-22 14:15:33 EST
Severity: CRITICAL (98/100)
Source: Azure AD Identity Protection
Rule: “Suspicious Token Usage – Anomaly Detected”
MITRE ATT&CK: T1606.002 – Forge Web Credentials: SAML Tokens

Alert Details:

Detection: Suspicious SAML token usage from untrusted location

User: kwilson@company.com (Karen Wilson – Finance Manager)
Time: 14:10 EST

Token Details:

Token Type: SAML (Security Assertion Markup Language)
Issuer: company.com (legitimate)
Audience: https://portal.company.com
Issue Time: 14:05 EST
Expiration Time: 14:35 EST (30 minutes)
Claims: User=kwilson, Role=FinanceAdmin, MFA=True

Usage Details:

First Usage: 14:10 EST from IP 45.134.225[.]78 (Bulgaria)
Second Usage: 14:11 EST from IP 185.143.221[.]89 (Bulgaria)
Third Usage: 14:12 EST from IP 194.165.16[.]89 (Romania)
Fourth Usage: 14:13 EST from IP 192.168.45.78 (internal – engineering host)

Anomaly Detection:

Token created at 14:05 from legitimate user location (New York)
Token used from Bulgaria 5 minutes later (impossible travel)
Token used from 4 different IPs in 4 minutes (impossible for single user)
Token carries MFA=True from the 14:05 sign-in, but no MFA challenge occurred at any of the 14:10–14:13 presentations (a bearer assertion is trusted on its claims alone)
Pattern matches SAML token theft and replay

Additional Context:

User kwilson reported “strange login notifications” at 14:05
User did NOT log in at that time
Token likely stolen from browser session or intercepted
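As an added example (not part of the original alert or report), the anomaly criteria above expressed as detection logic and run over constructed events that mirror the alert timeline: the same assertion ID presented from several source IPs within a short window, impossible travel between consecutive presentations, and an MFA=True claim reused without a fresh challenge. The event schema, the legitimate source IP 203.0.113.10, the coordinates and the placement of the internal host at the New York office are assumptions; the four replay IPs are the ones in the alert.

```python
"""Replay detection over per-presentation token-usage events.
Added example; the event format and geolocation fields are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class TokenUse:
    ts: datetime
    assertion_id: str
    user: str
    src_ip: str
    lat: float
    lon: float
    mfa_claim: bool        # MFA=True carried inside the assertion
    mfa_challenged: bool   # was an MFA challenge actually raised at this use?


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def analyze(events, window=timedelta(minutes=10), max_ips=2, max_kmh=1000.0):
    """Return {assertion_id: [finding, ...]} for assertions that look replayed."""
    by_token = {}
    for e in events:
        by_token.setdefault(e.assertion_id, []).append(e)

    findings = {}
    for aid, uses in by_token.items():
        uses.sort(key=lambda e: e.ts)
        hits = []
        # 1. Distinct source IPs within `window` of the first presentation.
        first = uses[0]
        ips = {u.src_ip for u in uses if u.ts - first.ts <= window}
        if len(ips) > max_ips:
            hits.append(f"{len(ips)} distinct source IPs within {window}")
        # 2. Impossible travel between consecutive presentations.
        for prev, cur in zip(uses, uses[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            if hours > 0 and km / hours > max_kmh:
                hits.append(f"impossible travel {prev.src_ip}->{cur.src_ip}: "
                            f"{km:.0f} km in {hours * 60:.0f} min")
        # 3. Assertion says MFA=True, yet later presentations saw no challenge.
        if any(u.mfa_claim and not u.mfa_challenged for u in uses[1:]):
            hits.append("MFA=True claim reused without a fresh MFA challenge")
        if hits:
            findings[aid] = hits
    return findings


def sample_events():
    """Constructed from the alert timeline (14:05-14:13 EST, written in UTC).
    Legitimate source IP and all coordinates are assumptions."""
    def t(hh, mm):
        return datetime(2024, 2, 22, hh, mm)
    ny, sofia, bucharest = (40.71, -74.01), (42.70, 23.32), (44.43, 26.10)
    return [
        TokenUse(t(19, 5), "_a1b2c3", "kwilson", "203.0.113.10", *ny, True, True),
        TokenUse(t(19, 10), "_a1b2c3", "kwilson", "45.134.225.78", *sofia, True, False),
        TokenUse(t(19, 11), "_a1b2c3", "kwilson", "185.143.221.89", *sofia, True, False),
        TokenUse(t(19, 12), "_a1b2c3", "kwilson", "194.165.16.89", *bucharest, True, False),
        TokenUse(t(19, 13), "_a1b2c3", "kwilson", "192.168.45.78", *ny, True, False),
        # Control: another user's assertion presented exactly once.
        TokenUse(t(19, 7), "_zz9", "jdoe", "203.0.113.22", *ny, True, True),
    ]


if __name__ == "__main__":
    for aid, hits in analyze(sample_events()).items():
        print(aid)
        for h in hits:
            print("  -", h)
```

The control assertion `_zz9` produces no finding; `_a1b2c3` produces five (one IP-count hit, three impossible-travel hits, one MFA hit). The two Sofia presentations a minute apart do not trigger the travel check because the constructed coordinates are identical, which is why the distinct-IP count is kept as a separate signal.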
SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify Azure AD alert | Azure AD Identity Protection | Confirmed SAML token replay attack
2. Immediate Action | Revoke all user tokens | Azure AD PowerShell | All tokens for kwilson revoked
3. User Session Termination | Force logout all sessions | Azure AD | User logged out everywhere
4. Password Reset | Reset user password | Azure AD | Password reset; MFA re-enrolled
5. Investigation | Determine token source | Browser History, EDR | Token stolen via malicious browser extension
6. Host Remediation | Clean infected workstation | CrowdStrike | Malicious extension removed

Jira Incident Report
Ticket: SOC-2024-112
Summary: T1606 – SAML Token Theft and Replay Attack
Status: RESOLVED
Resolution: MALICIOUS – Tokens Revoked
Priority: P1 – CRITICAL
Labels: T1606, forge-web-credentials, saml-token, token-theft, azure-ad
Components: Identity-Management, Cloud-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Azure AD Identity Protection.
Alert: “Suspicious Token Usage – Anomaly Detected”.
User: kwilson@company.com (Finance Manager).
Time: 2024-02-22 14:15 EST.
Technique: MITRE ATT&CK T1606.002 – Forge Web Credentials: SAML Tokens (as mapped by the alert rule). Note that the observed activity is theft and replay of a legitimately issued assertion, not forging one with a stolen token-signing key; T1539 (Steal Web Session Cookie) and T1550.001 (Use Alternate Authentication Material: Application Access Token) describe the observed behaviour more precisely.

2. Technical Analysis:

Attack Chain:

13:45 – User visits compromised website (finance blog)
13:46 – Site prompts the user to install a browser extension, listed on the Chrome Web Store as “Google Docs Offline Helper”
13:47 – Extension installed; the user did not recognise it as malicious
13:48 – Extension monitors browser traffic
14:05 – User logs into company portal legitimately
14:05 – SAML token issued (valid 30 minutes)
14:05 – Extension (permitted to read all data on websites) captures the SAML token from the browser session
14:06 – Token exfiltrated to attacker C2
14:10-14:13 – Attacker replays token from multiple IPs
14:15 – Azure AD detects anomalous usage

Token Replay Details:

IP 45.134.225[.]78: Accessed financial reports (read-only)
IP 185.143.221[.]89: Accessed vendor payment portal
IP 194.165.16[.]89: Attempted wire transfer (blocked – required second approver)
IP 192.168.45.78: Accessed internal wiki (reconnaissance)
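The replays above succeeded because the portal accepted the same bearer assertion more than once. The SAML 2.0 Web Browser SSO profile requires the service provider to reject an assertion ID it has already consumed, for as long as the assertion's NotOnOrAfter keeps it valid. What follows is an added example of that service-provider-side check (not the portal's real code): issuer, audience, validity window and a replay cache keyed on the assertion ID. The assertion XML is constructed from the token details in the alert (times converted from EST to UTC, ID and recipient URL invented), and XML signature verification is assumed to have been done by the caller before this function runs.

```python
"""Service-provider checks that reject a replayed SAML bearer assertion.
Added example; the assertion below is constructed, not the real token."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed from the alert's token details: issuer company.com, audience
# https://portal.company.com, issued 14:05 EST, expires 14:35 EST.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" IssueInstant="2024-02-22T19:05:00Z" Version="2.0">
  <saml:Issuer>company.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>kwilson</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-02-22T19:35:00Z"
          Recipient="https://portal.company.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-02-22T19:05:00Z" NotOnOrAfter="2024-02-22T19:35:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.company.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role"><saml:AttributeValue>FinanceAdmin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="MFA"><saml:AttributeValue>True</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class ReplayCache:
    """Remembers consumed assertion IDs until their NotOnOrAfter has passed."""
    def __init__(self):
        self._seen = {}  # assertion ID -> expiry

    def check_and_record(self, assertion_id, expires, now):
        # Evict expired entries so the cache is bounded by the assertion lifetime.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


def _ts(s):
    """Parse a SAML UTC timestamp such as 2024-02-22T19:05:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def validate_assertion(xml_text, now, cache, issuer="company.com",
                       audience="https://portal.company.com",
                       skew=timedelta(seconds=60)):
    """Return (accepted, reason). Caller must have verified the XML signature."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not an Assertion"
    if root.get("ID") is None:
        return False, "missing assertion ID"
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        return False, "unexpected issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "missing Conditions/NotOnOrAfter"
    not_after = _ts(cond.get("NotOnOrAfter"))
    not_before = cond.get("NotBefore")
    if not_before is not None and now + skew < _ts(not_before):
        return False, "not yet valid"
    if now - skew >= not_after:
        return False, "outside validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return False, "audience mismatch"
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        return False, "subject confirmation expired"
    # Replay protection: one presentation per assertion ID for its whole lifetime.
    if not cache.check_and_record(root.get("ID"), not_after, now):
        return False, "assertion ID already used (replay)"
    return True, "accepted"


def demo():
    """Walk the alert timeline: 14:05 accepted, 14:10 replay rejected, plus
    an audience mismatch and a presentation after expiry."""
    cache = ReplayCache()
    return [
        validate_assertion(SAMPLE_ASSERTION, _ts("2024-02-22T19:05:30Z"), cache),
        validate_assertion(SAMPLE_ASSERTION, _ts("2024-02-22T19:10:00Z"), cache),
        validate_assertion(SAMPLE_ASSERTION, _ts("2024-02-22T19:10:00Z"), ReplayCache(),
                           audience="https://other.example"),
        validate_assertion(SAMPLE_ASSERTION, _ts("2024-02-22T19:40:00Z"), ReplayCache()),
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("ACCEPT" if ok else "REJECT", reason)
```

With this check in place the 14:05 presentation is the only one that succeeds; presentations two through four are refused as replays regardless of source IP. In a multi-node deployment the cache must be shared (for example in a database or distributed store), otherwise an attacker can replay against a node that has not seen the ID.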

Malicious Browser Extension:

Name: “Google Docs Offline Helper” (masquerading)
Permissions: Read all data on websites
Behavior: Exfiltrates tokens, cookies, session data
Source: Chrome Web Store (removed after report)

User Activity:

User reported “strange login notifications” at 14:05
Did not authorize any logins from unusual locations

3. Investigation Findings:

Timeline:

13:45-13:48 – Extension installed
14:05 – Legitimate login, token stolen
14:06 – Token exfiltrated
14:10-14:13 – Attacker activity
14:15 – Alert triggers
14:17 – SOC investigates
14:18 – All tokens revoked
14:19 – User forced logout

Attacker Activity Assessment:

Viewed 3 financial reports (no sensitive data)
Accessed vendor payment portal (no transactions)
Attempted wire transfer (blocked by dual control)
No data downloaded

Indicators of Compromise (IoCs):

Network:

– Attacker IPs (external): 45.134.225[.]78, 185.143.221[.]89, 194.165.16[.]89

– Internal host: 192.168.45.78 (engineering host from which the fourth replay originated; triage it separately as a possible pivot rather than blocking it as an attacker IP)

Browser Extension:

– Name: “Google Docs Offline Helper”

– ID: gdoc-helper-12345 (as recorded; a real Chrome Web Store extension ID is a 32-character string of the letters a–p, so confirm the ID from the installed extension before using it as an IoC)

Token:

– SAML token for kwilson (now revoked)

4. Containment Actions:

Immediate Actions:

Revoked all active tokens for kwilson (refresh tokens and Azure AD session cookies; already-issued access tokens and SAML assertions stay valid until they expire, which is why the application-side logout below was also required).
Force logout from all applications.
Reset user password.
Re-enrolled MFA.

Host Remediation:

Removed malicious browser extension.
Cleared browser cache and cookies.
Full scan (no other malware).

Application Review:

Checked financial systems for unauthorized transactions (none).
Reviewed vendor payment logs (none).

5. Root Cause Analysis:

Primary Cause: Malicious browser extension installed on the user's workstation from a prompt on a compromised website (see attack chain); the user did not recognise it as malicious.
Contributing Factors:
Extension allowed excessive permissions.
No extension allowlist/blocklist in place.
User unaware of extension risks.

6. Business Impact:

Operational Impact: Finance manager offline for 2 hours.
Financial Impact: None (wire transfer blocked).
Data Exposure: 3 financial reports viewed; no exfiltration.

7. Remediation & Prevention:

Completed Actions:

Tokens revoked.
Extension removed.
User educated.
Attacker blocked.

Technical Controls Enhanced:

Implemented Chrome extension allowlist (only approved extensions).
Enabled token binding (where supported).
Enhanced Azure AD token protection (conditional access policies).
Deployed browser isolation for high-risk users.

8. Conclusion:

An attacker used a malicious browser extension to steal a SAML token from a Finance manager and replay it from multiple locations. Azure AD detected the anomalous token usage within minutes. All tokens were revoked before significant damage occurred.

Closure Rationale: Tokens revoked; extension removed; user secured.

Analyst: [Walter White], SOC Analyst Date: 2024-02-22 15:30 EST
