Unusual modifications to Active Directory STS refresh tokens by non-DirectorySync service principals may indicate adversary attempts to compromise authentication mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential credential theft or persistence tactics used by advanced threats.
KQL Query

```kusto
CloudAppEvents
| where ActionType == "Update StsRefreshTokenValidFrom Timestamp."
| where RawEventData !has "Directorysync"
| extend displayName = RawEventData.ModifiedProperties[0].Name
| where displayName == "StsRefreshTokensValidFrom"
| extend oldValue = RawEventData.ModifiedProperties[0].OldValue
| extend newValue = RawEventData.ModifiedProperties[0].NewValue
| extend oldStsRefreshValidFrom = todatetime(parse_json(tostring(oldValue))[0])
| extend newStsRefreshValidFrom = todatetime(parse_json(tostring(newValue))[0])
| extend tokenMinutesAdded = datetime_diff('minute', newStsRefreshValidFrom, oldStsRefreshValidFrom)
| extend tokenMinutesRemaining = datetime_diff('minute', Timestamp, newStsRefreshValidFrom)
| extend Role = parse_json(RawEventData.Actor[-1]).ID
| distinct AccountObjectId, AccountDisplayName, tostring(Role), IPAddress, IsAnonymousProxy, ISP, tokenMinutesAdded, tokenMinutesRemaining
```
```yaml
id: 634dfbd6-0a42-40da-854e-2161cf137f14
name: UpdateStsRefreshToken[Solorigate]
description: |
  This will show Active Directory Security Token Service (STS) refresh token modifications by Service Principals and Applications other than DirectorySync. Refresh tokens are used to validate identification and obtain access tokens. This event is most often generated when legitimate administrators troubleshoot frequent Entra ID user sign-ins but may also be generated as a result of malicious token extensions. Confirm that the activity is related to an administrator legitimately modifying STS refresh tokens and check the new token validation time period for high values.
  Query inspired by Azure Sentinel detection https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/StsRefreshTokenModification.yaml
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - DefenseEvasion
tags:
  - Solorigate
query: |
  CloudAppEvents
  | where ActionType == "Update StsRefreshTokenValidFrom Timestamp."
  | where RawEventData !has "Directorysync"
  | extend displayName = RawEventData.ModifiedProperties[0].Name
  | where displayName == "StsRefreshTokensValidFrom"
  | extend oldValue = RawEventData.ModifiedProperties[0].OldValue
  | extend newValue = RawEventData.ModifiedProperties[0].NewValue
  | extend oldStsRefreshValidFrom = todatetime(parse_json(tostring(oldValue))[0])
  | extend newStsRefreshValidFrom = todatetime(parse_json(tostring(newValue))[0])
  | extend tokenMinutesAdded = datetime_diff('minute', newStsRefreshValidFrom, oldStsRefreshValidFrom)
  | extend tokenMinutesRemaining = datetime_diff('minute', Timestamp, newStsRefreshValidFrom)
  | extend Role = parse_json(RawEventData.Actor[-1]).ID
  | distinct AccountObjectId, AccountDisplayName, tostring(Role), IPAddress, IsAnonymousProxy, ISP, tokenMinutesAdded, tokenMinutesRemaining
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Known benign scenarios that can produce this event, with suggested exclusions. Note that the exclusion expressions below are written against Windows Security event fields (EventID, SubjectUserName, LogonType, LogonProcessName); the CloudAppEvents table does not carry those columns, so each exclusion has to be translated to the CloudAppEvents schema (for example, AccountDisplayName, or the actor entries inside RawEventData) before it is appended to the query.

Scenario: Scheduled Job for Token Refresh
Description: A legitimate scheduled job (e.g., Azure AD Connect or Microsoft Identity Manager) runs periodically to refresh tokens.
Filter/Exclusion: `EventID == 4738 (Security Token Service refresh) AND SubjectUserName == "ADConnectServiceAccount" OR EventID == 4738 AND LogonType == 3 (Interactive logon)`

Scenario: Administrative Task: Resetting Passwords via Azure AD Password Reset Tool
Description: An admin uses the Azure AD Password Reset Tool to reset a user's password, which may trigger a refresh token update.
Filter/Exclusion: `EventID == 4738 AND SubjectUserName == "AdminUser" OR EventID == 4738 AND LogonProcessName == "AzureADPasswordReset.exe"`

Scenario: Service Principal Maintenance via Azure Portal
Description: An admin manually updates a service principal configuration in the Azure Portal, which may result in a refresh token change.
Filter/Exclusion: `EventID == 4738 AND SubjectUserName == "AdminUser" OR EventID == 4738 AND LogonType == 10 (Service logon)`

Scenario: Automated Token Sync via Azure AD Connect Health
Description: The Azure AD Connect Health service performs automated token synchronization, which can cause refresh token modifications.
Filter/Exclusion: `EventID == 4738 AND LogonProcessName == "AzureADConnectHealth.exe" OR EventID == 4738 AND LogonType == 10`
Scenario: **Third-
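As an added worked example (not code from this page, from the Azure-Sentinel repository, or from Microsoft), the Python below re-implements the hunting query's filters and minute arithmetic over constructed CloudAppEvents-shaped rows, so the values of tokenMinutesAdded and tokenMinutesRemaining can be checked offline, and it adds an AccountDisplayName allow-list as one way to express the benign scenarios above against the CloudAppEvents schema. The account names, object IDs, IP addresses, timestamps, the `review` flag and its `high_minutes` threshold are all assumptions made for the example.

```python
import json
from datetime import datetime


def _parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in CloudAppEvents and RawEventData."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _first_timestamp(json_array_text):
    """OldValue/NewValue are JSON arrays encoded as strings, e.g. '["2024-..."]';
    this mirrors todatetime(parse_json(tostring(value))[0]) in the KQL."""
    return _parse_ts(json.loads(json_array_text)[0])


def hunt_sts_refresh_updates(events, excluded_actors=(), high_minutes=None):
    """Apply the hunting query's filters and arithmetic to in-memory rows.
    excluded_actors: AccountDisplayName values treated as known-good (the page's
    benign scenarios, translated to a CloudAppEvents column; assumption).
    high_minutes: assumed review threshold for tokenMinutesAdded.
    Returns the distinct rows the query would project, in input order."""
    seen, results = set(), []
    for ev in events:
        if ev.get("ActionType") != "Update StsRefreshTokenValidFrom Timestamp.":
            continue
        raw = ev["RawEventData"]
        # `RawEventData !has "Directorysync"`: KQL `has` is a case-insensitive term
        # match over the serialised value; a substring test approximates it here.
        if "directorysync" in json.dumps(raw).lower():
            continue
        prop = raw["ModifiedProperties"][0]
        if prop.get("Name") != "StsRefreshTokensValidFrom":
            continue
        if ev.get("AccountDisplayName") in excluded_actors:
            continue  # allow-listed maintenance identity (scenarios above)
        old_valid = _first_timestamp(prop["OldValue"])
        new_valid = _first_timestamp(prop["NewValue"])
        ts = _parse_ts(ev["Timestamp"])
        # datetime_diff('minute', a, b) is a minus b in whole minutes.
        minutes_added = round((new_valid - old_valid).total_seconds() / 60)
        minutes_remaining = round((ts - new_valid).total_seconds() / 60)
        role = raw["Actor"][-1]["ID"]  # parse_json(RawEventData.Actor[-1]).ID
        row = {
            "AccountObjectId": ev["AccountObjectId"],
            "AccountDisplayName": ev["AccountDisplayName"],
            "Role": str(role),
            "IPAddress": ev["IPAddress"],
            "IsAnonymousProxy": ev["IsAnonymousProxy"],
            "ISP": ev["ISP"],
            "tokenMinutesAdded": minutes_added,
            "tokenMinutesRemaining": minutes_remaining,
        }
        key = tuple(row.values())  # `distinct` over the projected columns
        if key in seen:
            continue
        seen.add(key)
        row["review"] = high_minutes is not None and minutes_added >= high_minutes
        results.append(row)
    return results


def _event(account, role, ip, old, new, ts, object_id="00000000-0000-4000-8000-000000000001"):
    """One constructed CloudAppEvents-shaped row (sample data, not from a real tenant)."""
    return {
        "Timestamp": ts,
        "ActionType": "Update StsRefreshTokenValidFrom Timestamp.",
        "AccountObjectId": object_id, "AccountDisplayName": account,
        "IPAddress": ip, "IsAnonymousProxy": False, "ISP": "ExampleISP",
        "RawEventData": {
            "Actor": [{"ID": account, "Type": 5}, {"ID": role, "Type": 2}],
            "ModifiedProperties": [{
                "Name": "StsRefreshTokensValidFrom",
                "OldValue": json.dumps([old]), "NewValue": json.dumps([new]),
            }],
        },
    }


# Constructed samples: a DirectorySync update, an allow-listed sync account, an admin
# revocation (ValidFrom moved to the event time) plus its duplicate, and a
# service-principal update that moves ValidFrom a day past the event time.
SAMPLE_EVENTS = [
    _event("Sync_DirectorySync_1a2b", "ServicePrincipal", "203.0.113.5",
           "2024-02-01T00:00:00Z", "2024-03-01T10:05:00Z", "2024-03-01T10:05:00Z"),
    _event("ADConnectServiceAccount", "ServicePrincipal", "203.0.113.6",
           "2024-02-28T00:00:00Z", "2024-03-01T10:10:00Z", "2024-03-01T10:10:00Z"),
    _event("alice@example.com", "Global Administrator", "198.51.100.7",
           "2024-01-01T00:00:00Z", "2024-03-01T10:00:00Z", "2024-03-01T10:00:00Z"),
    _event("alice@example.com", "Global Administrator", "198.51.100.7",
           "2024-01-01T00:00:00Z", "2024-03-01T10:00:00Z", "2024-03-01T10:00:00Z"),
    _event("Legacy Reporting App", "ServicePrincipal", "192.0.2.9",
           "2024-03-01T11:00:00Z", "2024-03-02T12:00:00Z", "2024-03-01T12:00:00Z",
           object_id="00000000-0000-4000-8000-000000000002"),
]

if __name__ == "__main__":
    for row in hunt_sts_refresh_updates(SAMPLE_EVENTS, {"ADConnectServiceAccount"}, 1440):
        print(row)
```

Two things the sample output makes visible that the query text alone does not: the admin revocation row (ValidFrom moved to the event time, so tokenMinutesRemaining is 0) still carries a very large tokenMinutesAdded simply because the previous value was old, so the "high values" check needs the actor, role and IP context to separate routine troubleshooting from a token extension; and the service-principal row has a negative tokenMinutesRemaining, meaning the new ValidFrom lies after the event itself. The first sample's display name was constructed to contain the term the `!has "Directorysync"` filter keys on, so it never reaches the output.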