detecting-oauth-token-theft


Detects and responds to OAuth token theft and replay attacks in cloud environments, focusing on Microsoft Entra ID (Azure AD) token protection, conditional access policies, and sign-in anomaly detection. Covers access token theft, refresh token replay, Primary Refresh Token (PRT) abuse, and pass-the-cookie attacks. Activates for requests involving OAuth token theft detection, token replay prevention, Azure AD conditional access token protection, or cloud identity attack investigation.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

Criterion      Weight  Score
Stars          20%     100
Recency        20%     100
Frontmatter    20%     70
Documentation  15%     100
Issue Health   10%     50
License        10%     100
Description     5%     100

Skill Content

# Detecting OAuth Token Theft

## When to Use

- Investigating alerts for impossible travel or anomalous token usage in Microsoft Entra ID
- Responding to a suspected session hijacking or pass-the-cookie attack
- Configuring proactive defenses against OAuth token theft in an Azure/M365 environment
- Detecting OAuth device code phishing campaigns, in which the victim completes MFA on a legitimate Microsoft prompt and the attacker receives the resulting, MFA-satisfied tokens
- Analyzing sign-in logs for token replay indicators
- Implementing Token Protection conditional access policies, which bind the sign-in session (refresh token and PRT) to the device it was issued on so a stolen token fails when replayed elsewhere

**Do not use** for on-premises Kerberos ticket attacks (pass-the-ticket, golden ticket); use Active Directory-specific investigation techniques for those scenarios.

## Prerequisites

- Microsoft Entra ID P1 license for conditional access, and P2 for Identity Protection risk detections and risk-based policies
- Global Administrator, Security Administrator, or Conditional Access Administrator role in the Entra admin center
- Microsoft Defender for Cloud Apps (MDCA) license for session anomaly detection
- Access to Entra ID Sign-in Logs and Audit Logs (requires Diagnostic Settings configured to export to Log Analytics or Sentinel; the portal itself retains sign-in logs for only 30 days on P1/P2)
- Familiarity with OAuth 2.0 authorization flows (authorization code, device code, client credentials)
- Microsoft Sentinel or equivalent SIEM ingesting Entra ID sign-in and audit logs

## Workflow

### Step 1: Understand the Token Theft Attack Surface

Identify which token types are at risk and how they are stolen:

```
Token Type | Lifetime | Theft Vector | Impact
----------------------...
```
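As an added example (not part of the skill or of the mukul975 repository), this Python script runs the replay heuristic behind the "token replay indicators" bullet above, offline, over constructed sign-in records shaped like the fields a Sentinel `SigninLogs` row exposes. Entra ID issues every token refreshed within one sign-in session under the same session identifier, so the same session observed from two IP addresses that would require implausible travel speed, or from a different client OS, is the indicator to triage. The users, IP addresses (RFC 5737 documentation ranges), coordinates and field names are constructed; the 900 km/h ceiling and the 100 km minimum distance are assumed tuning values, not figures from the skill. In Sentinel the same logic would be a KQL query over `SigninLogs` grouped by `SessionId`.

```python
"""Session-replay detection over Entra ID style sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample records (not real telemetry). sessionId is the Entra ID sign-in
# session identifier shared by every token refreshed in that session.
SAMPLE_SIGNINS = [
    # alice: session reused 40 minutes later from another continent on a different OS
    {"user": "alice@contoso.example", "sessionId": "sess-0001", "time": "2024-05-01T09:00:00Z",
     "ip": "203.0.113.10", "lat": 47.6062, "lon": -122.3321, "os": "Windows 11"},
    {"user": "alice@contoso.example", "sessionId": "sess-0001", "time": "2024-05-01T09:40:00Z",
     "ip": "198.51.100.7", "lat": 52.3676, "lon": 4.9041, "os": "Linux"},
    # bob: same session from home and office in one metro area, three hours apart (benign)
    {"user": "bob@contoso.example", "sessionId": "sess-0002", "time": "2024-05-01T08:00:00Z",
     "ip": "192.0.2.44", "lat": 47.6062, "lon": -122.3321, "os": "Windows 11"},
    {"user": "bob@contoso.example", "sessionId": "sess-0002", "time": "2024-05-01T11:00:00Z",
     "ip": "192.0.2.45", "lat": 47.6101, "lon": -122.2015, "os": "Windows 11"},
    # carol: a single sign-in, nothing to compare against
    {"user": "carol@contoso.example", "sessionId": "sess-0003", "time": "2024-05-01T10:00:00Z",
     "ip": "203.0.113.99", "lat": 51.5074, "lon": -0.1278, "os": "iOS"},
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_session_replay(records, max_kmh=900.0, min_distance_km=100.0):
    """Return one finding per consecutive pair of sign-ins in the same (user, session)
    that came from different IPs and either imply travel faster than max_kmh over at
    least min_distance_km, or show a change of client OS mid-session.
    Thresholds are assumed tuning values; a sub-minute gap counts as unbounded speed."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[(rec["user"], rec["sessionId"])].append(rec)

    findings = []
    for (user, session_id), events in by_session.items():
        events.sort(key=lambda r: _parse_time(r["time"]))  # stable: ties keep input order
        for prev, cur in zip(events, events[1:]):
            if prev["ip"] == cur["ip"]:
                continue  # same source address: not a replay indicator on its own
            hours = (_parse_time(cur["time"]) - _parse_time(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")
            reasons = []
            if km >= min_distance_km and speed > max_kmh:
                reasons.append("impossible_travel")
            if prev["os"] != cur["os"]:
                reasons.append("device_mismatch")
            if reasons:
                findings.append({
                    "user": user, "sessionId": session_id,
                    "from_ip": prev["ip"], "to_ip": cur["ip"],
                    "distance_km": round(km, 1), "hours": round(hours, 2),
                    "speed_kmh": round(speed, 1) if hours > 0 else None,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in find_session_replay(SAMPLE_SIGNINS):
        print(finding)
```

Each finding names the session to revoke (the response is to revoke the user's sign-in sessions so the refresh token and PRT-derived tokens stop working) and the two source addresses to pivot on in the sign-in and audit logs. The OS check catches the common case where a browser cookie or refresh token lifted from a Windows endpoint is replayed from an attacker's Linux tooling without any geographic distance at all.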

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0
