## Overview
This lab deploys a complete detection stack for infostealer session hijacking to an existing Microsoft Sentinel workspace. Infostealers steal browser cookies and session tokens that carry MFA claims, allowing attackers to bypass authentication entirely. The detection rules focus on the behavioral anomalies that stolen token replay leaves in Entra ID non-interactive sign-in logs.
Blog post: Detecting Infostealer Session Hijacking with Microsoft Sentinel
Companion repo: j-dahl7/session-hijack-detection-sentinel
## Prerequisites
| Requirement | Details |
|---|---|
| Azure subscription | With Microsoft Sentinel enabled on a Log Analytics workspace |
| Entra ID P2 | For Identity Protection risk scoring and sign-in risk signals |
| Diagnostic settings | SigninLogs and NonInteractiveUserSignInLogs routed to the workspace |
| Azure CLI | az CLI authenticated with Sentinel Contributor or equivalent role |
| PowerShell 7+ | For running deployment and simulation scripts |
## Quick Start

```powershell
# Clone the companion repo
git clone https://github.com/j-dahl7/session-hijack-detection-sentinel.git
cd session-hijack-detection-sentinel

# Deploy to your Sentinel workspace
./scripts/Deploy-Lab.ps1 -ResourceGroup "rg-sentinel-lab" -WorkspaceName "law-sentinel-lab"

# Run the simulation
./scripts/Test-SessionHijack.ps1
```
## What Gets Deployed
| Resource | Type | MITRE |
|---|---|---|
| LAB - Token Replay from New Device or IP | Analytics Rule (High) | T1539, T1550.001 |
| LAB - Impossible Travel on Token Refresh | Analytics Rule (High) | T1539 |
| LAB - Anomalous Non-Interactive Sign-in Surge | Analytics Rule (Medium) | T1539, T1550.001 |
| LAB - Browser or OS Mismatch in Same Session | Analytics Rule (Medium) | T1539, T1550.001 |
| LAB - CAE Revocation Followed by New Location Auth | Analytics Rule (High) | T1539, T1550.001 |
| Session Hijack Threat Dashboard | Workbook | n/a |
## Test Scenarios

The `Test-SessionHijack.ps1` script generates benign telemetry that triggers the detection rules:

- Browser/OS fingerprint mismatch: Graph API calls with 5 different User-Agent headers
- Non-interactive sign-in surge: 30 rapid Graph API calls to exceed the baseline
- New IP token use: token activity from the current (potentially new) IP
- Impossible travel: manual step using a VPN or Azure Cloud Shell from a different region
All 5 rules have been validated with real incidents. LAB - Token Replay from New Device or IP typically fires first. The surge and fingerprint rules follow with repeated simulation runs. For impossible travel, connect to a VPN in a different city and run a Graph API call. For CAE correlation, revoke sessions and re-authenticate from a different IP.
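To make the logic behind two of these rules concrete, the following Python model is an added example, not code from the companion repo and not the lab's KQL. It runs the "new device or IP against a per-user baseline" check and the "browser/OS mismatch within one session" check over a small constructed set of records shaped like Entra ID non-interactive sign-in rows. The 14-day baseline, 1-day detection window, record field names and sample values are all assumptions for illustration; the lab's actual rules may use different windows and columns.

```python
"""Model of two session-hijack detections over constructed sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed windows: a 14-day baseline of known IPs/devices per user, evaluated
# against the most recent day of activity. The lab's own thresholds may differ.
LOOKBACK = timedelta(days=14)
DETECT_WINDOW = timedelta(days=1)

BASE = datetime(2024, 6, 1, tzinfo=timezone.utc)
NOW = BASE + timedelta(days=15)


def make(upn, ip, browser, os_name, session, when):
    """Build one constructed sign-in record (field names loosely follow Entra ID logs)."""
    return {"UserPrincipalName": upn, "IPAddress": ip, "Browser": browser,
            "OperatingSystem": os_name, "SessionId": session, "TimeGenerated": when}


# Constructed sample data: alice signs in daily from one IP/device for two weeks,
# then the same session id appears from a new IP with a different browser/OS
# (the pattern stolen-token replay leaves). bob only ever uses one IP/device.
SAMPLE_SIGNINS = [
    make("alice@contoso.example", "203.0.113.10", "Chrome 124", "Windows 11",
         "sess-a1", BASE + timedelta(days=d, hours=9))
    for d in range(14)
] + [
    make("alice@contoso.example", "198.51.100.77", "Firefox 126", "Linux",
         "sess-a1", BASE + timedelta(days=14, hours=3)),
    make("bob@contoso.example", "203.0.113.20", "Edge 124", "Windows 11",
         "sess-b1", BASE + timedelta(days=13, hours=10)),
    make("bob@contoso.example", "203.0.113.20", "Edge 124", "Windows 11",
         "sess-b1", BASE + timedelta(days=14, hours=10)),
]


def split_windows(records, now=NOW):
    """Separate records into the baseline period and the recent detection window."""
    cutoff = now - DETECT_WINDOW
    baseline = [r for r in records
                if now - LOOKBACK - DETECT_WINDOW <= r["TimeGenerated"] < cutoff]
    recent = [r for r in records if cutoff <= r["TimeGenerated"] <= now]
    return baseline, recent


def build_baseline(baseline_records):
    """Per user, the set of IPs and (browser, OS) pairs seen during the baseline."""
    seen = defaultdict(lambda: {"ips": set(), "devices": set()})
    for r in baseline_records:
        entry = seen[r["UserPrincipalName"]]
        entry["ips"].add(r["IPAddress"])
        entry["devices"].add((r["Browser"], r["OperatingSystem"]))
    return seen


def detect_new_device_or_ip(records, now=NOW):
    """Flag recent sign-ins from an IP or browser/OS the user never used in the baseline.

    Users with no baseline history are skipped: a first-ever sign-in has nothing
    to compare against and would only generate noise.
    """
    baseline_records, recent = split_windows(records, now)
    baseline = build_baseline(baseline_records)
    alerts = []
    for r in recent:
        upn = r["UserPrincipalName"]
        if upn not in baseline:
            continue
        new_ip = r["IPAddress"] not in baseline[upn]["ips"]
        new_device = (r["Browser"], r["OperatingSystem"]) not in baseline[upn]["devices"]
        if new_ip or new_device:
            alerts.append({"user": upn, "ip": r["IPAddress"], "session": r["SessionId"],
                           "new_ip": new_ip, "new_device": new_device})
    return alerts


def detect_fingerprint_mismatch(records):
    """Flag any (user, session) that presents more than one browser/OS fingerprint.

    A legitimate session is bound to one client; two fingerprints on the same
    session id means the token is being used from somewhere it was not issued.
    """
    fingerprints = defaultdict(set)
    for r in records:
        fingerprints[(r["UserPrincipalName"], r["SessionId"])].add(
            (r["Browser"], r["OperatingSystem"]))
    return [{"user": u, "session": s, "fingerprints": sorted(f)}
            for (u, s), f in fingerprints.items() if len(f) > 1]


if __name__ == "__main__":
    for a in detect_new_device_or_ip(SAMPLE_SIGNINS):
        print("new device/IP:", a)
    for m in detect_fingerprint_mismatch(SAMPLE_SIGNINS):
        print("fingerprint mismatch:", m)
```

On the constructed data only alice's day-14 sign-in fires both checks; bob's second day, from the same IP and device as his baseline, produces nothing. The two checks correlate naturally: a new-IP alert whose session id also carries a fingerprint mismatch is a much stronger replay signal than either on its own, which is the kind of layering the lab's five rules are meant to provide.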
## Cost Estimate
This lab deploys only analytics rules and a workbook to an existing workspace. No additional Azure resources are created. The only cost is the Sentinel analytics rule evaluation, which is negligible.
## Cleanup

```powershell
./scripts/Deploy-Lab.ps1 -ResourceGroup "rg-sentinel-lab" -WorkspaceName "law-sentinel-lab" -Destroy
```
This removes all 5 analytics rules and the workbook. Diagnostic settings are not modified.
