Clixo

## Known Evilginx Redirect Patterns
index=web_proxy
 search url="*youtube.com/watch?v=dQw4w9WgXcQ*" OR url_path="*/aB12cD34*"
 stats count by src_ip, user, url
 sort - count

## Detection: Session Hijacking (Cookie used by new IP)
index=azure_logs sourcetype="am:signin"
 stats dc(ip_address) as unique_ips, values(ip_address) as ips, values(user_agent) as agents by correlation_id, user
 where unique_ips > 1
 rename correlation_id as "Session ID"
 table user, "Session ID", unique_ips, ips, agents

## Detection: Anomalous Multi-Account Sign-in from One IP
SigninLogs
 where TimeGenerated > ago(1d)
 summarize UserCount = dcount(UserPrincipalName) by IPAddress
 where UserCount > 3 // Adjust threshold based on your org size
 extend Location = LocationDetails_string
 order by UserCount desc

## Detection: Impossible Device Shift (User Agent Change)
// Find sessions where the User Agent changes mid-stream (common in Evilginx proxies)
SigninLogs
  where TimeGenerated > ago(24h)
  where ResultType == 0 // Successful sign-in
  summarize UserAgents = make_set(UserAgent), IPs = make_set(IPAddress), AppCount = dcount(AppDisplayName)
  by UserPrincipalName, CorrelationId
  where array_length(UserAgents) > 1 or array_length(IPs) > 1
  project TimeGenerated, UserPrincipalName, UserAgents, IPs, CorrelationId

## Splunk (SPL) Detections
Detection A: Okta Session Hijacking (Fingerprint Change)
This search looks for successful Okta events where the deviceToken remains the same, but the client.ipAddress or client.userAgent suddenly shifts.
Code snippet
index=okta sourcetype="OktaIM2:log" outcome.result=SUCCESS
| stats dc(client.ipAddress) as ip_count, values(client.ipAddress) as ips, dc(client.userAgent.rawUserAgent) as ua_count by authenticationContext.externalSessionId, user
| where ip_count > 1 OR ua_count > 1
| table user, authenticationContext.externalSessionId, ips, ua_count

Detection B: M365 Token Theft (New Device/Location)
Identifies a successful login where the MFA requirement was satisfied by a "Claim in the token" (meaning no actual MFA prompt happened) from an IP address the user has never used before.

## Microsoft Sentinel (KQL) Detections
Detection A: The "Impossible Travel" Session
Detects when a single session ID is used across two different IP addresses or geographic locations within a short window—a classic sign of a stolen cookie being "replayed."
Code snippet
// Detect session reuse from multiple IP addresses
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0 // Successful logins
| summarize IPCount = dcount(IPAddress), IPs = make_set(IPAddress), Locations = make_set(Location) by SessionId, UserPrincipalName
| where IPCount > 1
| project SessionId, UserPrincipalName, IPCount, IPs, Locations

## AiTM_Hunting_Queries.kql
1. Microsoft Sentinel (KQL) Detections
These queries target the Sign-in Logs and Audit Logs to find anomalies typical of a proxied session.
Detection A: The "Impossible Travel" Session
Detects when a single session ID is used across two different IP addresses or geographic locations within a short window—a classic sign of a stolen cookie being "replayed."
Code snippet
// Detect session reuse from multiple IP addresses
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0 // Successful logins
| summarize IPCount = dcount(IPAddress), IPs = make_set(IPAddress), Locations = make_set(Location) by SessionId, UserPrincipalName

## keybase.md.
### Keybase proof

I hereby claim:

  * I am clixo on github.
  * I am clixo (https://keybase.io/clixo) on keybase.
  * I have a public key ASBQjP6SfCKY78V2Yub07UzYHl9GA-4ODaoK6ymu1Wna4Ao

To claim this, I am signing this object:

## keybase.md

      
        
          
            
              
              1 file
            
          
          
            
              
              0 forks
            
          
            
              
                
                0 comments
              
            
          
            
              
              0 stars
            
          
        
        
          
              
          
          
            
                Clixo
                / keybase.md
            
            
              Created
              March 10, 2020 14:20
            
          
        
      
        

      
      
    Keybase proof

I hereby claim:

I am clixo on github.
I am clixo (https://keybase.io/clixo) on keybase.
I have a public key ASBQjP6SfCKY78V2Yub07UzYHl9GA-4ODaoK6ymu1Wna4Ao

To claim this, I am signing this object:
	index=web_proxy
	search url="youtube.com/watch?v=dQw4w9WgXcQ" OR url_path="/aB12cD34"
	stats count by src_ip, user, url
	sort - count
	SigninLogs
	where TimeGenerated > ago(1d)
	summarize UserCount = dcount(UserPrincipalName) by IPAddress
	where UserCount > 3 // Adjust threshold based on your org size
	extend Location = LocationDetails_string
	order by UserCount desc
	// Find sessions where the User Agent changes mid-stream (common in Evilginx proxies)
	SigninLogs
	where TimeGenerated > ago(24h)
	where ResultType == 0 // Successful sign-in
	summarize UserAgents = make_set(UserAgent), IPs = make_set(IPAddress), AppCount = dcount(AppDisplayName)
	by UserPrincipalName, CorrelationId
	where array_length(UserAgents) > 1 or array_length(IPs) > 1
	project TimeGenerated, UserPrincipalName, UserAgents, IPs, CorrelationId
	Detection A: Okta Session Hijacking (Fingerprint Change)
	This search looks for successful Okta events where the deviceToken remains the same, but the client.ipAddress or client.userAgent suddenly shifts.
	Code snippet
	index=okta sourcetype="OktaIM2:log" outcome.result=SUCCESS
	\| stats dc(client.ipAddress) as ip_count, values(client.ipAddress) as ips, dc(client.userAgent.rawUserAgent) as ua_count by authenticationContext.externalSessionId, user
	\| where ip_count > 1 OR ua_count > 1
	\| table user, authenticationContext.externalSessionId, ips, ua_count

	Detection B: M365 Token Theft (New Device/Location)
	Identifies a successful login where the MFA requirement was satisfied by a "Claim in the token" (meaning no actual MFA prompt happened) from an IP address the user has never used before.
	Detection A: The "Impossible Travel" Session
	Detects when a single session ID is used across two different IP addresses or geographic locations within a short window—a classic sign of a stolen cookie being "replayed."
	Code snippet
	// Detect session reuse from multiple IP addresses
	SigninLogs
	\| where TimeGenerated > ago(24h)
	\| where ResultType == 0 // Successful logins
	\| summarize IPCount = dcount(IPAddress), IPs = make_set(IPAddress), Locations = make_set(Location) by SessionId, UserPrincipalName
	\| where IPCount > 1
	\| project SessionId, UserPrincipalName, IPCount, IPs, Locations
	1. Microsoft Sentinel (KQL) Detections
	These queries target the Sign-in Logs and Audit Logs to find anomalies typical of a proxied session.
	Detection A: The "Impossible Travel" Session
	Detects when a single session ID is used across two different IP addresses or geographic locations within a short window—a classic sign of a stolen cookie being "replayed."
	Code snippet
	// Detect session reuse from multiple IP addresses
	SigninLogs
	\| where TimeGenerated > ago(24h)
	\| where ResultType == 0 // Successful logins
	\| summarize IPCount = dcount(IPAddress), IPs = make_set(IPAddress), Locations = make_set(Location) by SessionId, UserPrincipalName
	### Keybase proof

	I hereby claim:

	* I am clixo on github.
	* I am clixo (https://keybase.io/clixo) on keybase.
	* I have a public key ASBQjP6SfCKY78V2Yub07UzYHl9GA-4ODaoK6ymu1Wna4Ao

	To claim this, I am signing this object: