This note documents detection patterns related to MFA Bypass / Token Abuse within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | Critical | Session established after unusual token use or an MFA bypass; record LogonType, Logon ID and source address so the session can be tied to later events. |
| Security | 4648 | Logon with explicit credentials | Critical | An existing session supplied alternate credentials (runas, net use, scheduled task); often the step just before credentials or tickets are replayed elsewhere. |
| Security | 4672 | Special privileges assigned to new logon | Critical | Privileged token attached to a logon session; join it to the matching 4624 on Logon ID, not on account name. |
| Security | 4768 | Kerberos TGT requested | High | Start of the authentication chain in a domain; service tickets (4769) for an account with no recent 4768 on any DC point to an injected ticket. |
| Security | 4769 | Kerberos service ticket requested | High | Service access following ticket or token abuse; compare the requesting address with the account's usual host. |
| Sysmon | 1 | Process creation | Critical | Execution of token-manipulation tooling, with command line, hashes and parent process. |
| Security | 4688 | Process creation | High | Catches runas, token-theft utilities and browser token helpers; command-line auditing must be enabled to see arguments. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| MFA-protected account logs in from an unusual host | Session on that host without the expected interactive logon and MFA prompt | Critical | Strong bypass clue. |
| Token replay after an initial valid login | Same identity appears on a second host or from a second address shortly after a valid logon | Critical | Session or token theft indicator. |
| Elevated session without an interactive chain | 4672 whose Logon ID has no matching interactive 4624 from the user's own workstation | Critical | Token misuse signal. |
| Explicit credentials followed by a privileged action | 4648 shortly before an admin action by the target account | Critical | Common operator chain. |
| Browser token theft followed by cloud access | Cloud sign-in that continues a session with no matching host-side interactive logon | High | Common in current enterprise intrusions. |
| Short-lived privileged session | Burst of admin activity followed by immediate logoff | High | Typical attacker behavior. |
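The two chains from the indirect-indicator table, explicit credentials followed by a privileged logon for the target account and the same identity turning up on a second host minutes later, as a correlation run over constructed sample events. This is an added example, not code from the original note: the event records, host names, Logon IDs and the five- and ten-minute windows are assumed for illustration; the field names follow the Windows Security log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Field names follow the Windows
# Security log: 4648 carries SubjectUserName, TargetUserName and ProcessName;
# 4624 carries TargetUserName, TargetLogonId, LogonType and IpAddress;
# 4672 carries SubjectUserName and SubjectLogonId. "host" is the logging computer.
SAMPLE_EVENTS = [
    # alice logs on interactively at her workstation.
    {"time": "2026-03-07T09:00:00", "host": "WS01", "id": 4624, "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1", "LogonType": 2, "IpAddress": "-"},
    # alice's session supplies explicit credentials for svc-backup via runas.
    {"time": "2026-03-07T09:05:10", "host": "WS01", "id": 4648, "SubjectUserName": "alice",
     "TargetUserName": "svc-backup", "ProcessName": "C:\\Windows\\System32\\runas.exe"},
    # svc-backup lands on FS01 one second later and receives special privileges.
    {"time": "2026-03-07T09:05:11", "host": "FS01", "id": 4624, "TargetUserName": "svc-backup",
     "TargetLogonId": "0x5c0d2", "LogonType": 3, "IpAddress": "10.0.0.15"},
    {"time": "2026-03-07T09:05:11", "host": "FS01", "id": 4672, "SubjectUserName": "svc-backup",
     "SubjectLogonId": "0x5c0d2"},
    # alice's identity reappears over RDP on a second workstation seven minutes later.
    {"time": "2026-03-07T09:07:00", "host": "WS22", "id": 4624, "TargetUserName": "alice",
     "TargetLogonId": "0x77b10", "LogonType": 10, "IpAddress": "10.0.9.8"},
    # Benign admin: interactive logon plus 4672 with no preceding 4648 for the account.
    {"time": "2026-03-07T09:20:00", "host": "DC01", "id": 4624, "TargetUserName": "bob.admin",
     "TargetLogonId": "0x9a001", "LogonType": 2, "IpAddress": "-"},
    {"time": "2026-03-07T09:20:00", "host": "DC01", "id": 4672, "SubjectUserName": "bob.admin",
     "SubjectLogonId": "0x9a001"},
]

INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # console, RemoteInteractive (RDP), cached interactive


def _ts(event):
    return datetime.fromisoformat(event["time"])


def explicit_cred_privilege_chains(events, window=timedelta(minutes=5)):
    """4648 -> 4624 -> 4672 chain: explicit credentials are supplied for account T,
    a logon for T lands within `window`, and that logon session is granted special
    privileges. The 4624/4672 join is on Logon ID (LUID), not on account name, so an
    unrelated concurrent session for the same account cannot satisfy the chain."""
    ordered = sorted(events, key=_ts)
    logons = [e for e in ordered if e["id"] == 4624]
    privs_by_luid = {e["SubjectLogonId"]: e for e in ordered if e["id"] == 4672}
    hits = []
    for ex in (e for e in ordered if e["id"] == 4648):
        t0 = _ts(ex)
        for lg in logons:
            if lg["TargetUserName"] != ex["TargetUserName"]:
                continue
            if not t0 <= _ts(lg) <= t0 + window:
                continue
            if lg["TargetLogonId"] not in privs_by_luid:
                continue
            hits.append({
                "subject": ex["SubjectUserName"], "target": ex["TargetUserName"],
                "source_host": ex["host"], "dest_host": lg["host"],
                "logon_id": lg["TargetLogonId"], "process": ex.get("ProcessName", ""),
            })
    return hits


def rapid_multi_host_sessions(events, window=timedelta(minutes=10)):
    """Same identity appears elsewhere quickly: two interactive-class logons for one
    account on different hosts within `window`. Network (type 3) logons are ignored
    because a single workstation session normally fans out to many servers."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["id"] == 4624 and e["LogonType"] in INTERACTIVE_LOGON_TYPES:
            by_user[e["TargetUserName"]].append(e)
    hits = []
    for account, logons in by_user.items():
        for first, second in zip(logons, logons[1:]):
            delta = _ts(second) - _ts(first)
            if first["host"] != second["host"] and delta <= window:
                hits.append({
                    "account": account, "first_host": first["host"],
                    "second_host": second["host"], "second_ip": second["IpAddress"],
                    "seconds_apart": int(delta.total_seconds()),
                })
    return hits


if __name__ == "__main__":
    for hit in explicit_cred_privilege_chains(SAMPLE_EVENTS):
        print("4648->4624->4672 chain:", hit)
    for hit in rapid_multi_host_sessions(SAMPLE_EVENTS):
        print("identity on second host:", hit)
```

On the sample data the first function returns only the alice to svc-backup chain (bob.admin's 4672 has no preceding 4648) and the second flags only alice's WS01 to WS22 pair; svc-backup's type 3 logon is excluded on purpose. In production the same joins run against SubjectLogonId/TargetLogonId from the raw events, and the windows should be tuned per account class before alerting.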
Common Tools
| Tool | Usage |
|---|---|
| runas.exe | Alternate token use |
| mimikatz | Token manipulation / pass-the-ticket |
| Rubeus | Ticket/token abuse |
| browser token stealers | Session replay |
| PowerShell | Token impersonation helpers |
Relevant Artifacts
- Security Event IDs 4624, 4648, 4672, 4768, 4769
- Security Event ID 4688
- Sysmon Event ID 1
- Logon type correlation (interactive, network, remote interactive) against the account's normal pattern
- Logon ID (LUID) correlation between 4624, 4672 and the SubjectLogonId on later 4648 events
- Browser session artifacts
- EDR identity timeline
MITRE ATT&CK References
- T1550 Use Alternate Authentication Material
- T1134 Access Token Manipulation
- T1078 Valid Accounts
Decision Tree
- Which account is involved?
  - User
  - Admin
  - Service
- Is MFA expected for this account?
  - Yes
  - No
- Is the session origin expected?
  - Known host
  - New host
- Does a privileged action follow?
  - Yes
  - No
- Expand on:
  - Token source
  - Browser artifacts
  - Adjacent authentication events
- Scope:
  - Single replay
  - Multi-session abuse
  - Cloud + host overlap
Example Detection Templates
KQL
```kql
// Baseline view of logon, explicit-credential and special-privilege events.
SecurityEvent
| where EventID in (4624, 4648, 4672)
| project TimeGenerated, Computer, Account, TargetAccount, IpAddress, LogonType, EventID

// Explicit credential use: which session supplied alternate credentials,
// for which account, and from which process.
SecurityEvent
| where EventID == 4648
| project TimeGenerated, Computer, Account, TargetAccount, ProcessName
```
EQL
```eql
// Baseline: logon, explicit-credential and special-privilege events.
authentication where event.code in ("4624", "4648", "4672")

// Explicit credentials supplied for an account, followed within 10 minutes by a
// logon for that account. Join keys assume the winlogbeat/ECS mapping: on 4648 the
// account the credentials belong to is winlog.event_data.TargetUserName (user.name
// is the subject), while on 4624 user.name already holds the target account.
sequence with maxspan=10m
  [ authentication where event.code == "4648" ] by winlog.event_data.TargetUserName
  [ authentication where event.code == "4624" ] by user.name
```
Sigma
```yaml
title: MFA Bypass Token Abuse Detection
id: 2a7f4b61-mfa-token-abuse
status: experimental
description: Detects explicit-credential logons (4648) and special-privilege assignments (4672) that may indicate token abuse after an MFA bypass; correlate hits with the matching 4624 on Logon ID before escalating.
references:
  - https://attack.mitre.org/techniques/T1550/
  - https://attack.mitre.org/techniques/T1134/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4648
      - 4672
  condition: selection
fields:
  - EventID
  - SubjectUserName
  - TargetUserName
  - ProcessName
falsepositives:
  - Administrative use of runas and scheduled tasks
  - Service accounts that legitimately hold special privileges
level: high
tags:
  - attack.defense_evasion
  - attack.lateral_movement
  - attack.privilege_escalation
  - attack.t1550
  - attack.t1134
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Conditional access | Restrict sessions from unexpected devices, networks or locations | Critical | A replayed token is useless outside the context it was issued for |
| Token lifetime controls | Shorten session and refresh token lifetimes to reduce the replay window | High | Limits how long a stolen token stays usable |
| Alert on 4648 + privilege | Alert when a 4648 is followed by 4672 for the target account | Critical | High-value chain; low volume once service accounts are baselined |
| Session analytics | Detect impossible travel and overlapping sessions for one identity | High | Correlates cloud sign-ins with host logons |
| Protect browser tokens | Bind tokens to the device and restrict access to browser session stores | High | Removes the session-theft step that precedes cloud access |