T1528

Steal Application Access Token

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) Adversaries who steal account API tokens in cloud and containeriz...

Platforms: Containers, IaaS, Identity Provider, Office Suite, SaaS

47 Detections
4 Sources
2 Threat Actors

BY SOURCE

elastic: 24, sigma: 14, splunk_escu: 8, crowdstrike_cql: 1

PROCEDURES (34)

Auto-extracted keyword groupings, with the number of detections in each:

General Monitoring: 5 detections
Persist: 2 detections
Azure: 2 detections
Powershell: 2 detections
Oauth: 2 detections
Api: 2 detections
Token: 1 detection
Token: 1 detection
Lateral: 1 detection
Azure: 1 detection
Token: 1 detection
Credential: 1 detection
Privilege: 1 detection
Suspicious: 1 detection
Service: 1 detection
Oauth: 1 detection
Phish: 1 detection
Service: 1 detection
Impersonat: 1 detection
Phish: 1 detection
Privilege: 1 detection
Token: 1 detection
Api: 1 detection
File Monitoring: 1 detection
Aws: 1 detection
Persist: 1 detection
Lateral: 1 detection
Azure: 1 detection
Api: 1 detection
Oauth: 1 detection
Cloud: 1 detection
Suspicious: 1 detection
Impersonat: 1 detection
Aws: 1 detection

THREAT ACTORS (2)

DETECTIONS (47)

Each entry lists the detection name followed by its source and, where the source assigns one, its severity.

Anomalous Token (sigma, high)
Anonymous IP Address (sigma, high)
App Granted Microsoft Permissions (sigma, high)
Application URI Configuration Changes (sigma, high)
Azure AD Device Code Authentication (splunk_escu)
Azure AD OAuth Application Consent Granted By User (splunk_escu)
Azure AD User Consent Blocked for Risky Application (splunk_escu)
Azure AD User Consent Denied for OAuth Application (splunk_escu)
Azure Service Principal Sign-In Followed by Arc Cluster Credential Access (elastic, medium)
Delegated Permissions Granted For All Users (sigma, high)
End User Consent (sigma, low)
End User Consent Blocked (sigma, medium)
Entra ID Concurrent Sign-in with Suspicious Properties (elastic, high)
Entra ID Illicit Consent Grant via Registered Application (elastic, medium)
Entra ID Kali365 Default User-Agent Detected (elastic, high)
Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource (elastic, medium)
Entra ID OAuth Device Code Flow with Concurrent Sign-ins (elastic, high)
Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (elastic, high)
Entra ID OAuth Phishing via First-Party Microsoft Application (elastic, medium)
Entra ID OAuth PRT Issuance to Non-Managed Device Detected (elastic, medium)
Entra ID User Added as Registered Application Owner (elastic, low)
Entra ID User Sign-in with Unusual Client (elastic, medium)
GitHub Authentication Token Access via Node.js (elastic, medium)
Google Workspace User Login with Unusual ASN (elastic, low)
HackTool - Koh Default Named Pipe (sigma, critical)
Kubernetes and Cloud Credential Path Access via Process Arguments (elastic, high)
Kubernetes Service Account Secret Access (elastic, medium)
M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs (elastic, high)
M365 Identity OAuth Flow by User Sign-in to Device Registration (elastic, high)
M365 Identity OAuth Illicit Consent Grant by Rare Client and User (elastic, medium)
M365 Identity Unusual SSO Authentication Errors for User (elastic, medium)
Microsoft Graph Request User Impersonation by Unusual Client (elastic, low)
Microsoft Teams Sensitive File Access By Uncommon Applications (sigma, medium)
Multi-Cloud CLI Token and Credential Access Commands (elastic, high)
New GitHub Personal Access Token (PAT) Added (elastic, low)
O365 File Permissioned Application Consent Granted by User (splunk_escu)
O365 Mail Permissioned Application Consent Granted by User (splunk_escu)
O365 User Consent Blocked for Risky Application (splunk_escu)
O365 User Consent Denied for OAuth Application (splunk_escu)
OAuth2 Token Burst — Token Harvesting (Microsoft Defender for Identity) (crowdstrike_cql)
Potential Impersonation Attempt via Kubectl (elastic, medium)
Potentially Suspicious Command Targeting Teams Sensitive Files (sigma, medium)
Potentially Suspicious JWT Token Search Via CLI (sigma, medium)
Primary Refresh Token Access Attempt (sigma, high)
Renamed BrowserCore.EXE Execution (sigma, high)
Service Account Token or Certificate Access Followed by Kubernetes API Request (elastic, medium)
Suspicious Teams Application Related ObjectAcess Event (sigma, high)