Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access.
Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.
Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token. The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a link through Spearphishing Link to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through Application Access Token.(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)
Adversaries have been seen targeting Gmail, Microsoft Outlook, and Yahoo Mail users.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| identity_aware_proxy | Identity Aware Proxy | technique_scores | T1528 | Steal Application Access Token |
Comments
This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role.
References
|
| identity_aware_proxy | Identity Aware Proxy | technique_scores | T1528 | Steal Application Access Token |
Comments
Control can detect potentially malicious applications
References
|
| identityplatform | IdentityPlatform | technique_scores | T1528 | Steal Application Access Token |
Comments
Identity Platform integrates tightly with Google Cloud services, and it leverages industry standards like OAuth 2.0 and OpenID Connect, so it can be easily integrated with your custom backend. This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role.
References
|
| cloud_key_management | Cloud Key Management | technique_scores | T1528 | Steal Application Access Token |
Comments
Provides protection against attackers stealing application access tokens if they are stored within Cloud KMS.
References
|
| secret_manager | Secret Manager | technique_scores | T1528 | Steal Application Access Token |
Comments
This control can provide protection against attackers stealing application access tokens if they are stored within Secret Manager. Secret Manager significantly raises the bar for access of stored tokens by requiring legitimate credentials with proper authorization. Applications may have to be modified to take advantage of Secret Manager and may not always be possible to utilize.
References
|