T1550.001 Application Access Token Mappings

Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.

Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019)

In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)

OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)

For example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)

Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-16 Security and Privacy Attributes Protects T1550.001 Application Access Token
AC-17 Remote Access Protects T1550.001 Application Access Token
AC-19 Access Control for Mobile Devices Protects T1550.001 Application Access Token
AC-20 Use of External Systems Protects T1550.001 Application Access Token
CA-8 Penetration Testing Protects T1550.001 Application Access Token
CM-10 Software Usage Restrictions Protects T1550.001 Application Access Token
CM-11 User-installed Software Protects T1550.001 Application Access Token
CM-2 Baseline Configuration Protects T1550.001 Application Access Token
CM-6 Configuration Settings Protects T1550.001 Application Access Token
IA-2 Identification and Authentication (organizational Users) Protects T1550.001 Application Access Token
IA-4 Identifier Management Protects T1550.001 Application Access Token
SC-28 Protection of Information at Rest Protects T1550.001 Application Access Token
SC-8 Transmission Confidentiality and Integrity Protects T1550.001 Application Access Token
SI-12 Information Management and Retention Protects T1550.001 Application Access Token
SI-4 System Monitoring Protects T1550.001 Application Access Token
SI-7 Software, Firmware, and Information Integrity Protects T1550.001 Application Access Token
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1550.001 Use Alternate Authentication Material: Application Access Token