Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.
In Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)
Token theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.
Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a Spearphishing Link to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through Application Access Token.(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)
Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-10 | Concurrent Session Control | Protects | T1528 | Steal Application Access Token | |
| AC-02 | Account Management | Protects | T1528 | Steal Application Access Token | |
| AC-03 | Access Enforcement | Protects | T1528 | Steal Application Access Token | |
| AC-04 | Information Flow Enforcement | Protects | T1528 | Steal Application Access Token | |
| AC-05 | Separation of Duties | Protects | T1528 | Steal Application Access Token | |
| AC-06 | Least Privilege | Protects | T1528 | Steal Application Access Token | |
| CA-07 | Continuous Monitoring | Protects | T1528 | Steal Application Access Token | |
| CA-08 | Penetration Testing | Protects | T1528 | Steal Application Access Token | |
| CM-02 | Baseline Configuration | Protects | T1528 | Steal Application Access Token | |
| CM-05 | Access Restrictions for Change | Protects | T1528 | Steal Application Access Token | |
| CM-06 | Configuration Settings | Protects | T1528 | Steal Application Access Token | |
| IA-02 | Identification and Authentication (organizational Users) | Protects | T1528 | Steal Application Access Token | |
| IA-04 | Identifier Management | Protects | T1528 | Steal Application Access Token | |
| IA-05 | Authenticator Management | Protects | T1528 | Steal Application Access Token | |
| IA-08 | Identification and Authentication (non-organizational Users) | Protects | T1528 | Steal Application Access Token | |
| RA-05 | Vulnerability Monitoring and Scanning | Protects | T1528 | Steal Application Access Token | |
| SA-11 | Developer Testing and Evaluation | Protects | T1528 | Steal Application Access Token | |
| SA-15 | Development Process, Standards, and Tools | Protects | T1528 | Steal Application Access Token | |
| SI-04 | System Monitoring | Protects | T1528 | Steal Application Access Token | |
| PUR-AS-E5 | Audit Solutions | Technique Scores | T1528 | Steal Application Access Token |
Comments
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.
Microsoft's Audit Solutions protects from Steal Application Access Token attacks due to Audit Solutions providing the visibility to allow admins to audit all cloud accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Additionally, admins can perform an audit of all OAuth applications and the permissions they have been granted to access organizational data.
License Requirements:
Microsoft 365 E3 and E5
References
|
| ME-RBAC-E3 | Role Based Access Control | Technique Scores | T1528 | Steal Application Access Token |
Comments
The RBAC control can be used to implement the principle of least privilege, limiting accounts with access to application tokens. This receives a score of Partial for its ability to minimize the attack surface of accounts this ability.
License Requirements:
ME-ID Built-in Roles (Free)
References
|
| DEF-SIM-E5 | ATT&CK Simulation Training | Technique Scores | T1528 | Steal Application Access Token |
Comments
M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule. This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities.
The following social engineering techniques are available:
Credential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.
Malware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.
Link in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.
Link to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.
Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.
OAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.
License Requirements:
Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
References
|
| DEF-SIM-E5 | ATT&CK Simulation Training | Technique Scores | T1528 | Steal Application Access Token |
Comments
M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule. This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities.
The following social engineering techniques are available:
Credential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.
Malware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.
Link in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.
Link to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.
Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.
OAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.
License Requirements:
Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
References
|
| DO365-AG-E5 | App Governance | Technique Scores | T1528 | Steal Application Access Token |
Comments
App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization
App Governance Detects Steal Application Access Token attacks due to App Governance tracking various app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk.
License Requirements:
Microsoft Defender for Cloud Apps
References
|