Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.
For example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container's token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts) Similarly, instances within continuous integration / continuous delivery (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.(Citation: Cider Security Top 10 CICD Security Risks) If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges.
Token theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.
Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a Spearphishing Link to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through Application Access Token.(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)
Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user.
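As an added example (not part of the ATT&CK page, and not any vendor's own query), the following Python flags consent events in which a regular user granted a third-party app long-lived, data-reading delegated permissions, which is the grant the consent-phishing flow above is designed to obtain; the record format, field names and sample events are constructed for this example and are not a real audit-log schema.

```python
import json
from typing import Dict, List

# Constructed sample consent-audit records for this example. The shape loosely
# follows Entra ID "Consent to application" audit events, but the field names
# used here are assumptions, not a guaranteed schema.
SAMPLE_EVENTS = [
    '{"operation": "Consent to application", "user": "alice@example.test", '
    '"app": "Contoso Expense Sync", "actor_is_admin": true, "scope": "User.Read"}',
    '{"operation": "Consent to application", "user": "bob@example.test", '
    '"app": "Mail Helper", "actor_is_admin": false, "scope": "Mail.Read offline_access"}',
    '{"operation": "Add user", "user": "admin@example.test"}',
    '{"operation": "Consent to application", "user": "carol@example.test", '
    '"app": "Calendar Widget", "actor_is_admin": false, "scope": "Calendars.Read"}',
]

# Delegated Microsoft Graph scopes that let a third-party app read user data.
# offline_access is the important one: it returns a refresh token, so the app's
# access outlives a single access-token lifetime (the refresh-token case the
# technique description calls out).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                    "Files.ReadWrite.All", "Contacts.Read", "offline_access"}


def risky_scopes(scope_field: str) -> List[str]:
    """Return the high-risk scopes present in a space-separated scope string."""
    return sorted(s for s in scope_field.split() if s in HIGH_RISK_SCOPES)


def flag_user_consents(lines: List[str]) -> List[Dict]:
    """Flag consent events where a non-admin user granted a high-risk scope."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        # Admin-granted consents are skipped: they pass through the
        # administrative review path that forced admin consent enforces.
        if ev.get("operation") != "Consent to application" or ev.get("actor_is_admin"):
            continue
        hits = risky_scopes(ev.get("scope", ""))
        if hits:
            findings.append({"user": ev["user"], "app": ev["app"], "scopes": hits,
                             "persistent": "offline_access" in hits})
    return findings


if __name__ == "__main__":
    for finding in flag_user_consents(SAMPLE_EVENTS):
        print(finding)
```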
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.CM-01.05 | Website and service blocking | Mitigates | T1528 | Steal Application Access Token | This diagnostic statement provides for implementing tools and measures, such as preventing users from authorizing third-party apps and forcing administrative consent for all requests, that can help prevent token theft. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1528 | Steal Application Access Token | This diagnostic statement protects against Steal Application Access Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1528 | Steal Application Access Token |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1528 | Steal Application Access Token | The Microsoft Sentinel Hunting "Consent to Application discovery" query can identify recent permissions granted by a user to a particular app. |
azure_key_vault | Azure Key Vault | technique_scores | T1528 | Steal Application Access Token | This control can provide protection against attackers stealing application access tokens if the tokens are stored within Azure Key Vault. Key Vault significantly raises the bar for access to stored tokens by requiring legitimate credentials with proper authorization. Applications may have to be modified to take advantage of Key Vault, and doing so may not always be possible. |
azure_role_based_access_control | Azure Role-Based Access Control | technique_scores | T1528 | Steal Application Access Token | This control can be used to limit the number of users who are authorized to grant consent to applications for accessing organizational data. This reduces the likelihood that a user is fooled into granting consent to a malicious application that then uses the user's OAuth access token to access organizational data. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
cloud_key_management | Cloud Key Management | technique_scores | T1528 | Steal Application Access Token | Provides protection against attackers stealing application access tokens if the tokens are stored within Cloud KMS. |
identity_aware_proxy | Identity Aware Proxy | technique_scores | T1528 | Steal Application Access Token | This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role. |
identity_aware_proxy | Identity Aware Proxy | technique_scores | T1528 | Steal Application Access Token | This control can detect potentially malicious applications. |
identity_platform | Identity Platform | technique_scores | T1528 | Steal Application Access Token | Identity Platform integrates tightly with Google Cloud services and leverages industry standards such as OAuth 2.0 and OpenID Connect, so it can be easily integrated with a custom backend. This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role. |
secret_manager | Secret Manager | technique_scores | T1528 | Steal Application Access Token | This control can provide protection against attackers stealing application access tokens if the tokens are stored within Secret Manager. Secret Manager significantly raises the bar for access to stored tokens by requiring legitimate credentials with proper authorization. Applications may have to be modified to take advantage of Secret Manager, and doing so may not always be possible. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
aws_identity_and_access_management | AWS Identity and Access Management | technique_scores | T1528 | Steal Application Access Token | This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role. This recommendation is an IAM best practice but must be explicitly implemented by the application developer. |
aws_secrets_manager | AWS Secrets Manager | technique_scores | T1528 | Steal Application Access Token | This control may prevent theft of application access tokens by replacing those tokens with authenticated and encrypted API calls to AWS Secrets Manager. It is relevant for credentials stored in applications or configuration files, but not for credentials entered directly by a user. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PUR-AUS-E5 | Audit Solutions | Technique Scores | T1528 | Steal Application Access Token | Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization. Audit Solutions protects against Steal Application Access Token attacks by providing the visibility that allows admins to audit all cloud accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Additionally, admins can perform an audit of all OAuth applications and the permissions they have been granted to access organizational data. License requirements: Microsoft 365 E3 and E5. |
DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1528 | Steal Application Access Token | This control can restrict user app permissions, which can limit the potential for theft of application access tokens. |
DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1528 | Steal Application Access Token | This control can detect potentially risky apps. Relevant alerts include "Misleading publisher name for an Oauth app" and "Misleading OAuth app name". |
EID-IDSS-E3 | Identity Secure Score | Technique Scores | T1528 | Steal Application Access Token | This control's "Do not allow users to grant consent to unmanaged applications" recommendation can protect against an adversary constructing a malicious application designed to be granted access to resources with the target user's OAuth token, by ensuring users cannot be fooled into granting consent to the application. Because this is a recommendation, its score is capped at Partial. |
EID-RBAC-E3 | Role Based Access Control | Technique Scores | T1528 | Steal Application Access Token | The RBAC control can be used to implement the principle of least privilege, limiting the accounts with access to application tokens. It receives a score of Partial for its ability to minimize the attack surface by limiting the accounts that hold this ability. License requirements: ME-ID Built-in Roles (Free). |
DEF-APGV-E5 | App Governance | Technique Scores | T1528 | Steal Application Access Token | App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization. App Governance detects Steal Application Access Token attacks by tracking app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk. License requirements: Microsoft Defender for Cloud Apps. |
DEF-SIMT-E5 | ATT&CK Simulation Training | Technique Scores | T1528 | Steal Application Access Token | M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulations feature social engineering techniques and payloads, and can start on an automated schedule. This detection-focused security control partially improves an organization's security posture by continuously conducting attack simulations that fine-tune analytics and by providing hands-on training for users and cyber professionals to improve response capabilities. The following social engineering techniques are available: Credential Harvest (attempts to collect credentials by taking users to a familiar-looking website with input boxes to submit a username and password); Malware Attachment (adds a malicious attachment to a message; when the user opens the attachment, arbitrary code runs that helps the attacker compromise the target's device); Link in Attachment (a credential-harvest hybrid in which the attacker inserts a URL into an email attachment, and the URL follows the same technique as credential harvest); Link to Malware (runs arbitrary code from a file hosted on a well-known file-sharing service; the message sent to the user contains a link to this malicious file, and opening the file helps the attacker compromise the target's device); Drive-by URL (the malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device); OAuth Consent Grant (the malicious URL asks users to grant permissions to data for a malicious Azure application). License requirements: Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2. |