T1528 Steal Application Access Token

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.

For example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts) Similarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.(Citation: Cider Security Top 10 CICD Security Risks) If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges.

Token theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.

Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a Spearphishing Link to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through Application Access Token.(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)

Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
DE.CM-01.05 Website and service blocking Mitigates T1528 Steal Application Access Token
Comments
This diagnostic statement provides for implementing tools and measures such as disabling users from authorizing third-party apps and forcing administrative consent for all requests that can help prevent token theft.
References
    PR.AA-01.01 Identity and credential management Mitigates T1528 Steal Application Access Token
    Comments
    This diagnostic statement protects against Steal Application Access Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
    References

      NIST 800-53 Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      CA-07 Continuous Monitoring mitigates T1528 Steal Application Access Token
      CM-06 Configuration Settings mitigates T1528 Steal Application Access Token
      CM-05 Access Restrictions for Change mitigates T1528 Steal Application Access Token
      IA-05 Authenticator Management mitigates T1528 Steal Application Access Token
      IA-08 Identification and Authentication (Non-Organizational Users) mitigates T1528 Steal Application Access Token
      IA-13 Identity Providers and Authorization Servers mitigates T1528 Steal Application Access Token
      SA-15 Development Process, Standards, and Tools mitigates T1528 Steal Application Access Token
      IA-04 Identifier Management mitigates T1528 Steal Application Access Token
      RA-05 Vulnerability Monitoring and Scanning mitigates T1528 Steal Application Access Token
      CM-02 Baseline Configuration mitigates T1528 Steal Application Access Token
      CM-02 Baseline Configuration mitigates T1528 Steal Application Access Token
      SA-11 Developer Testing and Evaluation mitigates T1528 Steal Application Access Token
      IA-02 Identification and Authentication (Organizational Users) mitigates T1528 Steal Application Access Token
      SI-04 System Monitoring mitigates T1528 Steal Application Access Token
      AC-10 Concurrent Session Control mitigates T1528 Steal Application Access Token
      AC-02 Account Management mitigates T1528 Steal Application Access Token
      AC-03 Access Enforcement mitigates T1528 Steal Application Access Token
      AC-04 Information Flow Enforcement mitigates T1528 Steal Application Access Token
      AC-05 Separation of Duties mitigates T1528 Steal Application Access Token
      AC-06 Least Privilege mitigates T1528 Steal Application Access Token

      VERIS Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      action.malware.variety.Capture app data Capture data from application or system process related-to T1528 Steal Application Access Token

      Azure Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      microsoft_sentinel Microsoft Sentinel technique_scores T1528 Steal Application Access Token
      Comments
      The Microsoft Sentinel Hunting "Consent to Application discovery" query can identify recent permissions granted by a user to a particular app.
      References
      azure_key_vault Azure Key Vault technique_scores T1528 Steal Application Access Token
      Comments
      This control can provide protection against attackers stealing application access tokens if they are stored within Azure Key Vault. Key vault significantly raises the bar for access for stored tokens by requiring legitimate credentials with proper authorization. Applications may have to be modified to take advantage of Key Vault and may not always be possible to utilize.
      References
      azure_role_based_access_control Azure Role-Based Access Control technique_scores T1528 Steal Application Access Token
      Comments
      This control can be used to limit the number of users that are authorized to grant consent to applications for accessing organizational data. This can reduce the likelihood that a user is fooled into granting consent to a malicious application that then utilizes the user's OAuth access token to access organizational data.
      References

      GCP Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      cloud_key_management Cloud Key Management technique_scores T1528 Steal Application Access Token
      Comments
      Provides protection against attackers stealing application access tokens if they are stored within Cloud KMS.
      References
      identity_aware_proxy Identity Aware Proxy technique_scores T1528 Steal Application Access Token
      Comments
      This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role.
      References
      identity_aware_proxy Identity Aware Proxy technique_scores T1528 Steal Application Access Token
      Comments
      Control can detect potentially malicious applications
      References
      identity_platform Identity Platform technique_scores T1528 Steal Application Access Token
      Comments
      Identity Platform integrates tightly with Google Cloud services, and it leverages industry standards like OAuth 2.0 and OpenID Connect, so it can be easily integrated with your custom backend. This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role.
      References
      secret_manager Secret Manager technique_scores T1528 Steal Application Access Token
      Comments
      This control can provide protection against attackers stealing application access tokens if they are stored within Secret Manager. Secret Manager significantly raises the bar for access of stored tokens by requiring legitimate credentials with proper authorization. Applications may have to be modified to take advantage of Secret Manager and may not always be possible to utilize.
      References

      AWS Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      aws_identity_and_access_management AWS Identity and Access Management technique_scores T1528 Steal Application Access Token
      Comments
      This control may mitigate against application access token theft if the application is configured to retrieve temporary security credentials using an IAM role. This recommendation is a best practice for IAM but must be explicitly implemented by the application developer.
      References
      aws_secrets_manager AWS Secrets Manager technique_scores T1528 Steal Application Access Token
      Comments
      This control may prevent theft of application access tokens by replacing those tokens with authenticated and encrypted API calls to AWS Secrets Manager. This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.
      References

      M365 Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      PUR-AUS-E5 Audit Solutions Technique Scores T1528 Steal Application Access Token
      Comments
      Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization. Microsoft's Audit Solutions protects from Steal Application Access Token attacks due to Audit Solutions providing the visibility to allow admins to audit all cloud accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Additionally, admins can perform an audit of all OAuth applications and the permissions they have been granted to access organizational data. License Requirements: Microsoft 365 E3 and E5
      References
      DEF-CAPP-E5 Defender for Cloud Apps Technique Scores T1528 Steal Application Access Token
      DEF-CAPP-E5 Defender for Cloud Apps Technique Scores T1528 Steal Application Access Token
      Comments
      This control can detect potentially risky apps. Relevant alerts include "Misleading publisher name for an Oauth app" and "Misleading OAuth app name".
      References
      EID-IDSS-E3 Identity Secure Score Technique Scores T1528 Steal Application Access Token
      Comments
      This control's "Do not allow users to grant consent to unmanaged applications" recommendation can protect against an adversary constructing a malicious application designed to be granted access to resources with the target user's OAuth token by ensuring users can not be fooled into granting consent to the application. Due to this being a recommendation, its score is capped at Partial.
      References
      EID-RBAC-E3 Role Based Access Control Technique Scores T1528 Steal Application Access Token
      Comments
      The RBAC control can be used to implement the principle of least privilege, limiting accounts with access to application tokens. This receives a score of Partial for its ability to minimize the attack surface of accounts this ability. License Requirements: ME-ID Built-in Roles (Free)
      References
      DEF-APGV-E5 App Governance Technique Scores T1528 Steal Application Access Token
      Comments
      App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization App Governance Detects Steal Application Access Token attacks due to App Governance tracking various app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk. License Requirements: Microsoft Defender for Cloud Apps
      References
      DEF-SIMT-E5 ATT&CK Simulation Training Technique Scores T1528 Steal Application Access Token
      Comments
      M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule. This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. The following social engineering techniques are available: Credential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password. Malware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device. Link in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest. Link to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device. Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device. OAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application. License Requirements: Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
      References
      DEF-SIMT-E5 ATT&CK Simulation Training Technique Scores T1528 Steal Application Access Token
      Comments
      M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule. This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. The following social engineering techniques are available: Credential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password. Malware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device. Link in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest. Link to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device. Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device. OAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application. License Requirements: Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
      References