T1550.001 Application Access Token

Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.

Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019)

OAuth is one commonly implemented framework that issues tokens to users for access to systems. The identity provider and the resource provider work together under such a framework: the user is verified, the set of actions the user is allowed to perform is determined, and once identity is established the token authorizes those actions without the application ever handling the user's actual credentials. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)

For example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)

Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim's primary email, the adversary may be able to extend access to every other service to which the target subscribes by triggering forgotten-password routines. In AWS and GCP environments, adversaries can request a short-lived access token carrying the privileges of another account (an IAM role via sts:AssumeRole in AWS; a service account via the IAM Service Account Credentials API in GCP).(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured, for example by allowing every principal in an account to request a token for a particular role, an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)
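The misconfiguration described above (a role that any principal in the account, or any AWS principal at all, is allowed to assume) is visible in the role's trust policy before an adversary ever calls sts:AssumeRole. The following is an added example, not code from the mapping page or from any vendor tool: it audits a set of constructed trust-policy documents and flags wildcard principals, account-wide (root) principals in the audited account, and cross-account trusts that lack an sts:ExternalId condition. The account IDs, role names and the OWN_ACCOUNT value are placeholders.

```python
"""Audit IAM role trust policies for over-broad sts:AssumeRole grants.

Added example (not from the mapping page or any vendor tool). The trust-policy
documents below are constructed; account IDs and role names are placeholders.
"""
import fnmatch
import json
import re

OWN_ACCOUNT = "111111111111"  # assumption: the account whose roles are being audited

# Matches an account-wide principal: "123456789012" or "arn:aws:iam::123456789012:root".
ACCOUNT_ROOT = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::root)?$")

TRUST_POLICIES = {
    # Principal "*" with no Condition: any AWS principal anywhere may assume the role.
    "AnyoneCanAssume": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                       "Action": "sts:AssumeRole"}],
    },
    # Account root principal: every IAM user/role in the account that has
    # sts:AssumeRole in its own identity policy can obtain this role's credentials.
    "WholeAccountCanAssume": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"},
                       "Action": ["sts:AssumeRole", "sts:TagSession"]}],
    },
    # Third-party account trusted via a wildcard action and with no ExternalId.
    "VendorNoExternalId": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": "222222222222"},
                       "Action": "sts:*"}],
    },
    # Same vendor, but bound to an ExternalId: the expected shape for a cross-account trust.
    "VendorWithExternalId": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                       "Action": "sts:AssumeRole",
                       "Condition": {"StringEquals": {"sts:ExternalId": "vendor-unique-id"}}}],
    },
    # Service principal: not an AWS identity, out of scope for this check.
    "LambdaExecution": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_assume_role(stmt):
    """True if any Action pattern (possibly wildcarded, e.g. "sts:*") covers sts:AssumeRole."""
    return any(fnmatch.fnmatch("sts:assumerole", a.lower()) for a in _as_list(stmt.get("Action")))


def _aws_principals(stmt):
    """AWS identity principals of a statement ("*" is returned as-is; service principals are dropped)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []


def audit_trust_policy(role_name, policy, own_account=OWN_ACCOUNT):
    """Return (severity, role, principal, message) tuples for risky AssumeRole grants."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _allows_assume_role(stmt):
            continue
        condition = json.dumps(stmt.get("Condition", {})).lower()
        for principal in _aws_principals(stmt):
            if principal == "*":
                if condition == "{}":
                    findings.append(("CRITICAL", role_name, principal, "any AWS principal may assume this role"))
                else:
                    findings.append(("HIGH", role_name, principal, "wildcard principal; review the Condition block"))
                continue
            match = ACCOUNT_ROOT.match(principal)
            if not match:
                continue  # a specific user/role ARN is a scoped trust; not flagged here
            if match.group(1) == own_account:
                findings.append(("MEDIUM", role_name, principal,
                                 "every identity in the account with sts:AssumeRole in its own policy can obtain this role's credentials"))
            elif "sts:externalid" not in condition:
                findings.append(("HIGH", role_name, principal, "cross-account trust without an sts:ExternalId condition"))
    return findings


def audit_all(policies=TRUST_POLICIES):
    """Audit every role in the mapping and concatenate the findings."""
    findings = []
    for name, policy in policies.items():
        findings.extend(audit_trust_policy(name, policy))
    return findings


if __name__ == "__main__":
    for severity, role, principal, message in audit_all():
        print(f"{severity:8} {role:24} {principal:45} {message}")
```

Against the constructed policies the audit reports three findings: AnyoneCanAssume (CRITICAL), WholeAccountCanAssume (MEDIUM) and VendorNoExternalId (HIGH); the vendor role bound to an ExternalId and the Lambda service role produce nothing. In a live account the same function would be fed the AssumeRolePolicyDocument of each role returned by iam:ListRoles. The MEDIUM finding is the case the text describes: it is not exploitable by itself, but any identity policy in the account that grants sts:AssumeRole on "*" (a common shortcut) turns it into a privilege escalation path, so the two should be reviewed together.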

Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. For example, in AWS environments, an adversary who compromises a user's AWS API credentials may be able to call sts:GetFederationToken to create a federated user session; that session carries the same permissions as the original user but may persist even after the original user's credentials are deactivated.(Citation: Crowdstrike AWS User Federation Persistence) Additionally, access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.
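Both halves of the AWS case above (a GetFederationToken call from an ordinary IAM user, and a federated session that keeps working after that user's key has been disabled) leave traces in CloudTrail. The following is an added example, not Amazon's, CrowdStrike's or the mapping page's code: it runs two detections over constructed, trimmed CloudTrail-style records (real records carry many more fields; the account ID, user names and access key ID are placeholders). The first lists every GetFederationToken call with the requested session name and duration; the second correlates UpdateAccessKey/DeleteAccessKey events against later calls made by federated sessions whose sessionIssuer is the revoked user.

```python
"""Detect sts:GetFederationToken persistence in CloudTrail records.

Added example, not Amazon's or CrowdStrike's code. EVENTS below are constructed,
trimmed CloudTrail-style records (real records carry more fields); the account
ID, user names and access key ID are placeholders.
"""

FED_SESSION = {  # userIdentity block of the federated session minted below
    "type": "FederatedUser",
    "arn": "arn:aws:sts::111111111111:federated-user/backdoor",
    "sessionContext": {"sessionIssuer": {"type": "IAMUser", "userName": "alice"}},
}

EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    # alice's long-lived access key is used to mint a 36-hour federated session
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"name": "backdoor", "durationSeconds": 129600}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": FED_SESSION},
    # a responder deactivates alice's key ...
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "security-admin"},
     "requestParameters": {"userName": "alice", "accessKeyId": "AKIAEXAMPLEKEY000001", "status": "Inactive"}},
    # ... but the federated session keeps working
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "userIdentity": FED_SESSION},
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userIdentity": FED_SESSION},
]


def _issuer(event):
    """IAM user whose credentials created a federated session; None for other identity types."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "FederatedUser":
        return None
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def detect_federation_tokens(events):
    """Every GetFederationToken call. Expected only from identity-broker designs, rare from a plain IAM user."""
    hits = []
    for e in events:
        if e.get("eventSource") == "sts.amazonaws.com" and e.get("eventName") == "GetFederationToken":
            params = e.get("requestParameters") or {}
            hits.append({"time": e["eventTime"],
                         "issuer": e.get("userIdentity", {}).get("userName"),
                         "federated_name": params.get("name"),
                         "duration_s": params.get("durationSeconds")})
    return hits


def detect_orphaned_sessions(events):
    """Federated sessions still making calls after the issuing user's access key was disabled or deleted.

    Timestamps are compared as strings, which is valid for CloudTrail's fixed ISO-8601 UTC format.
    """
    revoked_at = {}  # userName -> earliest revocation time
    for e in events:
        if e.get("eventSource") != "iam.amazonaws.com":
            continue
        params = e.get("requestParameters") or {}
        deleted = e.get("eventName") == "DeleteAccessKey"
        disabled = e.get("eventName") == "UpdateAccessKey" and params.get("status") == "Inactive"
        # userName is absent when a principal updates its own key; those events are skipped here
        if (deleted or disabled) and params.get("userName"):
            user = params["userName"]
            revoked_at[user] = min(revoked_at.get(user, e["eventTime"]), e["eventTime"])
    hits = []
    for e in events:
        issuer = _issuer(e)
        if issuer in revoked_at and e["eventTime"] > revoked_at[issuer]:
            hits.append({"time": e["eventTime"], "issuer": issuer,
                         "session_arn": e["userIdentity"].get("arn"),
                         "call": f'{e["eventSource"]}:{e["eventName"]}'})
    return hits


if __name__ == "__main__":
    for hit in detect_federation_tokens(EVENTS):
        print("GetFederationToken:", hit)
    for hit in detect_orphaned_sessions(EVENTS):
        print("session outlived key revocation:", hit)
```

On the constructed records the first detection returns alice's single GetFederationToken call (session name "backdoor", 129600 seconds), and the second returns the two calls the federated session made after 11:00, when the key was set to Inactive. Deactivating or deleting the access key is the intuitive countermeasure the text warns about; the federated session's permissions are the intersection of the user's policies and the session policy, so the practical response is to delete the IAM user or to attach a Deny policy to it conditioned on aws:TokenIssueTime, and then to confirm with this second detection that the session has gone quiet.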


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.PS-06.01 | Secure SDLC process | Mitigates | T1550.001 | Application Access Token
    Comments: This diagnostic statement provides secure application development, such as implementing token binding strategies to help prevent the malicious use of application access tokens.
PR.DS-02.01 | Data-in-transit protection | Mitigates | T1550.001 | Application Access Token
    Comments: This diagnostic statement provides protection from adversaries that may bypass the authentication process and use stolen tokens. Various methods should be used to protect data in transit, including encryption, password hashing, and tokenization.
PR.DS-01.01 | Data-at-rest protection | Mitigates | T1550.001 | Application Access Token
    Comments: This diagnostic statement focuses on protecting data at rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1550.001 | Application Access Token
    Comments: This diagnostic statement protects against Application Access Token through key revocation and key management. Employing key protection strategies for key material, such as the keys used to generate or protect application access tokens, together with limitation to specific accounts and access control mechanisms, provides protection against adversaries trying to compromise application access tokens.
ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1550.001 | Application Access Token
    Comments: This diagnostic statement prevents adversaries from stealing application access tokens, bypassing regular authentication methods, and accessing restricted accounts and user credentials. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
ID.AM-08.05 | Data destruction procedures | Mitigates | T1550.001 | Application Access Token
    Comments: This diagnostic statement prevents adversaries from stealing application access tokens, bypassing regular authentication methods, and accessing restricted accounts and user credentials. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
PR.AA-01.01 | Identity and credential management | Mitigates | T1550.001 | Application Access Token
    Comments: This diagnostic statement protects against Application Access Token through hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
PR.PS-06.07 | Development and operational process alignment | Mitigates | T1550.001 | Application Access Token
    Comments: This diagnostic statement protects against Application Access Token through DevSecOps, a secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CM-06 | Configuration Settings | mitigates | T1550.001 | Application Access Token
AC-17 | Remote Access | mitigates | T1550.001 | Application Access Token
CM-10 | Software Usage Restrictions | mitigates | T1550.001 | Application Access Token
CM-11 | User-installed Software | mitigates | T1550.001 | Application Access Token
AC-19 | Access Control for Mobile Devices | mitigates | T1550.001 | Application Access Token
IA-04 | Identifier Management | mitigates | T1550.001 | Application Access Token
SC-28 | Protection of Information at Rest | mitigates | T1550.001 | Application Access Token
SI-12 | Information Management and Retention | mitigates | T1550.001 | Application Access Token
SC-08 | Transmission Confidentiality and Integrity | mitigates | T1550.001 | Application Access Token
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1550.001 | Application Access Token
AC-16 | Security and Privacy Attributes | mitigates | T1550.001 | Application Access Token
AC-20 | Use of External Systems | mitigates | T1550.001 | Application Access Token
CM-02 | Baseline Configuration | mitigates | T1550.001 | Application Access Token
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1550.001 | Application Access Token
SI-04 | System Monitoring | mitigates | T1550.001 | Application Access Token

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1550.001 | Application Access Token

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1550.001 | Application Access Token
    Comments: The Microsoft Sentinel Analytics "Azure DevOps - PAT used with Browser" query can identify potentially malicious usage of Personal Access Tokens intended for code or applications being used through a web browser.
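The Sentinel rule named above rests on one observation: a PAT is meant for git clients, build agents and scripts, so a request that authenticates with a PAT but arrives from a browser user agent is out of place. The following is an added example, not Microsoft's query or the mapping page's content: it applies that logic in Python over constructed Azure DevOps audit rows. The field names (ActorUPN, IpAddress, AuthenticationMechanism, UserAgent, ActionId) follow the AzureDevOpsAuditing table as the author understands it and are an assumption, as are the ActionId values and addresses in the rows.

```python
"""Python rendition of the "Azure DevOps - PAT used with Browser" detection idea.

Added example, not Microsoft's KQL. Field names follow the AzureDevOpsAuditing
table as the author understands it (assumption); the rows are constructed and
the user principal names, addresses and ActionId values are placeholders.
"""
from collections import defaultdict

SAMPLE_ROWS = [
    # PAT presented by git: the intended use
    {"TimeGenerated": "2024-05-01T08:00:00Z", "ActorUPN": "dev@example.com",
     "IpAddress": "203.0.113.10", "AuthenticationMechanism": "PAT_Unscoped",
     "UserAgent": "git/2.44.0", "ActionId": "Git.RefUpdatePoliciesBypassed"},
    # interactive browser session: a user token, not a PAT
    {"TimeGenerated": "2024-05-01T08:10:00Z", "ActorUPN": "dev@example.com",
     "IpAddress": "203.0.113.10", "AuthenticationMechanism": "UserAuthToken",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
     "ActionId": "Project.AreaPath.Create"},
    # the developer's PAT, presented by a browser from a new address late at night
    {"TimeGenerated": "2024-05-01T21:40:00Z", "ActorUPN": "dev@example.com",
     "IpAddress": "198.51.100.7", "AuthenticationMechanism": "PAT_Unscoped",
     "UserAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36",
     "ActionId": "Token.PatCreateEvent"},
    {"TimeGenerated": "2024-05-01T21:45:00Z", "ActorUPN": "dev@example.com",
     "IpAddress": "198.51.100.7", "AuthenticationMechanism": "PAT_Scoped",
     "UserAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36",
     "ActionId": "Git.RepositoryCreated"},
    # pipeline agent using a scoped PAT: expected
    {"TimeGenerated": "2024-05-01T22:00:00Z", "ActorUPN": "build-svc@example.com",
     "IpAddress": "203.0.113.55", "AuthenticationMechanism": "PAT_Scoped",
     "UserAgent": "AzurePipelines/1.0", "ActionId": "Pipelines.RunStarted"},
]


def is_pat_via_browser(row):
    """Core rule: PAT authentication (any PAT_* mechanism) combined with a browser user agent."""
    mechanism = row.get("AuthenticationMechanism") or ""
    user_agent = row.get("UserAgent") or ""
    return mechanism.startswith("PAT") and user_agent.startswith("Mozilla")


def pat_browser_hits(rows):
    """Rows that match the rule, in input order."""
    return [row for row in rows if is_pat_via_browser(row)]


def summarize_by_actor(rows):
    """Collapse hits per actor so an analyst sees count, source addresses and actions at a glance."""
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "actions": set(), "first": None, "last": None})
    for row in pat_browser_hits(rows):
        entry = summary[row["ActorUPN"]]
        entry["count"] += 1
        entry["ips"].add(row["IpAddress"])
        entry["actions"].add(row["ActionId"])
        entry["first"] = min(entry["first"] or row["TimeGenerated"], row["TimeGenerated"])
        entry["last"] = max(entry["last"] or row["TimeGenerated"], row["TimeGenerated"])
    return dict(summary)


if __name__ == "__main__":
    for actor, entry in summarize_by_actor(SAMPLE_ROWS).items():
        print(actor, entry)
```

On the constructed rows only the two late-evening events from dev@example.com match, and the summary shows one actor, one source address and two distinct actions. Two caveats for tuning: some non-browser tooling sends a Mozilla-prefixed user agent, so expect a short allow-list of known clients, and a stolen PAT driven from the adversary's own scripts never trips this rule at all, which is why the mapping scores it as a partial detection rather than a complete one.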

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
identity_aware_proxy | Identity Aware Proxy | technique_scores | T1550.001 | Application Access Token
    Comments: This control may mitigate or prevent the use of stolen application access tokens.
identity_platform | Identity Platform | technique_scores | T1550.001 | Application Access Token
    Comments: This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
aws_identity_and_access_management | AWS Identity and Access Management | technique_scores | T1550.001 | Application Access Token
    Comments: This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role. This recommendation is a best practice for IAM but must be explicitly implemented by the application developer.

M365 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
DEF-SSCO-E3 | Secure Score | Technique Scores | T1550.001 | Application Access Token
    Comments: Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action. To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
        Identity (Microsoft Entra accounts & roles)
        Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
        Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
        Data (through Microsoft Information Protection)
DEF-IR-E5 | Incident Response | Technique Scores | T1550.001 | Application Access Token
    Comments: An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes, which results in multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action. Microsoft Defender XDR Incident Response responds to application access token attacks because it monitors for the use of application access tokens to interact with resources or services in ways that do not fit the organization's baseline. License Requirements: Microsoft Defender XDR