Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.
For example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)
Similarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.(Citation: Cider Security Top 10 CICD Security Risks) If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges.
In Azure, an adversary who compromises a resource with an attached Managed Identity, such as an Azure VM, can request short-lived tokens through the Azure Instance Metadata Service (IMDS). These tokens can then facilitate unauthorized actions or further access to other Azure services, bypassing typical credential-based authentication.(Citation: Entra Managed Identities 2025)(Citation: SpecterOps Managed Identity 2022)
Token theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.
Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a Spearphishing Link to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through Application Access Token.(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)
Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-08 | User Access Review | mitigates | T1528 | Steal Application Access Token |
Comments
This control describes the periodic review and validation of user access by centralizing access management, automating review processes, and continuously monitoring for unauthorized activities. These mitigative actions ensure that access rights remain appropriate, obsolete or excessive privileges are removed, and potential security access risks are promptly identified and mitigated. For this technique, administrators should perform automated reviews of all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate.
References
|
| LOG-08 | Audit Logs Sanitization | mitigates | T1528 | Steal Application Access Token |
Comments
This control requires organizations to implement technical measures that automatically detect and remove sensitive data from logs to prevent unauthorized exposure. Log Sanitization may help mitigate risks from Unsecured Credentials (T1552), where attackers target logs for sensitive information such as credentials or access tokens.
References
|
| DSP-17 | Sensitive Data Protection | mitigates | T1528 | Steal Application Access Token |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment. In terms of mitigation, enforcing role-based access control can limit accounts to the least privileges they require. A Cloud Access Security Broker (CASB) can be used to set usage policies and manage user permissions on cloud applications to prevent access to application access tokens.
References
|
| AIS-04 | Secure Application Design and Development | mitigates | T1528 | Steal Application Access Token |
Comments
This control requires both Cloud Service Providers and customers to implement a Secure Software Development Lifecycle (SSDLC) with security practices throughout the entire application development process to protect cloud-based applications from cyber threats. Adversaries can steal application access tokens as a means of acquiring credentials. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications. The SSDLC process should ensure that applications APIs, and applications access tokens are securely created and protected in their cloud environments.
References
|
| AIS-02 | Application Security Baseline Requirements | mitigates | T1528 | Steal Application Access Token |
Comments
This control guidance requires organizations to establish security baseline requirements for different cloud applications. Security requirement examples include access control, encryption, and configuration management for applications. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS). The baseline security requirements outlined in the implementation guidance can be used to set usage limits and manage user permissions on cloud applications to prevent access to application access tokens.
References
|