T1528 Steal Application Access Token Mappings

Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access.

Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example of a commonly used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.

Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token. The adversary will need to complete registration of their application with the authorization server (for example, the Microsoft Identity Platform, using the Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls).(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a link through Spearphishing Link to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through Application Access Token.(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)

Adversaries have been seen targeting Gmail, Microsoft Outlook, and Yahoo Mail users.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017)


Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-10 Concurrent Session Control Protects T1528 Steal Application Access Token
AC-2 Account Management Protects T1528 Steal Application Access Token
AC-3 Access Enforcement Protects T1528 Steal Application Access Token
AC-4 Information Flow Enforcement Protects T1528 Steal Application Access Token
AC-5 Separation of Duties Protects T1528 Steal Application Access Token
AC-6 Least Privilege Protects T1528 Steal Application Access Token
CA-7 Continuous Monitoring Protects T1528 Steal Application Access Token
CA-8 Penetration Testing Protects T1528 Steal Application Access Token
CM-2 Baseline Configuration Protects T1528 Steal Application Access Token
CM-5 Access Restrictions for Change Protects T1528 Steal Application Access Token
CM-6 Configuration Settings Protects T1528 Steal Application Access Token
IA-2 Identification and Authentication (Organizational Users) Protects T1528 Steal Application Access Token
IA-4 Identifier Management Protects T1528 Steal Application Access Token
IA-5 Authenticator Management Protects T1528 Steal Application Access Token
IA-8 Identification and Authentication (Non-Organizational Users) Protects T1528 Steal Application Access Token
RA-5 Vulnerability Monitoring and Scanning Protects T1528 Steal Application Access Token
SA-11 Developer Testing and Evaluation Protects T1528 Steal Application Access Token
SA-15 Development Process, Standards, and Tools Protects T1528 Steal Application Access Token
SI-4 System Monitoring Protects T1528 Steal Application Access Token
azure_sentinel Azure Sentinel technique_scores T1528 Steal Application Access Token
Comments
The Azure Sentinel Hunting "Consent to Application discovery" query can identify recent permissions granted by a user to a particular app.
role_based_access_control Role Based Access Control technique_scores T1528 Steal Application Access Token
Comments
This control can be used to limit the number of users that are authorized to grant consent to applications for accessing organizational data. This can reduce the likelihood that a user is fooled into granting consent to a malicious application that then utilizes the user's OAuth access token to access organizational data.
cloud_app_security_policies Cloud App Security Policies technique_scores T1528 Steal Application Access Token
Comments
This control can detect potentially risky apps. Relevant alerts include "Misleading publisher name for an OAuth app" and "Misleading OAuth app name".
azure_ad_identity_secure_score Azure AD Identity Secure Score technique_scores T1528 Steal Application Access Token
Comments
This control's "Do not allow users to grant consent to unmanaged applications" recommendation can protect against an adversary constructing a malicious application designed to be granted access to resources with the target user's OAuth token, because users cannot be fooled into granting consent to the application. Because this is a recommendation rather than an enforced control, its score is capped at Partial.
azure_key_vault Azure Key Vault technique_scores T1528 Steal Application Access Token
Comments
This control can provide protection against attackers stealing application access tokens if the tokens are stored within Azure Key Vault. Key Vault significantly raises the bar for access to stored tokens by requiring legitimate credentials with proper authorization. Applications may have to be modified to take advantage of Key Vault, which may not always be possible.
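An added example, not part of the MITRE/CTID mapping page, of the kind of check the "Consent to Application discovery" hunt above performs: it parses constructed, simplified audit records (the real AuditLogs schema is richer) and flags consent grants that combine the durable or broad permissions a consent-phishing app asks for (offline_access yields a refresh token, so access outlives the session that approved it) with an unverified publisher or tenant-wide consent. The record fields, sample values and the RISKY_SCOPES list are assumptions.

```python
"""Flag risky OAuth consent grants in constructed Azure AD-style audit records."""
import json

# Delegated scopes that give durable or broad access to user data (assumed list).
RISKY_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Contacts.Read"}

# Constructed sample records in a simplified schema, one JSON object per line.
SAMPLE_LOG = """\
{"operationName": "Consent to application", "user": "alice@example.com", "app": "Mail Cleanup Helper", "appId": "11111111-aaaa-4bbb-8ccc-000000000001", "publisherVerified": false, "consentType": "Principal", "scope": "openid profile offline_access Mail.Read"}
{"operationName": "Consent to application", "user": "bob@example.com", "app": "Corporate Timesheet", "appId": "22222222-aaaa-4bbb-8ccc-000000000002", "publisherVerified": true, "consentType": "Principal", "scope": "openid profile User.Read"}
{"operationName": "Add app role assignment grant to user", "user": "carol@example.com", "app": "Corporate Timesheet", "appId": "22222222-aaaa-4bbb-8ccc-000000000002", "publisherVerified": true, "consentType": "Principal", "scope": "User.Read"}
{"operationName": "Consent to application", "user": "dave@example.com", "app": "Mailbox Sync", "appId": "33333333-aaaa-4bbb-8ccc-000000000003", "publisherVerified": true, "consentType": "Principal", "scope": "Mail.ReadWrite offline_access"}
"""

def parse_consent_events(text):
    """Return only the consent-grant records, parsed as dicts."""
    events = []
    for line in filter(None, text.splitlines()):
        rec = json.loads(line)
        if rec.get("operationName") == "Consent to application":
            events.append(rec)
    return events

def assess_consent(rec):
    """Return the reasons a grant deserves analyst review (empty list = no finding)."""
    reasons = []
    risky = sorted(set(rec.get("scope", "").split()) & RISKY_SCOPES)
    if risky:
        reasons.append("high-impact scopes: " + ", ".join(risky))
    if not rec.get("publisherVerified", False):
        reasons.append("unverified publisher")
    if rec.get("consentType") == "AllPrincipals":
        reasons.append("tenant-wide (admin) consent")
    return reasons

def find_risky_consents(text):
    """Return one finding per consent grant that has at least one reason."""
    findings = []
    for rec in parse_consent_events(text):
        reasons = assess_consent(rec)
        if reasons:
            findings.append({"user": rec["user"], "app": rec["app"],
                             "appId": rec["appId"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_risky_consents(SAMPLE_LOG):
        print(f"{f['user']} -> {f['app']} ({f['appId']}): {'; '.join(f['reasons'])}")
```

Grants with only basic scopes from a verified publisher (bob's record) produce no finding, and non-consent operations (carol's record) are ignored, which keeps the output focused on the grants the RBAC and Secure Score controls above aim to prevent.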