T1528
Steal Application Access Token
Description
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.

For example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container's token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)

Similarly, instances within continuous integration / continuous delivery (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.(Citation: Cider Security Top 10 CICD Security Risks) If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges.

In Azure, an adversary who compromises a resource with an attached Managed Identity, such as an Azure VM, can request short-live…
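As an added example (not part of the ATT&CK page or any project's code), the following Python audits a Kubernetes service account token of the kind described above. It locates the token at the default in-pod mount path, decodes the JWT claims without verifying the signature (only the API server can verify it), and reports the properties that decide how damaging a stolen copy is: a legacy token with no expiry, a token not bound to a pod, a token with no audience, and a token with a very long remaining lifetime. The sample tokens are constructed inline and signed with a throwaway HS256 key purely so the block runs offline (real tokens are RS256-signed by the API server); the namespace, pod and account names and the 24-hour lifetime threshold are assumptions.

```python
"""Audit a Kubernetes service account token for T1528 exposure.

Added example. Decodes the token's claims (no signature verification)
and flags what makes a stolen copy more valuable to an adversary.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Default path where Kubernetes projects a pod's service account token.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
MAX_OK_LIFETIME = 24 * 3600  # assumption: flag tokens valid for more than 24 h
NOW = 1_700_000_000           # fixed "current time" for the constructed samples


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_mounted_token(path: str = SA_TOKEN_PATH) -> Optional[str]:
    """Return the projected token if this process runs in a pod, else None."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def decode_claims(token: str) -> dict:
    """Return the JWT payload. The signature is NOT checked: this is an
    audit of what the token claims, not validation of its authenticity."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def audit_token(token: str, now: Optional[float] = None) -> dict:
    """Summarize what a stolen copy of `token` would grant an adversary."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    bound = claims.get("kubernetes.io") or {}   # present only on bound tokens
    findings = []
    if "exp" not in claims:
        findings.append("legacy token: no expiry, valid until its Secret is deleted")
    elif claims["exp"] - now > MAX_OK_LIFETIME:
        findings.append(f"long-lived token: {(claims['exp'] - now) / 3600:.0f} h remaining")
    if not bound.get("pod"):
        findings.append("not pod-bound: still usable after the pod is gone")
    if not claims.get("aud"):
        findings.append("no audience: accepted by any service trusting the issuer")
    return {
        "subject": claims.get("sub"),
        "namespace": bound.get("namespace")
        or claims.get("kubernetes.io/serviceaccount/namespace"),
        "findings": findings,
    }


def _make_token(claims: dict) -> str:
    """Constructed sample token. Real SA tokens are RS256-signed by the API
    server; a throwaway HS256 key is used here only to stay self-contained."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, claims))
    sig = hmac.new(b"constructed-sample-key", signing_input.encode(), hashlib.sha256)
    return signing_input + "." + _b64url_encode(sig.digest())


# Constructed samples mirroring the two token formats Kubernetes issues.
LEGACY_TOKEN = _make_token({              # Secret-backed token, no expiry
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "payments",
    "kubernetes.io/serviceaccount/secret.name": "api-worker-token-x7k2p",
    "kubernetes.io/serviceaccount/service-account.name": "api-worker",
    "sub": "system:serviceaccount:payments:api-worker",
})
_BOUND_CLAIMS = {                          # projected, pod-bound token
    "aud": ["https://kubernetes.default.svc"],
    "exp": NOW + 3600, "iat": NOW, "nbf": NOW,
    "iss": "https://kubernetes.default.svc.cluster.local",
    "kubernetes.io": {"namespace": "payments",
                      "pod": {"name": "api-worker-6d4f9", "uid": "pod-uid"},
                      "serviceaccount": {"name": "api-worker", "uid": "sa-uid"}},
    "sub": "system:serviceaccount:payments:api-worker",
}
BOUND_TOKEN = _make_token(_BOUND_CLAIMS)
LONG_LIVED_TOKEN = _make_token({**_BOUND_CLAIMS, "exp": NOW + 365 * 86400})

if __name__ == "__main__":
    # Audit the real in-pod token if present, otherwise the constructed samples.
    mounted = read_mounted_token()
    for name, tok in ([("mounted", mounted)] if mounted else
                      [("legacy", LEGACY_TOKEN), ("bound", BOUND_TOKEN),
                       ("long-lived", LONG_LIVED_TOKEN)]):
        print(name, json.dumps(audit_token(tok, NOW if not mounted else None)))
```

Run inside a pod to see what its mounted token would give an attacker who read it; the same checks apply to a token recovered from a compromised CI runner. A short-lived, audience-restricted, pod-bound token limits the window and scope of T1528, which is the practical reason to prefer projected tokens and `automountServiceAccountToken: false` for pods that never call the API.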
Mitigations
- M1021 — Restrict Web-Based Content
- M1047 — Audit
- M1017 — User Training
- M1018 — User Account Management
Our coverage
- LummaC2 Infostealer Targets US Critical Infrastructure: CISA-FBI Advisory AA25-141B and DOJ Domain Seizures
- ConsentFix v3 Bypasses Azure MFA via Automated OAuth Abuse
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →