MITRE ATT&CK  /  T1550.001

T1550.001

Application Access Token

Description

Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019)OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)For example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Cita…

Platforms

Mitigations

• M1036 — Account Use Policies
• M1047 — Audit
• M1021 — Restrict Web-Based Content
• M1013 — Application Developer Guidance
• M1041 — Encrypt Sensitive Information

Our coverage

• ConsentFix v3 Bypasses Azure MFA via Automated OAuth Abuse

Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →