Behavioral Detection Strategy for Use Alternate Authentication Material: Application Access Token (T1550.001)

ID: DET0185
Domains: Enterprise
Analytics: AN0526, AN0527, AN0528, AN0529, AN0530
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0526

Use of AWS STS or GCP IAM APIs to request temporary tokens or federation sessions inconsistent with normal account activity, including from unexpected principals or regions.

Log Sources
Data Component | Name | Channel
Web Credential Usage (DC0007) | AWS:CloudTrail | AssumeRole, GetFederationToken, GetSessionToken
User Account Authentication (DC0002) | AWS:CloudTrail | sts:GetFederationToken

Mutable Elements
Field | Description
GeoIPDistanceThreshold | Distance between token creation and resource use locations
RoleScope | Limit scope of acceptable role assumptions by account type
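The following is an added example, not part of the DET0185 page and not MITRE's own code, showing how AN0526 can be evaluated over CloudTrail records. It ties temporary credentials returned by STS (responseElements.credentials.accessKeyId) to their later use (userIdentity.accessKeyId), compares the issuing and using locations against GeoIPDistanceThreshold, and checks region and role against a RoleScope baseline. The account id, principal and role names, the GeoIP lookup table and the sample records are all constructed for the example.

```python
import math

# GeoIPDistanceThreshold (constructed value): maximum km between the place temporary
# credentials were issued and the place they are later used.
GEOIP_DISTANCE_THRESHOLD_KM = 500.0

# RoleScope (constructed baseline, hypothetical account id and names): the regions a
# principal normally calls STS from and the roles it is permitted to assume.
CI_USER = "arn:aws:iam::111122223333:user/ci-deployer"
DEPLOY_ROLE = "arn:aws:iam::111122223333:role/DeployRole"
ROLE_SCOPE = {CI_USER: {"regions": {"us-east-1"}, "roles": {DEPLOY_ROLE}}}

# Stand-in for a GeoIP database (constructed): source IP -> (latitude, longitude).
GEOIP = {"203.0.113.10": (38.9, -77.0), "198.51.100.7": (52.5, 13.4)}

STS_TOKEN_EVENTS = {"AssumeRole", "GetFederationToken", "GetSessionToken"}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def find_anomalies(records):
    """Return (eventID, reason) pairs for CloudTrail records that violate the analytic.

    Records are expected in time order. Temporary credentials returned by STS carry an
    accessKeyId in responseElements; later calls made with them carry the same key in
    userIdentity.accessKeyId, which lets issuance and use be tied together.
    """
    findings = []
    issued_from = {}  # temporary accessKeyId -> source IP that requested it
    for r in records:
        ident = r.get("userIdentity") or {}
        if r.get("eventSource") == "sts.amazonaws.com" and r["eventName"] in STS_TOKEN_EVENTS:
            principal = ident.get("arn")
            scope = ROLE_SCOPE.get(principal)
            if scope is None:
                findings.append((r["eventID"], f"STS {r['eventName']} by unscoped principal {principal}"))
            else:
                if r["awsRegion"] not in scope["regions"]:
                    findings.append((r["eventID"], f"STS call from unexpected region {r['awsRegion']}"))
                role = (r.get("requestParameters") or {}).get("roleArn")
                if r["eventName"] == "AssumeRole" and role not in scope["roles"]:
                    findings.append((r["eventID"], f"role {role} outside RoleScope"))
            creds = (r.get("responseElements") or {}).get("credentials") or {}
            if creds.get("accessKeyId"):
                issued_from[creds["accessKeyId"]] = r["sourceIPAddress"]
        elif ident.get("accessKeyId") in issued_from:
            origin = GEOIP.get(issued_from[ident["accessKeyId"]])
            here = GEOIP.get(r["sourceIPAddress"])
            if origin and here:
                km = haversine_km(origin, here)
                if km > GEOIP_DISTANCE_THRESHOLD_KM:
                    findings.append((r["eventID"], f"temporary credentials used {km:.0f} km from issuance"))
    return findings


SAMPLE_RECORDS = [  # constructed CloudTrail records, not real telemetry
    {"eventID": "ev-1", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": CI_USER},
     "requestParameters": {"roleArn": DEPLOY_ROLE, "roleSessionName": "deploy"},
     "responseElements": {"credentials": {"accessKeyId": "ASIA-CONSTRUCTED-1"}}},
    {"eventID": "ev-2", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": CI_USER},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/AdminRole"},
     "responseElements": {"credentials": {"accessKeyId": "ASIA-CONSTRUCTED-2"}}},
    {"eventID": "ev-3", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIA-CONSTRUCTED-1"}},
    {"eventID": "ev-4", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIA-CONSTRUCTED-1"}},
]

if __name__ == "__main__":
    for event_id, reason in find_anomalies(SAMPLE_RECORDS):
        print(event_id, reason)
```

ev-2 is flagged twice (unexpected region and a role outside RoleScope); ev-3 is flagged because credentials issued from one location are used thousands of km away within the same session, while ev-4 uses them from the issuing location and is silent. In production the GEOIP table is replaced by a real lookup and ROLE_SCOPE is built from historical STS activity per principal.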

AN0527

OAuth or SAML access tokens reused across multiple sessions or clients without corresponding MFA or login activity.

Log Sources
Data Component | Name | Channel
Web Credential Usage (DC0007) | azure:signinlogs | TokenIssued, RefreshTokenUsed
User Account Authentication (DC0002) | m365:unified | Delegated permission grants without user login event

Mutable Elements
Field | Description
MFAEnforcement | Ensure MFA context exists prior to token issuance
TokenReuseWindow | Maximum acceptable window for refresh token reuse
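An added example for AN0527 (not part of the page, not MITRE's or any vendor's code): it walks token and login events in time order and raises a finding when a token is issued with no MFA-backed interactive login on record for the user (MFAEnforcement), when one refresh token is presented by more than one client, and when a refresh token is redeemed later than TokenReuseWindow after the user's last login. The event schema (event, time, user, client_id, token_id, mfa) is a simplified stand-in, not the sign-in log field names, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Mutable elements (constructed values): MFAEnforcement requires an MFA-backed interactive
# login before a token is issued; TokenReuseWindow bounds how long a refresh token may
# keep being redeemed without a fresh login.
MFA_ENFORCEMENT = True
TOKEN_REUSE_WINDOW = timedelta(hours=8)


def analyze_token_events(events):
    """Return (event_id, reason) pairs for token activity that lacks login/MFA context.

    Records use a simplified, constructed schema (event, time, user, client_id,
    token_id, mfa), not the vendor's sign-in log field names.
    """
    findings = []
    last_mfa_login = {}   # user -> time of the most recent MFA-backed interactive login
    token_clients = {}    # token_id -> set of client ids that have presented it
    for e in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        user, kind = e["user"], e["event"]
        if kind == "InteractiveLogin":
            if e.get("mfa"):
                last_mfa_login[user] = t
        elif kind == "TokenIssued":
            if MFA_ENFORCEMENT and user not in last_mfa_login:
                findings.append((e["id"], f"token {e['token_id']} issued to {user} without MFA context"))
        elif kind == "RefreshTokenUsed":
            clients = token_clients.setdefault(e["token_id"], set())
            if e["client_id"] not in clients:
                clients.add(e["client_id"])
                if len(clients) > 1:  # report once per newly seen client, not on every reuse
                    findings.append((e["id"], f"refresh token {e['token_id']} presented by {len(clients)} distinct clients"))
            login = last_mfa_login.get(user)
            if login is None or t - login > TOKEN_REUSE_WINDOW:
                findings.append((e["id"], f"refresh token {e['token_id']} redeemed outside TokenReuseWindow of last login"))
    return findings


SAMPLE_EVENTS = [  # constructed, not real sign-in log entries
    {"id": "e1", "event": "InteractiveLogin", "time": "2025-10-21T09:00:00", "user": "alice", "mfa": True},
    {"id": "e2", "event": "TokenIssued", "time": "2025-10-21T09:01:00", "user": "alice",
     "client_id": "client-A", "token_id": "rt-1"},
    {"id": "e3", "event": "RefreshTokenUsed", "time": "2025-10-21T09:30:00", "user": "alice",
     "client_id": "client-A", "token_id": "rt-1"},
    {"id": "e4", "event": "RefreshTokenUsed", "time": "2025-10-21T10:00:00", "user": "alice",
     "client_id": "client-B", "token_id": "rt-1"},
    {"id": "e5", "event": "RefreshTokenUsed", "time": "2025-10-21T20:00:00", "user": "alice",
     "client_id": "client-A", "token_id": "rt-1"},
    {"id": "e6", "event": "TokenIssued", "time": "2025-10-21T11:00:00", "user": "bob",
     "client_id": "client-C", "token_id": "rt-2"},
]

if __name__ == "__main__":
    for event_id, reason in analyze_token_events(SAMPLE_EVENTS):
        print(event_id, reason)
```

e4 fires because rt-1 is suddenly presented by a second client, e6 because bob's token was issued without any MFA login on record, and e5 because the token is still being redeemed eleven hours after alice's last login. The same keys (token identifier, client/app id, user) exist in real sign-in logs under vendor-specific names; map them when wiring this to azure:signinlogs.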

AN0528

Application access tokens used to call APIs (e.g., Google Workspace, Salesforce) without interactive logins, often with unusual scopes or elevated permissions.

Log Sources
Data Component | Name | Channel
Web Credential Usage (DC0007) | saas:googleworkspace | OAuthTokenGranted, APIRequest
User Account Authentication (DC0002) | saas:salesforce | API login using access_token without login history

Mutable Elements
Field | Description
ApplicationScopeAllowlist | Restrict allowed API scopes for enterprise applications
TokenLifetime | Threshold for detecting unusually long-lived tokens

AN0529

OAuth token usage for Exchange Online or SharePoint API access without preceding login or from unauthorized clients.

Log Sources
Data Component | Name | Channel
Web Credential Usage (DC0007) | m365:unified | OAuthTokenIssued, FileAccessed, MailItemsAccessed

Mutable Elements
Field | Description
ClientAppIDWhitelist | Restrict trusted Office apps authorized to request tokens
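One added example that covers both AN0528 and AN0529 (it is not part of the page and not MITRE's or any SaaS vendor's code): it applies ApplicationScopeAllowlist and TokenLifetime to token grants, ClientAppIDWhitelist to both grants and data-access calls, and flags API, mail or file access by a user who has no interactive login within a lookback window. The scope strings, app ids, the 24-hour LOGIN_LOOKBACK and the sample events are constructed; the record schema is a simplified stand-in shared across the Google Workspace and Microsoft 365 channels, not either vendor's own field names.

```python
from datetime import datetime, timedelta

# Mutable elements (constructed values). ApplicationScopeAllowlist and ClientAppIDWhitelist
# use hypothetical scope strings and app ids; TokenLifetime is the longest validity a
# granted token may have before it is flagged. LOGIN_LOOKBACK is an added assumption for
# how recent an interactive login must be for API use to count as user-backed.
APPLICATION_SCOPE_ALLOWLIST = {"mail.read", "calendar.read", "files.read"}
CLIENT_APP_ID_ALLOWLIST = {"app-mail-client", "app-calendar-sync"}
TOKEN_LIFETIME = timedelta(hours=1)
LOGIN_LOOKBACK = timedelta(hours=24)

DATA_ACCESS_EVENTS = {"APIRequest", "MailItemsAccessed", "FileAccessed"}


def _ts(s):
    return datetime.fromisoformat(s)


def audit_saas_tokens(events):
    """Return (event_id, reason) pairs for grants and API calls that break the policy.

    Records use a simplified, constructed schema (event, time, user, client_id, scopes,
    expires); field names are not the vendors' own.
    """
    findings = []
    last_login = {}  # user -> time of the most recent interactive login
    for e in sorted(events, key=lambda e: e["time"]):
        t, eid, user, kind = _ts(e["time"]), e["id"], e["user"], e["event"]
        if kind == "InteractiveLogin":
            last_login[user] = t
        elif kind == "OAuthTokenGranted":
            if e["client_id"] not in CLIENT_APP_ID_ALLOWLIST:
                findings.append((eid, f"token granted to non-allowlisted client {e['client_id']}"))
            excess = set(e["scopes"]) - APPLICATION_SCOPE_ALLOWLIST
            if excess:
                findings.append((eid, f"scopes outside allowlist: {sorted(excess)}"))
            lifetime = _ts(e["expires"]) - t
            if lifetime > TOKEN_LIFETIME:
                findings.append((eid, f"token lifetime {lifetime} exceeds TokenLifetime"))
        elif kind in DATA_ACCESS_EVENTS:
            if e["client_id"] not in CLIENT_APP_ID_ALLOWLIST:
                findings.append((eid, f"{kind} by non-allowlisted client {e['client_id']}"))
            login = last_login.get(user)
            if login is None or t - login > LOGIN_LOOKBACK:
                findings.append((eid, f"{kind} for {user} without an interactive login in the last {LOGIN_LOOKBACK}"))
    return findings


SAMPLE_EVENTS = [  # constructed, not real audit records
    {"id": "s1", "event": "InteractiveLogin", "time": "2025-10-21T08:00:00", "user": "alice"},
    {"id": "s2", "event": "OAuthTokenGranted", "time": "2025-10-21T08:05:00", "user": "alice",
     "client_id": "app-mail-client", "scopes": ["mail.read"], "expires": "2025-10-21T09:05:00"},
    {"id": "s3", "event": "OAuthTokenGranted", "time": "2025-10-21T08:10:00", "user": "alice",
     "client_id": "app-unknown-42", "scopes": ["mail.read", "admin.directory"],
     "expires": "2025-10-22T08:10:00"},
    {"id": "s4", "event": "FileAccessed", "time": "2025-10-21T08:30:00", "user": "alice",
     "client_id": "app-mail-client"},
    {"id": "s5", "event": "MailItemsAccessed", "time": "2025-10-22T03:00:00", "user": "bob",
     "client_id": "app-mail-client"},
]

if __name__ == "__main__":
    for event_id, reason in audit_saas_tokens(SAMPLE_EVENTS):
        print(event_id, reason)
```

s3 produces three findings on one grant (unknown client, an admin scope outside the allowlist, a 24-hour lifetime), which is the profile AN0528 describes; s5 is a mailbox read for a user with no login history, the AN0529 case. s2 sits exactly at the TokenLifetime boundary and is deliberately not flagged.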

AN0530

Compromised service account tokens mounted inside containers and reused for external API calls or lateral movement across services.

Log Sources
Data Component | Name | Channel
Web Credential Usage (DC0007) | kubernetes:apiserver | serviceAccount token used in API requests not tied to workload identity
User Account Authentication (DC0002) | AWS:CloudTrail | AssumeRoleWithWebIdentity

Mutable Elements
Field | Description
NamespaceScope | Restrict token use to specific namespaces or workloads
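An added example for the Kubernetes side of AN0530 (not part of the page, not MITRE's or the Kubernetes project's code). It reads API-server audit events and reports a service account token that is not bound to a pod (no authentication.kubernetes.io/pod-name entry in user.extra, which bound tokens carry), a token acting on a namespace outside NamespaceScope, and a token presented from an address outside the cluster's pod network. The NamespaceScope map, the pod CIDR, and the sample audit events are constructed; the CloudTrail AssumeRoleWithWebIdentity correlation is not covered here.

```python
import ipaddress

# NamespaceScope (constructed): namespace a service account lives in -> namespaces its
# token may legitimately act on. Accounts not listed may only act on their own namespace.
NAMESPACE_SCOPE = {"monitoring": {"monitoring", "payments"}}

# Constructed cluster pod network. A service account token presented from outside it was
# most likely copied out of a container and reused elsewhere.
POD_CIDRS = [ipaddress.ip_network("10.244.0.0/16")]

# Bound service account tokens record the pod they were issued to in user.extra; a token
# without this claim is a long-lived secret that is not tied to a running workload.
BOUND_POD_CLAIM = "authentication.kubernetes.io/pod-name"


def parse_service_account(username):
    """Split 'system:serviceaccount:<ns>:<name>' into (ns, name); None for other users."""
    parts = username.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2], parts[3]
    return None


def find_token_misuse(events):
    """Return (auditID, reason) pairs for audit events in which an SA token is misused."""
    findings = []
    for ev in events:
        user = ev.get("user", {})
        sa = parse_service_account(user.get("username", ""))
        if sa is None:
            continue  # human or node identity; outside this analytic
        ns, name = sa
        aid = ev["auditID"]
        if BOUND_POD_CLAIM not in user.get("extra", {}):
            findings.append((aid, f"{ns}/{name} token is not bound to a pod identity"))
        target = ev.get("objectRef", {}).get("namespace")
        if target and target not in NAMESPACE_SCOPE.get(ns, {ns}):
            findings.append((aid, f"{ns}/{name} acted on namespace {target} outside NamespaceScope"))
        for ip in ev.get("sourceIPs", []):
            if not any(ipaddress.ip_address(ip) in cidr for cidr in POD_CIDRS):
                findings.append((aid, f"{ns}/{name} token presented from non-pod address {ip}"))
    return findings


SAMPLE_AUDIT = [  # constructed audit events in the apiserver's audit.k8s.io shape
    {"auditID": "a1", "verb": "get",
     "user": {"username": "system:serviceaccount:payments:api",
              "extra": {BOUND_POD_CLAIM: ["api-7d9f"]}},
     "objectRef": {"resource": "configmaps", "namespace": "payments"},
     "sourceIPs": ["10.244.1.5"]},
    {"auditID": "a2", "verb": "list",
     "user": {"username": "system:serviceaccount:payments:api",
              "extra": {BOUND_POD_CLAIM: ["api-7d9f"]}},
     "objectRef": {"resource": "secrets", "namespace": "kube-system"},
     "sourceIPs": ["10.244.1.5"]},
    {"auditID": "a3", "verb": "list",
     "user": {"username": "system:serviceaccount:payments:api"},
     "objectRef": {"resource": "pods", "namespace": "payments"},
     "sourceIPs": ["198.51.100.23"]},
    {"auditID": "a4", "verb": "get",
     "user": {"username": "alice", "groups": ["system:authenticated"]},
     "objectRef": {"resource": "pods", "namespace": "payments"},
     "sourceIPs": ["198.51.100.23"]},
]

if __name__ == "__main__":
    for audit_id, reason in find_token_misuse(SAMPLE_AUDIT):
        print(audit_id, reason)
```

a2 is a legitimately bound token reaching into kube-system secrets (NamespaceScope violation); a3 is an unbound token for the same account presented from outside the pod network, the "reused for external API calls" case in the analytic. Audit logging must be enabled on the API server with at least Metadata level for these fields to be present.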