Use Alternate Authentication Material: Application Access Token

Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.

Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).[1]

OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.[2]

For example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.[3] With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.[4]

Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.[5][6] The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.[7]

Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. For example, in AWS environments, an adversary who compromises a user’s AWS API credentials may be able to use the sts:GetFederationToken API call to create a federated user session, which will have the same permissions as the original user but may persist even if the original user credentials are deactivated.[8] Additionally, access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.

ID: T1550.001
Sub-technique of:  T1550
Platforms: Azure AD, Containers, Google Workspace, IaaS, Office 365, SaaS
Defense Bypassed: System Access Controls
Contributors: Dylan Silva, AWS Security; Ian Davila, Tidal Cyber; Jack Burns, HubSpot; Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services); Mark Wee; Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC); Shailesh Tiwary (Indian Army)
Version: 1.5
Created: 30 January 2020
Last Modified: 19 September 2023

Procedure Examples

ID Name Description
G0007 APT28

APT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.[9]

S1023 CreepyDrive

CreepyDrive can use legitimate OAuth refresh tokens to authenticate with OneDrive.[10]

S0683 Peirates

Peirates can use stolen service account tokens to perform its operations. It also enables adversaries to switch between valid service accounts.[11]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used compromised service principals to make changes to the Office 365 environment.[12]

Mitigations

ID Mitigation Description
M1047 Audit

Administrators should audit all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Where possible, the ability to request temporary account tokens on behalf of another accounts should be disabled. Additionally, administrators can leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.

M1041 Encrypt Sensitive Information

File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services.

M1021 Restrict Web-Based Content

Update corporate policies to restrict what types of third-party applications may be added to any online service or tool that is linked to the company's information, accounts or network (e.g., Google, Microsoft, Dropbox, Basecamp, GitHub). However, rather than providing high-level guidance on this, be extremely specific—include a list of per-approved applications and deny all others not on the list. Administrators may also block end-user consent through administrative portals, such as the Azure Portal, disabling users from authorizing third-party apps through OAuth and forcing administrative consent.[13]

Detection

ID Data Source Data Component Detects
DS0006 Web Credential Web Credential Usage

Monitor the use of application access tokens to interact with resources or services that do not fit the organization baseline. For example, an application that is not meant to read emails accessing users’ mail boxes and potentially exfiltrating sensitive data, or a token associated with a cloud service account being used to make API calls from an IP address outside of the cloud environment.[14]

References