T1528

Steal Application Access Token

Adversaries may steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens — including OAuth 2.0 tokens, Kubernetes service account tokens, cloud provider temporary credentials (Azure Managed Identity via IMDS, AWS STS instance role credentials, GCP service account tokens), and CI/CD pipeline secrets — authorize API requests on behalf of users or services. Token theft enables adversaries to impersonate legitimate identities, access cloud resources and SaaS platforms with the victim's permissions, and move laterally without requiring plaintext passwords. Real-world examples include APT29 stealing OAuth tokens via malicious application consent phishing, APT28 creating fraudulent OAuth apps masquerading as Google services, and threat actors exploiting compromised containers to extract Kubernetes service account tokens via the pod filesystem.

Microsoft Sentinel / Defender

kusto

// T1528 — Steal Application Access Token
// Multi-vector detection covering IMDS token requests, Kubernetes token access,
// OAuth token cache file access, and high-privilege OAuth consent grants.

// --- Vector 1: Cloud metadata service (IMDS) token requests from unexpected processes ---
let LegitIMDSAgents = dynamic([
  "waagent.exe", "WindowsAzureGuestAgent.exe", "WaAppAgent.exe",
  "MonAgentCore.exe", "HealthService.exe", "MMAExtensionHeartbeatService.exe",
  "AzureAttestService.exe", "azd.exe", "AzureCLI.exe"
]);
let IMDSTokenRequests = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIP == "169.254.169.254"
| where RemoteUrl has_any ("metadata/identity", "latest/meta-data/iam/security-credentials", "computeMetadata/v1/instance/service-accounts", "metadata/instance")
| where InitiatingProcessFileName !in~ (LegitIMDSAgents)
| extend Vector = "IMDS Token Request"
| extend TokenPlatform = case(
    RemoteUrl has "metadata/identity", "Azure Managed Identity",
    RemoteUrl has "iam/security-credentials", "AWS Instance Role",
    RemoteUrl has "service-accounts", "GCP Service Account",
    "Cloud IMDS")
| extend RiskDetail = strcat("Unexpected process '", InitiatingProcessFileName, "' queried ", TokenPlatform, " IMDS endpoint")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RemoteUrl, Vector, TokenPlatform, RiskDetail;

// --- Vector 2: Kubernetes service account token file reads ---
let LegitK8sProcesses = dynamic(["kubelet", "pause", "containerd-shim", "containerd-shim-runc-v2", "runc", "cri-o", "dockerd"]);
let K8sTokenAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (
    "/var/run/secrets/kubernetes.io/serviceaccount",
    "/run/secrets/kubernetes.io",
    "/var/run/secrets/tokens")
| where FileName in~ ("token", "ca.crt")
| where InitiatingProcessFileName !in~ (LegitK8sProcesses)
| extend Vector = "Kubernetes Service Account Token"
| extend TokenPlatform = "Kubernetes"
| extend RiskDetail = strcat("Process '", InitiatingProcessFileName, "' read K8s service account token: ", FolderPath, "/", FileName)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, FileName, FolderPath, Vector, TokenPlatform, RiskDetail;

// --- Vector 3: OAuth / cloud CLI token cache access by unexpected processes ---
let LegitTokenOwners = dynamic([
  "gcloud", "gcloud.exe", "aws", "aws.exe", "az", "az.exe",
  "gh", "gh.exe", "git", "git.exe", "Code.exe", "code",
  "terraform", "terraform.exe", "kubectl", "kubectl.exe"
]);
let TokenCachePatterns = dynamic([
  "application_default_credentials.json",
  "accessTokens.json", "azureProfile.json",
  "msal_token_cache.json", "msal_token_cache.bin",
  "TokenCache.dat", ".git-credentials", "hosts.yml"
]);
let TokenCacheAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName has_any (TokenCachePatterns)
    or (FolderPath has_any (".config/gcloud", ".azure", "TokenCache") and FileName endswith ".json")
| where ActionType in~ ("FileRead", "FileAccessed", "FileModified")
| where InitiatingProcessFileName !in~ (LegitTokenOwners)
| extend Vector = "OAuth Token Cache Access"
| extend TokenPlatform = case(
    FolderPath has ".config/gcloud" or FileName has "gcloud", "GCP",
    FolderPath has ".aws" or FileName has "aws", "AWS",
    FolderPath has ".azure" or FileName has "azure" or FileName has "msal", "Azure",
    FolderPath has ".gh" or FileName has "hosts.yml", "GitHub",
    "OAuth/Cloud")
| extend RiskDetail = strcat("Process '", InitiatingProcessFileName, "' accessed ", TokenPlatform, " token cache: ", FileName)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, FileName, FolderPath, Vector, TokenPlatform, RiskDetail;

// --- Vector 4: High-privilege OAuth consent grants in Azure AD ---
let HighRiskOAuthScopes = dynamic([
  "Mail.ReadWrite", "Mail.Read", "Files.ReadWrite.All",
  "User.Read.All", "Directory.ReadWrite.All",
  "offline_access", "full_access_as_user",
  "EWS.AccessAsUser.All", "Contacts.ReadWrite"
]);
let OAuthConsentGrants = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in ("Consent to application", "Add app role assignment to service principal", "Add delegated permission grant", "Add OAuth2PermissionGrant")
| where Result == "success"
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByIP = tostring(InitiatedBy.user.ipAddress)
| extend TargetApp = tostring(TargetResources[0].displayName)
| extend RawProps = tostring(TargetResources[0].modifiedProperties)
| where RawProps has_any (HighRiskOAuthScopes)
| extend Vector = "OAuth High-Privilege Consent Grant"
| extend TokenPlatform = "Azure AD / Microsoft 365"
| extend RiskDetail = strcat("User '", InitiatedByUser, "' consented to high-privilege OAuth app '", TargetApp, "' from IP: ", InitiatedByIP)
| project TimeGenerated, InitiatedByUser, InitiatedByIP, TargetApp, OperationName, RawProps, Vector, TokenPlatform, RiskDetail;

// --- Union all vectors ---
union
  (IMDSTokenRequests  | project Timestamp, Source=DeviceName,  Actor=AccountName,       Process=InitiatingProcessFileName, CommandLine=InitiatingProcessCommandLine, Vector, TokenPlatform, RiskDetail),
  (K8sTokenAccess     | project Timestamp, Source=DeviceName,  Actor=AccountName,       Process=InitiatingProcessFileName, CommandLine=InitiatingProcessCommandLine, Vector, TokenPlatform, RiskDetail),
  (TokenCacheAccess   | project Timestamp, Source=DeviceName,  Actor=AccountName,       Process=InitiatingProcessFileName, CommandLine=InitiatingProcessCommandLine, Vector, TokenPlatform, RiskDetail),
  (OAuthConsentGrants | project Timestamp=TimeGenerated, Source=InitiatedByIP, Actor=InitiatedByUser, Process=TargetApp, CommandLine=RawProps, Vector, TokenPlatform, RiskDetail)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network: Network Connection Creation File: File Access Application Log: Application Log Content Cloud Service: Cloud Service Metadata Azure Active Directory: Audit Logs

Required Tables

DeviceNetworkEvents DeviceFileEvents AuditLogs

False Positives

Security scanning tools and vulnerability assessment agents that enumerate IMDS endpoints as part of cloud posture checks (e.g., Prisma Cloud, Wiz, Orca)
Developer workstations where developers legitimately use multiple cloud CLIs (gcloud, az, aws) and IDEs that access token caches on behalf of the user
Legitimate Kubernetes operators and custom controllers that mount and read service account tokens as part of their normal authentication flow to the Kubernetes API
CI/CD pipeline agents (GitHub Actions runner, GitLab Runner, Jenkins agent) that access cloud credentials and token caches as part of authorized deployment workflows
IT administration scripts that use OAuth tokens for legitimate bulk operations (e.g., Microsoft Graph scripts for user provisioning, Azure automation runbooks)

Splunk

spl

| union
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
    DestinationIp="169.254.169.254"
    NOT (Image="*\\waagent.exe" OR Image="*\\WindowsAzureGuestAgent.exe" OR Image="*\\WaAppAgent.exe" OR Image="*\\MonAgentCore.exe" OR Image="*\\HealthService.exe")
  | eval Vector="IMDS Token Request"
  | eval TokenPlatform=case(
      match(DestinationHostname, "metadata.*identity"), "Azure Managed Identity",
      match(DestinationHostname, "iam.*credentials"), "AWS Instance Role",
      1=1, "Cloud IMDS")
  | eval RiskDetail=Image." queried cloud IMDS endpoint: ".DestinationHostname
  | eval Actor=User
  | table _time, host, Actor, Image, CommandLine, DestinationIp, DestinationHostname, Vector, TokenPlatform, RiskDetail ],

  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    (TargetFilename="*/var/run/secrets/kubernetes.io/serviceaccount/token*"
      OR TargetFilename="*/run/secrets/kubernetes.io*token*"
      OR TargetFilename="*msal_token_cache*"
      OR TargetFilename="*accessTokens.json*"
      OR TargetFilename="*application_default_credentials.json*"
      OR TargetFilename="*.git-credentials*")
    NOT (Image="*\\kubelet*" OR Image="*\\containerd*" OR Image="*\\gcloud*" OR Image="*\\az.exe" OR Image="*\\aws.exe")
  | eval Vector=case(
      match(TargetFilename, "kubernetes.io"), "Kubernetes Service Account Token",
      match(TargetFilename, "msal|accessTokens|azureProfile"), "Azure OAuth Token Cache",
      match(TargetFilename, "application_default"), "GCP Token Cache",
      match(TargetFilename, "git-credentials"), "Git Credential Token",
      1=1, "OAuth Token File")
  | eval TokenPlatform=case(
      match(TargetFilename, "kubernetes.io"), "Kubernetes",
      match(TargetFilename, "msal|azure|accessTokens"), "Azure",
      match(TargetFilename, "application_default|gcloud"), "GCP",
      match(TargetFilename, "git-credentials"), "GitHub/Git",
      1=1, "Multi-Cloud")
  | eval RiskDetail=Image." created/modified token file: ".TargetFilename
  | eval Actor=User
  | table _time, host, Actor, Image, CommandLine, TargetFilename, Vector, TokenPlatform, RiskDetail ],

  [ search index=o365 sourcetype="o365:management:activity"
    (Operation="Consent to application" OR Operation="Add app role assignment to service principal" OR Operation="Add OAuth2PermissionGrant")
    (Scope="Mail.ReadWrite" OR Scope="Files.ReadWrite.All" OR Scope="User.Read.All" OR Scope="Directory.ReadWrite.All" OR Scope="offline_access" OR ModifiedProperties="*Mail.Read*" OR ModifiedProperties="*full_access*")
  | eval Vector="OAuth High-Privilege Consent Grant"
  | eval TokenPlatform="Azure AD / Microsoft 365"
  | eval RiskDetail="User ".UserId." consented to high-privilege OAuth app from IP: ".ClientIP
  | eval Actor=UserId
  | table _time, ClientIP, Actor, Operation, ModifiedProperties, Vector, TokenPlatform, RiskDetail ]

| eval SuspicionScore=case(
    Vector="IMDS Token Request", 3,
    Vector="Kubernetes Service Account Token", 3,
    Vector="OAuth High-Privilege Consent Grant", 4,
    Vector="Azure OAuth Token Cache", 2,
    Vector="GCP Token Cache", 2,
    Vector="Git Credential Token", 2,
    1=1, 1)
| sort - _time
| table _time, host, Actor, Image, CommandLine, Vector, TokenPlatform, RiskDetail, SuspicionScore

high severity medium confidence

Data Sources

Network: Network Connection Creation File: File Creation Application Log: Application Log Content Sysmon Event ID 3 Sysmon Event ID 11 Office 365 Management Activity

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational o365:management:activity

False Positives

Security posture tools (Prisma Cloud, Wiz, Orca) scanning IMDS endpoints as part of cloud configuration assessment
Developer tools and IDEs that legitimately write updated OAuth token caches when refreshing credentials during normal development workflows
Kubernetes operators and admission webhooks that mount and interact with service account tokens as part of their design
IT automation runbooks using Office 365 or Graph API OAuth tokens for legitimate administrative tasks such as bulk user provisioning or compliance reporting
CI/CD agents refreshing cloud credentials — look for parent process context (jenkins-agent, runner, etc.) to differentiate from interactive token theft

Elastic Security (EQL)

eql

any where
  (
    // Vector 1: Cloud IMDS token requests from non-native processes
    event.category == "network" and
    destination.ip == "169.254.169.254" and
    (
      url.full like~ "*metadata/identity*" or
      url.full like~ "*iam/security-credentials*" or
      url.full like~ "*computeMetadata/v1/instance/service-accounts*" or
      url.full like~ "*metadata/instance*"
    ) and
    not process.name in~ (
      "waagent.exe", "WindowsAzureGuestAgent.exe", "WaAppAgent.exe",
      "MonAgentCore.exe", "HealthService.exe", "MMAExtensionHeartbeatService.exe",
      "AzureAttestService.exe", "azd.exe", "AzureCLI.exe"
    )
  ) or
  (
    // Vector 2: Kubernetes service account token file reads by unexpected processes
    event.category == "file" and
    (
      file.path like~ "*/var/run/secrets/kubernetes.io/serviceaccount/*" or
      file.path like~ "*/run/secrets/kubernetes.io/*" or
      file.path like~ "*/var/run/secrets/tokens/*"
    ) and
    file.name in~ ("token", "ca.crt") and
    not process.name in~ (
      "kubelet", "pause", "containerd-shim", "containerd-shim-runc-v2",
      "runc", "cri-o", "dockerd"
    )
  ) or
  (
    // Vector 3: OAuth and cloud CLI token cache access by unexpected processes
    event.category == "file" and
    (
      file.name in~ (
        "application_default_credentials.json", "accessTokens.json",
        "azureProfile.json", "msal_token_cache.json", "msal_token_cache.bin",
        "TokenCache.dat", ".git-credentials"
      ) or
      (file.path like~ "*/.config/gcloud/*" and file.extension == "json") or
      (file.path like~ "*/.azure/*" and file.extension == "json") or
      file.path like~ "*/TokenCache/*"
    ) and
    not process.name in~ (
      "gcloud", "gcloud.exe", "aws", "aws.exe", "az", "az.exe",
      "gh", "gh.exe", "git", "git.exe", "Code.exe", "code",
      "terraform", "terraform.exe", "kubectl", "kubectl.exe"
    )
  )

high severity high confidence

Data Sources

Elastic Endpoint Security agent (network and file telemetry) Elastic Agent with System integration (Linux auditd) Elastic Agent with Windows integration (Sysmon via winlogbeat) Elastic Agent with Azure or GCP integration for cloud audit logs

Required Tables

logs-endpoint.events.network-* logs-endpoint.events.file-* logs-system.syslog-* logs-windows.sysmon_operational-*

False Positives

Azure VM Agent (waagent.exe), AWS Systems Manager Agent (amazon-ssm-agent), and GCP OS Config daemon legitimately query IMDS on a regular schedule — tune the process exclusion list to reflect all cloud platform native agents deployed in your environment, including versioned paths
Container init processes, sidecar containers, and Kubernetes admission webhooks may read service account tokens during pod startup or cluster API authentication flows — correlate alerts with known Kubernetes node hostnames and system namespace pods before escalating
Developer workstations with VS Code remote extensions, IntelliJ cloud plugins, or multi-cloud CLI sessions may trigger token cache file reads from unexpected parent processes — validate with process ancestry chain and user identity context

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  username AS Actor,
  "Application" AS ProcessName,
  "URL" AS RequestURL,
  "fileName" AS FileName,
  "filePath" AS FilePath,
  CATEGORYNAME(category) AS EventCategory,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  UTF8(payload) AS RawEvent,
  CASE
    WHEN destinationip = '169.254.169.254'
      AND (
        "URL" IMATCHES '.*metadata/identity.*'
        OR "URL" IMATCHES '.*iam/security-credentials.*'
        OR "URL" IMATCHES '.*computeMetadata/v1/instance/service-accounts.*'
        OR "URL" IMATCHES '.*metadata/instance.*'
      )
    THEN 'IMDS Token Request'
    WHEN "filePath" IMATCHES '.*(kubernetes\.io/serviceaccount|run/secrets/kubernetes|run/secrets/tokens).*'
    THEN 'Kubernetes Service Account Token'
    WHEN
      "fileName" IMATCHES '.*(msal_token_cache|accessTokens\.json|application_default_credentials|azureProfile\.json|\.git-credentials|TokenCache\.dat).*'
      OR ("filePath" IMATCHES '.*\.config/gcloud.*' AND "fileName" IMATCHES '.*\.json')
      OR ("filePath" IMATCHES '.*\.azure.*' AND "fileName" IMATCHES '.*\.json')
    THEN 'OAuth Token Cache Access'
    WHEN
      CATEGORYNAME(category) IMATCHES '.*(application consent|OAuth consent|permission grant).*'
      AND UTF8(payload) IMATCHES '.*(Mail\.ReadWrite|Files\.ReadWrite\.All|User\.Read\.All|Directory\.ReadWrite\.All|offline_access|full_access_as_user|EWS\.AccessAsUser\.All).*'
    THEN 'OAuth High-Privilege Consent Grant'
    ELSE NULL
  END AS Vector,
  CASE
    WHEN destinationip = '169.254.169.254' AND "URL" IMATCHES '.*metadata/identity.*' THEN 'Azure Managed Identity'
    WHEN destinationip = '169.254.169.254' AND "URL" IMATCHES '.*iam/security-credentials.*' THEN 'AWS Instance Role'
    WHEN destinationip = '169.254.169.254' AND "URL" IMATCHES '.*service-accounts.*' THEN 'GCP Service Account'
    WHEN "filePath" IMATCHES '.*kubernetes.*' THEN 'Kubernetes'
    WHEN "fileName" IMATCHES '.*msal.*' OR "filePath" IMATCHES '.*\.azure.*' THEN 'Azure'
    WHEN "filePath" IMATCHES '.*\.config/gcloud.*' OR "fileName" IMATCHES '.*application_default.*' THEN 'GCP'
    WHEN "fileName" IMATCHES '.*\.git-credentials.*' THEN 'GitHub/Git'
    ELSE 'Multi-Cloud'
  END AS TokenPlatform
FROM events
WHERE
  starttime > NOW() - 86400000
  AND (
    -- Vector 1: IMDS token requests from non-native processes
    (
      destinationip = '169.254.169.254'
      AND (
        "URL" IMATCHES '.*metadata/identity.*'
        OR "URL" IMATCHES '.*iam/security-credentials.*'
        OR "URL" IMATCHES '.*computeMetadata/v1/instance/service-accounts.*'
        OR "URL" IMATCHES '.*metadata/instance.*'
      )
      AND NOT "Application" IMATCHES '.*(waagent|WindowsAzureGuestAgent|WaAppAgent|MonAgentCore|HealthService|MMAExtensionHeartbeatService|AzureAttestService|azd\.exe|AzureCLI).*'
    )
    OR
    -- Vector 2: Kubernetes service account token file reads
    (
      "filePath" IMATCHES '.*(kubernetes\.io/serviceaccount|run/secrets/kubernetes\.io|var/run/secrets/tokens).*'
      AND "fileName" IN ('token', 'ca.crt')
      AND NOT "Application" IMATCHES '.*(kubelet|pause|containerd-shim|containerd-shim-runc-v2|runc|cri-o|dockerd).*'
    )
    OR
    -- Vector 3: OAuth and cloud CLI token cache file access
    (
      (
        "fileName" IMATCHES '.*(msal_token_cache|accessTokens\.json|application_default_credentials|azureProfile\.json|\.git-credentials|TokenCache\.dat).*'
        OR ("filePath" IMATCHES '.*\.config/gcloud.*' AND "fileName" IMATCHES '.*\.json')
        OR ("filePath" IMATCHES '.*\.azure.*' AND "fileName" IMATCHES '.*\.json')
      )
      AND NOT "Application" IMATCHES '.*(gcloud(\.exe)?|aws(\.exe)?|\baz(\.exe)?|gh(\.exe)?|\bgit(\.exe)?|terraform(\.exe)?|kubectl(\.exe)?|Code\.exe).*'
    )
    OR
    -- Vector 4: High-privilege OAuth consent grants
    (
      CATEGORYNAME(category) IMATCHES '.*(application consent|OAuth consent|permission grant).*'
      AND UTF8(payload) IMATCHES '.*(Mail\.ReadWrite|Files\.ReadWrite\.All|User\.Read\.All|Directory\.ReadWrite\.All|offline_access|full_access_as_user|EWS\.AccessAsUser\.All).*'
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Sysmon via QRadar DSM (Microsoft Windows Security Event Log) Linux auditd via QRadar DSM (Linux OS) Microsoft Office 365 via QRadar DSM (Microsoft Office 365) Microsoft Azure AD audit logs via QRadar DSM (Microsoft Azure Active Directory) Endpoint Detection and Response telemetry via QRadar Universal DSM or vendor-specific DSM

Required Tables

events (QRadar normalized events table) Custom Event Property: Application — mapped from Sysmon Image field or EDR process path Custom Event Property: URL — mapped from Sysmon network event destination URL or proxy logs Custom Event Property: fileName — mapped from Sysmon TargetFilename or EDR file event Custom Event Property: filePath — mapped from Sysmon TargetFilename directory component or EDR file path

False Positives

Azure VM Agent, AWS SSM Agent, and GCP OS Config daemon legitimately poll IMDS on a scheduled interval — the Application IMATCHES exclusion must be tuned to include all cloud platform native agent binary names and paths present in your environment
CI/CD pipelines executing cloud deployments in containers frequently read Kubernetes service account tokens for cluster API authentication — correlate with known pipeline runner hostnames, service account names, and job execution windows
Automated infrastructure management tools (Ansible, Terraform Cloud agent, Chef) may access cloud credential files as part of environment bootstrapping — validate against scheduled maintenance windows and approved automation service accounts before escalating

Sumo Logic CSE

sql

(_index=sec_record* OR _sourceCategory=*endpoint* OR _sourceCategory=*windows* OR _sourceCategory=*linux* OR _sourceCategory=*azure* OR _sourceCategory=*o365*)
| where (
    // Vector 1: IMDS token requests from unexpected processes
    (
      dstDevice_ip = "169.254.169.254"
      and (
        http_url matches "*metadata/identity*"
        or http_url matches "*iam/security-credentials*"
        or http_url matches "*computeMetadata/v1/instance/service-accounts*"
        or http_url matches "*metadata/instance*"
      )
      and not (
        application matches "*waagent*"
        or application matches "*WindowsAzureGuestAgent*"
        or application matches "*WaAppAgent*"
        or application matches "*MonAgentCore*"
        or application matches "*HealthService*"
        or application matches "*azd*"
        or application matches "*AzureCLI*"
      )
    )
    or
    // Vector 2: Kubernetes service account token file reads by unexpected processes
    (
      normalizedAction in ("open", "read", "access")
      and (
        file_path matches "*/var/run/secrets/kubernetes.io/serviceaccount/*"
        or file_path matches "*/run/secrets/kubernetes.io/*"
        or file_path matches "*/var/run/secrets/tokens/*"
      )
      and not (
        application matches "*kubelet*"
        or application matches "*pause*"
        or application matches "*containerd*"
        or application matches "*runc*"
        or application matches "*cri-o*"
        or application matches "*dockerd*"
      )
    )
    or
    // Vector 3: OAuth and cloud CLI token cache file access by unexpected processes
    (
      normalizedAction in ("open", "read", "access", "modify")
      and (
        file_path matches "*msal_token_cache*"
        or file_path matches "*accessTokens.json*"
        or file_path matches "*application_default_credentials.json*"
        or file_path matches "*azureProfile.json*"
        or file_path matches "*.git-credentials*"
        or file_path matches "*TokenCache.dat*"
        or (file_path matches "*/.config/gcloud/*" and file_path matches "*.json")
        or (file_path matches "*/.azure/*" and file_path matches "*.json")
      )
      and not (
        application matches "*gcloud*"
        or application matches "*/aws"
        or application matches "*aws.exe*"
        or application matches "*/az"
        or application matches "*az.exe*"
        or application matches "*/gh"
        or application matches "*gh.exe*"
        or application matches "*/git"
        or application matches "*git.exe*"
        or application matches "*terraform*"
        or application matches "*kubectl*"
        or application matches "*Code.exe*"
        or application matches "*/code"
      )
    )
    or
    // Vector 4: High-privilege OAuth consent grants
    (
      normalizedAction in ("Consent to application", "Add app role assignment to service principal", "Add OAuth2PermissionGrant", "Add delegated permission grant")
      and (
        ModifiedProperties matches "*Mail.ReadWrite*"
        or ModifiedProperties matches "*Files.ReadWrite.All*"
        or ModifiedProperties matches "*User.Read.All*"
        or ModifiedProperties matches "*Directory.ReadWrite.All*"
        or ModifiedProperties matches "*offline_access*"
        or ModifiedProperties matches "*full_access_as_user*"
        or ModifiedProperties matches "*EWS.AccessAsUser.All*"
      )
    )
  )
| if(dstDevice_ip = "169.254.169.254", "IMDS Token Request",
    if(file_path matches "*kubernetes.io*", "Kubernetes Service Account Token",
    if(file_path matches "*msal*" or file_path matches "*/.azure/*" or file_path matches "*accessTokens*", "Azure OAuth Token Cache",
    if(file_path matches "*application_default*" or file_path matches "*/.config/gcloud/*", "GCP Token Cache",
    if(file_path matches "*.git-credentials*", "Git Credential Token",
    if(normalizedAction in ("Consent to application", "Add OAuth2PermissionGrant", "Add delegated permission grant"), "OAuth Consent Grant",
    "Unknown")))))) as vector
| if(file_path matches "*kubernetes.io*", "Kubernetes",
    if(file_path matches "*msal*" or file_path matches "*/.azure/*", "Azure",
    if(file_path matches "*application_default*" or file_path matches "*/.config/gcloud/*", "GCP",
    if(file_path matches "*.git-credentials*", "GitHub/Git",
    if(dstDevice_ip = "169.254.169.254" and http_url matches "*metadata/identity*", "Azure Managed Identity",
    if(dstDevice_ip = "169.254.169.254" and http_url matches "*iam/security-credentials*", "AWS Instance Role",
    if(dstDevice_ip = "169.254.169.254" and http_url matches "*service-accounts*", "GCP Service Account",
    "Multi-Cloud"))))))) as tokenPlatform
| if(vector in ("IMDS Token Request", "Kubernetes Service Account Token"), 3,
    if(vector = "OAuth Consent Grant", 4,
    if(vector in ("Azure OAuth Token Cache", "GCP Token Cache", "Git Credential Token"), 2, 1))) as suspicionScore
| count by _messageTime, srcDevice_hostname, user_username, application, commandLine, file_path, http_url, vector, tokenPlatform, suspicionScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise (CSE) normalized schema Endpoint telemetry via Sumo Logic installed collector with Windows or Linux source Microsoft Azure AD audit logs via Sumo Logic Azure Audit source Microsoft Office 365 activity logs via Sumo Logic M365 Audit source Linux auditd logs via Sumo Logic syslog source with field extraction

Required Tables

sec_record* (Cloud SIEM normalized records index) CSE normalized fields: dstDevice_ip, http_url, file_path, application, normalizedAction, commandLine CSE normalized fields: user_username, srcDevice_hostname Azure AD audit field: ModifiedProperties (extracted from raw Office 365 or Azure AD log)

False Positives

Cloud VM monitoring agents (Azure Monitor Agent, Amazon CloudWatch Agent, Google Cloud Ops Agent) legitimately contact 169.254.169.254 for token refresh and instance metadata — verify against your approved cloud agent binary inventory and adjust the application exclusion list per environment
Kubernetes admission controllers, operators, and init containers access service account tokens during pod scheduling and cluster API authentication — correlate with known Kubernetes node srcDevice_hostname values and system namespace service accounts before escalating
Security posture management tools (Wiz, Orca, Lacework) and secrets scanning agents performing credential exposure audits may read token cache files during scheduled scans — validate against your security tool deployment schedule and service account user_username values

Google Chronicle / SecOps

yaral

rule t1528_steal_application_access_token {
  meta:
    author = "Argus Detection Platform"
    description = "Detects T1528 - Steal Application Access Token via IMDS queries, Kubernetes token reads, and OAuth token cache access"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1528"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1528/"
    false_positives = "Cloud VM agents, Kubernetes orchestration processes, cloud CLI toolchains"
    version = "1.0"

  events:
    (
      $e.metadata.event_type = "NETWORK_CONNECTION" or
      $e.metadata.event_type = "FILE_OPEN" or
      $e.metadata.event_type = "FILE_READ"
    )
    (
      // Vector 1: Cloud IMDS token requests from non-native processes
      (
        $e.metadata.event_type = "NETWORK_CONNECTION" and
        $e.target.ip = "169.254.169.254" and
        (
          re.regex($e.network.http.request_url, `metadata/identity`) or
          re.regex($e.network.http.request_url, `iam/security-credentials`) or
          re.regex($e.network.http.request_url, `computeMetadata/v1/instance/service-accounts`) or
          re.regex($e.network.http.request_url, `metadata/instance`)
        ) and
        not re.regex($e.principal.process.file.full_path, `(?i)(waagent\.exe|WindowsAzureGuestAgent\.exe|WaAppAgent\.exe|MonAgentCore\.exe|HealthService\.exe|MMAExtensionHeartbeatService\.exe|AzureAttestService\.exe|azd\.exe|AzureCLI\.exe)`)
      ) or
      // Vector 2: Kubernetes service account token reads by unexpected processes
      (
        ($e.metadata.event_type = "FILE_OPEN" or $e.metadata.event_type = "FILE_READ") and
        (
          re.regex($e.target.file.full_path, `/var/run/secrets/kubernetes\.io/serviceaccount`) or
          re.regex($e.target.file.full_path, `/run/secrets/kubernetes\.io`) or
          re.regex($e.target.file.full_path, `/var/run/secrets/tokens`)
        ) and
        not re.regex($e.principal.process.file.full_path, `(?i)(kubelet|pause|containerd-shim|containerd-shim-runc-v2|runc|cri-o|dockerd)`)
      ) or
      // Vector 3: OAuth and cloud CLI token cache file access by unexpected processes
      (
        ($e.metadata.event_type = "FILE_OPEN" or $e.metadata.event_type = "FILE_READ") and
        (
          re.regex($e.target.file.full_path, `(?i)(msal_token_cache\.(json|bin)|accessTokens\.json|application_default_credentials\.json|azureProfile\.json|\.git-credentials|TokenCache\.dat)`) or
          re.regex($e.target.file.full_path, `\.config/gcloud/.+\.json`) or
          re.regex($e.target.file.full_path, `/\.azure/.+\.json`)
        ) and
        not re.regex($e.principal.process.file.full_path, `(?i)(gcloud(\.exe)?$|aws(\.exe)?$|az(\.exe)?$|gh(\.exe)?$|git(\.exe)?$|terraform(\.exe)?$|kubectl(\.exe)?$|Code\.exe$|^code$)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM endpoint events (FILE_OPEN, FILE_READ, NETWORK_CONNECTION) Google Chronicle Forwarder with Windows or Linux endpoint collection CrowdStrike Falcon, Microsoft Defender for Endpoint, or SentinelOne via Chronicle integration Google Cloud audit logs via Chronicle GCP native integration

Required Tables

UDM event_type: NETWORK_CONNECTION UDM event_type: FILE_OPEN UDM event_type: FILE_READ UDM fields: principal.process.file.full_path, target.ip, target.file.full_path, network.http.request_url

False Positives

Azure VM extensions and the Windows Azure Guest Agent legitimately contact 169.254.169.254 for managed identity token refresh — the exclusion regex must match exact binary names in your cloud environment, including full paths like /usr/sbin/waagent on Linux
HashiCorp Vault agent injector and AWS IAM Roles for Service Accounts (IRSA) mechanisms cause legitimate IMDS traffic from workload processes — add verified workload binary names to the not re.regex() exclusion for each environment tier
Developer containers using Telepresence, minikube, or KIND (Kubernetes in Docker) environments frequently access service account tokens as part of local cluster authentication — correlate principal.ip with known developer subnet ranges before escalating

CrowdStrike LogScale (CQL)

cql

// T1528 - Steal Application Access Token
// Detect IMDS token requests, Kubernetes token access, and OAuth token cache reads
// via CrowdStrike Falcon telemetry in LogScale

#event_simpleName in ("NetworkConnectIP4", "FileOpenInfo", "SuspiciousFileOpenInfo")
| case {
    // Vector 1: IMDS token requests from non-native processes
    #event_simpleName = "NetworkConnectIP4"
    AND RemoteAddressIP4 = "169.254.169.254"
    | where not ImageFileName = /waagent\.exe|WindowsAzureGuestAgent\.exe|WaAppAgent\.exe|MonAgentCore\.exe|HealthService\.exe|MMAExtensionHeartbeatService\.exe|AzureAttestService\.exe|azd\.exe|AzureCLI\.exe/i
    | vector := "IMDS Token Request"
    | tokenPlatform := "Cloud IMDS"
    | suspicionScore := 3;

    // Vector 2: Kubernetes service account token file reads by unexpected processes
    #event_simpleName in ("FileOpenInfo", "SuspiciousFileOpenInfo")
    AND TargetFileName = /\/var\/run\/secrets\/kubernetes\.io\/serviceaccount|\/run\/secrets\/kubernetes\.io|\/var\/run\/secrets\/tokens/
    | where not ImageFileName = /kubelet|pause|containerd-shim|containerd-shim-runc-v2|runc|cri-o|dockerd/i
    | vector := "Kubernetes Service Account Token"
    | tokenPlatform := "Kubernetes"
    | suspicionScore := 3;

    // Vector 3: OAuth and cloud CLI token cache file access by unexpected processes
    #event_simpleName in ("FileOpenInfo", "SuspiciousFileOpenInfo")
    AND TargetFileName = /msal_token_cache\.(json|bin)|accessTokens\.json|application_default_credentials\.json|azureProfile\.json|\.git-credentials|TokenCache\.dat|\.config\/gcloud\/.+\.json|\.azure\/.+\.json/i
    | where not ImageFileName = /gcloud(\.exe)?$|aws(\.exe)?$|az(\.exe)?$|gh(\.exe)?$|git(\.exe)?$|terraform(\.exe)?$|kubectl(\.exe)?$|Code\.exe$|^code$/i
    | vector := "OAuth Token Cache Access"
    | tokenPlatform := case(
        TargetFileName = /msal|\.azure/i, "Azure",
        TargetFileName = /application_default|\.config\/gcloud/i, "GCP",
        TargetFileName = /\.git-credentials/, "GitHub/Git",
        "Multi-Cloud"
      )
    | suspicionScore := 2;

    * | drop()
  }
| groupBy(
    [ComputerName, UserName, ImageFileName, TargetFileName, RemoteAddressIP4, vector, tokenPlatform],
    function=[
      count(as=eventCount),
      max(@timestamp, as=lastSeen),
      min(@timestamp, as=firstSeen),
      collect(CommandLine, limit=5, as=observedCommandLines)
    ]
  )
| suspicionScore := case(
    vector = "IMDS Token Request", 3,
    vector = "Kubernetes Service Account Token", 3,
    vector = "OAuth Token Cache Access", 2,
    1
  )
| riskLabel := case(
    suspicionScore >= 3, "HIGH",
    suspicionScore = 2, "MEDIUM",
    "LOW"
  )
| sort(lastSeen, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Insight XDR endpoint sensor (NetworkConnectIP4, FileOpenInfo, SuspiciousFileOpenInfo) CrowdStrike LogScale (Humio) with Falcon Data Replicator or streaming connector Falcon Prevent or Falcon Insight with Credential Theft and Process Hollowing prevention policies Falcon sensor with high-verbosity file monitoring configured for sensitive credential paths

Required Tables

Falcon telemetry stream: NetworkConnectIP4 (RemoteAddressIP4, ImageFileName, CommandLine, ComputerName, UserName) Falcon telemetry stream: FileOpenInfo (TargetFileName, ImageFileName, CommandLine, ComputerName, UserName) Falcon telemetry stream: SuspiciousFileOpenInfo (TargetFileName, ImageFileName, ComputerName) LogScale fields: #event_simpleName, ComputerName, UserName, @timestamp

False Positives

CrowdStrike's own sensor processes and cloud platform agents (Azure VM Agent, AWS SSM Agent, GCP OS Config daemon) generate NetworkConnectIP4 events to 169.254.169.254 legitimately — tune the ImageFileName exclusion regex to include all cloud agents present in your environment, including full path variants
Kubernetes node-level operations by kubelet, containerd-shim-runc-v2, and CRI-O generate FileOpenInfo events for service account tokens during normal pod lifecycle management — verify by checking ComputerName against known Kubernetes node inventory before escalating
CI/CD runners (GitHub Actions runner, GitLab Runner, Jenkins agent) executing cloud deployment pipelines may access cloud CLI token files under a service account — correlate with known runner ComputerName values, UserName service accounts, and pipeline execution windows

Last updated: 2026-04-20 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1528 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Steal Application Access Token

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Credential Access

Popular Detections