T1528 Google Chronicle · YARA-L

Detect Steal Application Access Token in Google Chronicle

Adversaries may steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens — including OAuth 2.0 tokens, Kubernetes service account tokens, cloud provider temporary credentials (Azure Managed Identity via IMDS, AWS STS instance role credentials, GCP service account tokens), and CI/CD pipeline secrets — authorize API requests on behalf of users or services. Token theft enables adversaries to impersonate legitimate identities, access cloud resources and SaaS platforms with the victim's permissions, and move laterally without requiring plaintext passwords. Real-world examples include APT29 stealing OAuth tokens via malicious application consent phishing, APT28 creating fraudulent OAuth apps masquerading as Google services, and threat actors exploiting compromised containers to extract Kubernetes service account tokens via the pod filesystem.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1528 Steal Application Access Token
Canonical reference
https://attack.mitre.org/techniques/T1528/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1528_steal_application_access_token {
  meta:
    author = "Argus Detection Platform"
    description = "Detects T1528 - Steal Application Access Token via IMDS queries, Kubernetes token reads, and OAuth token cache access"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1528"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1528/"
    false_positives = "Cloud VM agents, Kubernetes orchestration processes, cloud CLI toolchains"
    version = "1.0"

  events:
    (
      $e.metadata.event_type = "NETWORK_CONNECTION" or
      $e.metadata.event_type = "FILE_OPEN" or
      $e.metadata.event_type = "FILE_READ"
    )
    (
      // Vector 1: Cloud IMDS token requests from non-native processes
      (
        $e.metadata.event_type = "NETWORK_CONNECTION" and
        $e.target.ip = "169.254.169.254" and
        (
          re.regex($e.network.http.request_url, `metadata/identity`) or
          re.regex($e.network.http.request_url, `iam/security-credentials`) or
          re.regex($e.network.http.request_url, `computeMetadata/v1/instance/service-accounts`) or
          re.regex($e.network.http.request_url, `metadata/instance`)
        ) and
        not re.regex($e.principal.process.file.full_path, `(?i)(waagent\.exe|WindowsAzureGuestAgent\.exe|WaAppAgent\.exe|MonAgentCore\.exe|HealthService\.exe|MMAExtensionHeartbeatService\.exe|AzureAttestService\.exe|azd\.exe|AzureCLI\.exe)`)
      ) or
      // Vector 2: Kubernetes service account token reads by unexpected processes
      (
        ($e.metadata.event_type = "FILE_OPEN" or $e.metadata.event_type = "FILE_READ") and
        (
          re.regex($e.target.file.full_path, `/var/run/secrets/kubernetes\.io/serviceaccount`) or
          re.regex($e.target.file.full_path, `/run/secrets/kubernetes\.io`) or
          re.regex($e.target.file.full_path, `/var/run/secrets/tokens`)
        ) and
        not re.regex($e.principal.process.file.full_path, `(?i)(kubelet|pause|containerd-shim|containerd-shim-runc-v2|runc|cri-o|dockerd)`)
      ) or
      // Vector 3: OAuth and cloud CLI token cache file access by unexpected processes
      (
        ($e.metadata.event_type = "FILE_OPEN" or $e.metadata.event_type = "FILE_READ") and
        (
          re.regex($e.target.file.full_path, `(?i)(msal_token_cache\.(json|bin)|accessTokens\.json|application_default_credentials\.json|azureProfile\.json|\.git-credentials|TokenCache\.dat)`) or
          re.regex($e.target.file.full_path, `\.config/gcloud/.+\.json`) or
          re.regex($e.target.file.full_path, `/\.azure/.+\.json`)
        ) and
        not re.regex($e.principal.process.file.full_path, `(?i)(gcloud(\.exe)?$|aws(\.exe)?$|az(\.exe)?$|gh(\.exe)?$|git(\.exe)?$|terraform(\.exe)?$|kubectl(\.exe)?$|Code\.exe$|^code$)`)
      )
    )

  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule detecting T1528 application access token theft across three behavioral vectors using the Unified Data Model (UDM): (1) NETWORK_CONNECTION events where target.ip is 169.254.169.254 and the HTTP request URL targets credential-bearing IMDS paths for Azure Managed Identity, AWS IAM instance role, or GCP service account tokens, from processes not in the native agent allowlist; (2) FILE_OPEN or FILE_READ events targeting Kubernetes service account token paths from non-orchestration processes; and (3) FILE_OPEN or FILE_READ events targeting OAuth and cloud CLI token cache files from processes outside the expected toolchain. The rule uses re.regex() with backtick-quoted patterns for case-insensitive matching where (?i) is prepended. Requires UDM-normalized endpoint events ingested via Chronicle Forwarder or EDR integration (CrowdStrike, Microsoft Defender, SentinelOne).

Data Sources

  • Chronicle UDM endpoint events (FILE_OPEN, FILE_READ, NETWORK_CONNECTION)
  • Google Chronicle Forwarder with Windows or Linux endpoint collection
  • CrowdStrike Falcon, Microsoft Defender for Endpoint, or SentinelOne via Chronicle integration
  • Google Cloud audit logs via Chronicle GCP native integration

Required Tables

  • UDM event_type: NETWORK_CONNECTION
  • UDM event_type: FILE_OPEN
  • UDM event_type: FILE_READ
  • UDM fields: principal.process.file.full_path, target.ip, target.file.full_path, network.http.request_url

False Positives & Tuning

  • Azure VM extensions and the Windows Azure Guest Agent legitimately contact 169.254.169.254 for managed identity token refresh — the exclusion regex must match exact binary names in your cloud environment, including full paths like /usr/sbin/waagent on Linux
  • HashiCorp Vault agent injector and AWS IAM Roles for Service Accounts (IRSA) mechanisms cause legitimate IMDS traffic from workload processes — add verified workload binary names to the not re.regex() exclusion for each environment tier
  • Developer containers using Telepresence, minikube, or KIND (Kubernetes in Docker) environments frequently access service account tokens as part of local cluster authentication — correlate principal.ip with known developer subnet ranges before escalating
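To see what the three vectors and their process allowlists actually fire on, here is an added Python re-implementation of the rule's events predicate run over constructed UDM-style events; it is not part of the Argus rule or of Chronicle, and the simplified field names (event_type, target_ip, url, file_path, process_path) stand in for the UDM paths the rule references. Event 2 exercises the first tuning caveat above: /usr/sbin/waagent is not matched by the waagent\.exe exclusion, so the rule alerts on the Linux guest agent until the allowlist is extended.

```python
import re

# Patterns copied from the rule's re.regex() calls. YARA-L re.regex() is an unanchored substring
# match, which Python's re.search() reproduces for these RE2-compatible patterns.
VECTORS = {  # number: (event types, field tested, match patterns, process allowlist)
    1: ({"NETWORK_CONNECTION"}, "url",
        [r"metadata/identity", r"iam/security-credentials", r"computeMetadata/v1/instance/service-accounts", r"metadata/instance"],
        [r"(?i)(waagent\.exe|WindowsAzureGuestAgent\.exe|WaAppAgent\.exe|MonAgentCore\.exe|HealthService\.exe|MMAExtensionHeartbeatService\.exe|AzureAttestService\.exe|azd\.exe|AzureCLI\.exe)"]),
    2: ({"FILE_OPEN", "FILE_READ"}, "file_path",
        [r"/var/run/secrets/kubernetes\.io/serviceaccount", r"/run/secrets/kubernetes\.io", r"/var/run/secrets/tokens"],
        [r"(?i)(kubelet|pause|containerd-shim|containerd-shim-runc-v2|runc|cri-o|dockerd)"]),
    3: ({"FILE_OPEN", "FILE_READ"}, "file_path",
        [r"(?i)(msal_token_cache\.(json|bin)|accessTokens\.json|application_default_credentials\.json|azureProfile\.json|\.git-credentials|TokenCache\.dat)",
         r"\.config/gcloud/.+\.json", r"/\.azure/.+\.json"],
        [r"(?i)(gcloud(\.exe)?$|aws(\.exe)?$|az(\.exe)?$|gh(\.exe)?$|git(\.exe)?$|terraform(\.exe)?$|kubectl(\.exe)?$|Code\.exe$|^code$)"]),
}

def any_match(patterns, text):
    return any(re.search(p, text) for p in patterns)

def match_vector(ev):
    """Return the first vector (1-3) whose predicate the event satisfies, or None."""
    for num, (types, field, match, allow) in VECTORS.items():
        if ev["event_type"] not in types or (num == 1 and ev.get("target_ip") != "169.254.169.254"):
            continue
        if any_match(match, ev.get(field, "")) and not any_match(allow, ev["process_path"]):
            return num
    return None

def evaluate(events):
    """Return [(index, vector)] for every event the rule would alert on."""
    return [(i, v) for i, ev in enumerate(events) if (v := match_vector(ev)) is not None]

# Constructed sample events with simplified UDM field names (not real telemetry). Event 2 shows the
# tuning caveat: the Linux guest agent /usr/sbin/waagent is not covered by the waagent\.exe exclusion.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SA_TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"
SAMPLE_EVENTS = [
    {"event_type": "NETWORK_CONNECTION", "target_ip": "169.254.169.254", "process_path": PS, "url": "http://169.254.169.254/metadata/identity/oauth2/token"},
    {"event_type": "NETWORK_CONNECTION", "target_ip": "169.254.169.254", "process_path": r"C:\WindowsAzure\GuestAgent\WaAppAgent.exe", "url": "http://169.254.169.254/metadata/identity/oauth2/token"},
    {"event_type": "NETWORK_CONNECTION", "target_ip": "169.254.169.254", "process_path": "/usr/sbin/waagent", "url": "http://169.254.169.254/metadata/instance?api-version=2021-02-01"},
    {"event_type": "FILE_OPEN", "process_path": "/bin/cat", "file_path": SA_TOKEN},
    {"event_type": "FILE_READ", "process_path": "/usr/bin/kubelet", "file_path": SA_TOKEN},
    {"event_type": "FILE_READ", "process_path": PS, "file_path": r"C:\Users\alice\.azure\msal_token_cache.json"},
    {"event_type": "FILE_READ", "process_path": r"C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.exe", "file_path": r"C:\Users\alice\.azure\msal_token_cache.json"},
]
```

evaluate(SAMPLE_EVENTS) returns [(0, 1), (2, 1), (3, 2), (5, 3)]: the guest agent, kubelet and az.exe reads are suppressed by the allowlists, while the Linux waagent (event 2) still alerts.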

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Query Azure IMDS Endpoint for Managed Identity Token

    Expected signal: Sysmon Event ID 3: Network Connection from powershell.exe to 169.254.169.254:80. DeviceNetworkEvents in MDE: RemoteIP=169.254.169.254, InitiatingProcessFileName=powershell.exe. The RemoteUrl field will contain the metadata identity path.

  2. Test 2: Read Kubernetes Service Account Token from Pod Filesystem

    Expected signal: Linux auditd syscall audit event for openat/read on /var/run/secrets/kubernetes.io/serviceaccount/token with the process name (cat or the shell). Sysmon for Linux Event ID 11 (if deployed) for file access. The token value (JWT) will be visible in any memory or command output capture.

  3. Test 3: Enumerate and Exfiltrate Azure CLI Token Cache

    Expected signal: Sysmon Event ID 11: File access/creation event with TargetFilename matching *msal_token_cache.json and Image=powershell.exe. DeviceFileEvents in MDE: FileName=msal_token_cache.json, ActionType=FileRead or FileAccessed, InitiatingProcessFileName=powershell.exe.

  4. Test 4: Register Malicious OAuth App and Simulate Consent Phishing Link

    Expected signal: Azure AD AuditLogs OperationName='Add application' followed by 'Update application' with permissions modification. The registered app will appear in AuditLogs with the requesting user's UPN and source IP. If a test user clicks the generated consent URL, AuditLogs will show OperationName='Consent to application' with the scopes granted.
