T1528 Elastic Security · Elastic

Detect Steal Application Access Token in Elastic Security

Adversaries may steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens — including OAuth 2.0 tokens, Kubernetes service account tokens, cloud provider temporary credentials (Azure Managed Identity via IMDS, AWS STS instance role credentials, GCP service account tokens), and CI/CD pipeline secrets — authorize API requests on behalf of users or services. Token theft enables adversaries to impersonate legitimate identities, access cloud resources and SaaS platforms with the victim's permissions, and move laterally without requiring plaintext passwords. Real-world examples include APT29 stealing OAuth tokens via malicious application consent phishing, APT28 creating fraudulent OAuth apps masquerading as Google services, and threat actors exploiting compromised containers to extract Kubernetes service account tokens via the pod filesystem.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1528 Steal Application Access Token
Canonical reference: https://attack.mitre.org/techniques/T1528/

Elastic Detection Query

Query language: EQL
any where
  (
    // Vector 1: Cloud IMDS token requests from non-native processes
    event.category == "network" and
    destination.ip == "169.254.169.254" and
    (
      url.full like~ "*metadata/identity*" or
      url.full like~ "*iam/security-credentials*" or
      url.full like~ "*computeMetadata/v1/instance/service-accounts*" or
      url.full like~ "*metadata/instance*"
    ) and
    not process.name in~ (
      "waagent.exe", "WindowsAzureGuestAgent.exe", "WaAppAgent.exe",
      "MonAgentCore.exe", "HealthService.exe", "MMAExtensionHeartbeatService.exe",
      "AzureAttestService.exe", "azd.exe", "AzureCLI.exe"
    )
  ) or
  (
    // Vector 2: Kubernetes service account token file reads by unexpected processes
    event.category == "file" and
    (
      file.path like~ "*/var/run/secrets/kubernetes.io/serviceaccount/*" or
      file.path like~ "*/run/secrets/kubernetes.io/*" or
      file.path like~ "*/var/run/secrets/tokens/*"
    ) and
    file.name in~ ("token", "ca.crt") and
    not process.name in~ (
      "kubelet", "pause", "containerd-shim", "containerd-shim-runc-v2",
      "runc", "cri-o", "dockerd"
    )
  ) or
  (
    // Vector 3: OAuth and cloud CLI token cache access by unexpected processes
    event.category == "file" and
    (
      file.name in~ (
        "application_default_credentials.json", "accessTokens.json",
        "azureProfile.json", "msal_token_cache.json", "msal_token_cache.bin",
        "TokenCache.dat", ".git-credentials"
      ) or
      (file.path like~ "*/.config/gcloud/*" and file.extension == "json") or
      (file.path like~ "*/.azure/*" and file.extension == "json") or
      file.path like~ "*/TokenCache/*"
    ) and
    not process.name in~ (
      "gcloud", "gcloud.exe", "aws", "aws.exe", "az", "az.exe",
      "gh", "gh.exe", "git", "git.exe", "Code.exe", "code",
      "terraform", "terraform.exe", "kubectl", "kubectl.exe"
    )
  )
Severity: high · Confidence: high

Detects T1528 application access token theft via three behavioral vectors using Elastic Common Schema (ECS) fields: (1) network connections to the cloud IMDS link-local address 169.254.169.254 from processes not in the native agent allowlist, targeting Azure Managed Identity, AWS IAM instance role, or GCP service account credential paths; (2) file reads of Kubernetes service account tokens from /var/run/secrets/kubernetes.io/serviceaccount/ by non-orchestration processes; and (3) access to OAuth and cloud CLI token cache files (MSAL, GCP ADC, Azure CLI, GitHub credentials) by processes outside the expected toolchain. Covers both Windows and Linux endpoints via Elastic Agent endpoint integration.
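To check the three vectors against sample telemetry before deploying the rule, the logic can be replayed offline. This is an added Python example, not code from the Elastic rule or from this page; it assumes flattened ECS field names on constructed events and mirrors EQL's case-insensitive `in~`/`like~` with lower-casing and `fnmatch`.

```python
import fnmatch

# Allowlists and path patterns copied from the EQL rule above, lower-cased where EQL compares case-insensitively.
IMDS_AGENTS = {"waagent.exe", "windowsazureguestagent.exe", "waappagent.exe", "monagentcore.exe",
               "healthservice.exe", "mmaextensionheartbeatservice.exe", "azureattestservice.exe",
               "azd.exe", "azurecli.exe"}
K8S_RUNTIME = {"kubelet", "pause", "containerd-shim", "containerd-shim-runc-v2", "runc", "cri-o", "dockerd"}
CLI_TOOLS = {"gcloud", "gcloud.exe", "aws", "aws.exe", "az", "az.exe", "gh", "gh.exe", "git", "git.exe",
             "code.exe", "code", "terraform", "terraform.exe", "kubectl", "kubectl.exe"}
IMDS_PATHS = ["*metadata/identity*", "*iam/security-credentials*",
              "*computeMetadata/v1/instance/service-accounts*", "*metadata/instance*"]
SA_PATHS = ["*/var/run/secrets/kubernetes.io/serviceaccount/*", "*/run/secrets/kubernetes.io/*",
            "*/var/run/secrets/tokens/*"]
CACHE_FILES = {"application_default_credentials.json", "accesstokens.json", "azureprofile.json",
               "msal_token_cache.json", "msal_token_cache.bin", "tokencache.dat", ".git-credentials"}

def like(value, patterns):
    """Case-insensitive wildcard match, the Python equivalent of EQL `like~`."""
    return any(fnmatch.fnmatchcase((value or "").lower(), p.lower()) for p in patterns)

def match_vector(ev):
    """Return 1, 2 or 3 for the rule vector a flattened ECS event matches, else None."""
    cat, proc = ev.get("event.category"), (ev.get("process.name") or "").lower()
    path, name = ev.get("file.path"), (ev.get("file.name") or "").lower()
    # Vector 1: IMDS credential path requested by a process outside the native-agent allowlist
    if (cat == "network" and ev.get("destination.ip") == "169.254.169.254"
            and like(ev.get("url.full"), IMDS_PATHS) and proc not in IMDS_AGENTS):
        return 1
    # Vector 2: projected service account token read by something other than the container runtime
    if cat == "file" and like(path, SA_PATHS) and name in ("token", "ca.crt") and proc not in K8S_RUNTIME:
        return 2
    # Vector 3: OAuth / cloud CLI token cache touched by a process outside the expected toolchain
    cache_hit = (name in CACHE_FILES or like(path, ["*/TokenCache/*"])
                 or (like(path, ["*/.config/gcloud/*", "*/.azure/*"]) and ev.get("file.extension") == "json"))
    if cat == "file" and cache_hit and proc not in CLI_TOOLS:
        return 3
    return None

def evaluate(events): return [match_vector(e) for e in events]

SAMPLES = [  # constructed ECS-style events for illustration, not real telemetry
    {"event.category": "network", "destination.ip": "169.254.169.254", "process.name": "powershell.exe",
     "url.full": "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01"},
    {"event.category": "network", "destination.ip": "169.254.169.254", "process.name": "WaAgent.exe",
     "url.full": "http://169.254.169.254/metadata/instance?api-version=2021-02-01"},
    {"event.category": "file", "process.name": "cat", "file.name": "token",
     "file.path": "/var/run/secrets/kubernetes.io/serviceaccount/token"},
    {"event.category": "file", "process.name": "powershell.exe", "file.name": "msal_token_cache.json",
     "file.path": "C:\\Users\\dev\\.azure\\msal_token_cache.json", "file.extension": "json"},
    {"event.category": "file", "process.name": "az", "file.name": "azureProfile.json",
     "file.path": "/home/dev/.azure/azureProfile.json", "file.extension": "json"},
]
```

`evaluate(SAMPLES)` returns `[1, None, 2, 3, None]`: the two allowlisted processes (WaAgent.exe, az) are suppressed even though they touch the same paths, which is exactly the tuning surface described under False Positives below.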

Data Sources

  • Elastic Endpoint Security agent (network and file telemetry)
  • Elastic Agent with System integration (Linux auditd)
  • Elastic Agent with Windows integration (Sysmon via winlogbeat)
  • Elastic Agent with Azure or GCP integration for cloud audit logs

Required Tables

  • logs-endpoint.events.network-*
  • logs-endpoint.events.file-*
  • logs-system.syslog-*
  • logs-windows.sysmon_operational-*

False Positives & Tuning

  • Azure VM Agent (waagent.exe), AWS Systems Manager Agent (amazon-ssm-agent), and GCP OS Config daemon legitimately query IMDS on a regular schedule — tune the process exclusion list to reflect all cloud platform native agents deployed in your environment, including versioned paths
  • Container init processes, sidecar containers, and Kubernetes admission webhooks may read service account tokens during pod startup or cluster API authentication flows — correlate alerts with known Kubernetes node hostnames and system namespace pods before escalating
  • Developer workstations with VS Code remote extensions, IntelliJ cloud plugins, or multi-cloud CLI sessions may trigger token cache file reads from unexpected parent processes — validate with process ancestry chain and user identity context

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Query Azure IMDS Endpoint for Managed Identity Token

    Expected signal: Sysmon Event ID 3: Network Connection from powershell.exe to 169.254.169.254:80. DeviceNetworkEvents in MDE: RemoteIP=169.254.169.254, InitiatingProcessFileName=powershell.exe. The RemoteUrl field will contain the metadata identity path.

  2. Test 2: Read Kubernetes Service Account Token from Pod Filesystem

    Expected signal: Linux auditd syscall audit event for openat/read on /var/run/secrets/kubernetes.io/serviceaccount/token with the process name (cat or the shell). Sysmon for Linux Event ID 11 (if deployed) for file access. The token value (JWT) will be visible in any memory or command output capture.

  3. Test 3: Enumerate and Exfiltrate Azure CLI Token Cache

    Expected signal: Sysmon Event ID 11: File access/creation event with TargetFilename matching *msal_token_cache.json and Image=powershell.exe. DeviceFileEvents in MDE: FileName=msal_token_cache.json, ActionType=FileRead or FileAccessed, InitiatingProcessFileName=powershell.exe.

  4. Test 4: Register Malicious OAuth App and Simulate Consent Phishing Link

    Expected signal: Azure AD AuditLogs OperationName='Add application' followed by 'Update application' with permissions modification. The registered app will appear in AuditLogs with the requesting user's UPN and source IP. If a test user clicks the generated consent URL, AuditLogs will show OperationName='Consent to application' with the scopes granted.
