Detect Steal Application Access Token in CrowdStrike LogScale
Adversaries may steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens — including OAuth 2.0 tokens, Kubernetes service account tokens, cloud provider temporary credentials (Azure Managed Identity via IMDS, AWS STS instance role credentials, GCP service account tokens), and CI/CD pipeline secrets — authorize API requests on behalf of users or services. Token theft enables adversaries to impersonate legitimate identities, access cloud resources and SaaS platforms with the victim's permissions, and move laterally without requiring plaintext passwords. Real-world examples include APT29 stealing OAuth tokens via malicious application consent phishing, APT28 creating fraudulent OAuth apps masquerading as Google services, and threat actors exploiting compromised containers to extract Kubernetes service account tokens via the pod filesystem.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1528 Steal Application Access Token
- Canonical reference: https://attack.mitre.org/techniques/T1528/
LogScale Detection Query
// T1528 - Steal Application Access Token
// Detect IMDS token requests, Kubernetes token access, and OAuth token cache reads
// via CrowdStrike Falcon telemetry in LogScale
in(#event_simpleName, values=["NetworkConnectIP4", "FileOpenInfo", "SuspiciousFileOpenInfo"])
| case {
    // Vector 1: IMDS token requests from non-native processes
    #event_simpleName = "NetworkConnectIP4" and RemoteAddressIP4 = "169.254.169.254"
    | ImageFileName != /waagent\.exe|WindowsAzureGuestAgent\.exe|WaAppAgent\.exe|MonAgentCore\.exe|HealthService\.exe|MMAExtensionHeartbeatService\.exe|AzureAttestService\.exe|azd\.exe|AzureCLI\.exe/i
    | vector := "IMDS Token Request"
    | tokenPlatform := "Cloud IMDS"
    | suspicionScore := 3;

    // Vector 2: Kubernetes service account token file reads by unexpected processes
    (#event_simpleName = "FileOpenInfo" or #event_simpleName = "SuspiciousFileOpenInfo")
    and TargetFileName = /\/var\/run\/secrets\/kubernetes\.io\/serviceaccount|\/run\/secrets\/kubernetes\.io|\/var\/run\/secrets\/tokens/
    | ImageFileName != /kubelet|pause|containerd-shim|containerd-shim-runc-v2|runc|cri-o|dockerd/i
    | vector := "Kubernetes Service Account Token"
    | tokenPlatform := "Kubernetes"
    | suspicionScore := 3;

    // Vector 3: OAuth and cloud CLI token cache file access by unexpected processes
    (#event_simpleName = "FileOpenInfo" or #event_simpleName = "SuspiciousFileOpenInfo")
    and TargetFileName = /msal_token_cache\.(json|bin)|accessTokens\.json|application_default_credentials\.json|azureProfile\.json|\.git-credentials|TokenCache\.dat|\.config\/gcloud\/.+\.json|\.azure\/.+\.json/i
    | ImageFileName != /gcloud(\.exe)?$|aws(\.exe)?$|az(\.exe)?$|gh(\.exe)?$|git(\.exe)?$|terraform(\.exe)?$|kubectl(\.exe)?$|Code\.exe$|^code$/i
    | vector := "OAuth Token Cache Access"
    // case is a statement in LogScale, not a function, so the platform label is a nested case
    | case {
        TargetFileName = /msal|\.azure/i | tokenPlatform := "Azure";
        TargetFileName = /application_default|\.config\/gcloud/i | tokenPlatform := "GCP";
        TargetFileName = /\.git-credentials/ | tokenPlatform := "GitHub/Git";
        * | tokenPlatform := "Multi-Cloud"
      }
    | suspicionScore := 2
    // Events that match no branch are dropped by case; no explicit drop is needed
  }
// groupBy needs every key field present, so fill the field each vector leaves empty
| default(field=[TargetFileName, RemoteAddressIP4], value="-")
| groupBy(
    [ComputerName, UserName, ImageFileName, TargetFileName, RemoteAddressIP4, vector, tokenPlatform, suspicionScore],
    function=[
      count(as=eventCount),
      max(@timestamp, as=lastSeen),
      min(@timestamp, as=firstSeen),
      collect([CommandLine], limit=5)
    ]
  )
| case {
    suspicionScore >= 3 | riskLabel := "HIGH";
    suspicionScore = 2 | riskLabel := "MEDIUM";
    * | riskLabel := "LOW"
  }
| sort(lastSeen, order=desc)

Detects T1528 application access token theft in CrowdStrike LogScale using Falcon sensor telemetry across three vectors: (1) NetworkConnectIP4 events where RemoteAddressIP4 is 169.254.169.254 and the initiating ImageFileName is not in the cloud agent allowlist, indicating unauthorized IMDS credential requests; (2) FileOpenInfo or SuspiciousFileOpenInfo events targeting Kubernetes service account token paths from non-orchestration processes; and (3) file open events targeting OAuth and cloud CLI token cache files (MSAL, GCP ADC, Azure CLI, Git credentials) from processes outside the expected toolchain. Results are grouped by host, user, and process to surface repeated access patterns, with a suspicion score derived from the vector type. Requires Falcon Insight XDR or Falcon LogScale with endpoint telemetry; FileOpenInfo events for sensitive paths require the Falcon sensor to be configured with file monitoring at an appropriate verbosity level.
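To make the query's logic testable offline, the following is an added Python re-implementation of the three vectors, the grouping and the scoring, run over constructed Falcon-style events. It is example code written for this page, not CrowdStrike's code or the query author's. Field names follow the query (event_simpleName, ImageFileName, TargetFileName, RemoteAddressIP4, CommandLine); every host name, user, path and timestamp in SAMPLE_EVENTS is constructed. One deliberate difference from the query: the allowlists are anchored against the image basename, so a full path such as C:\WindowsAzure\...\waagent.exe still matches while a binary whose name merely ends in "az" does not.

```python
import re

IMDS_ADDRESS = "169.254.169.254"
# Allowlists from the query, matched here against the anchored image basename so that
# full-path variants match and look-alike names do not.
IMDS_AGENT_ALLOW = re.compile(
    r"^(waagent|WindowsAzureGuestAgent|WaAppAgent|MonAgentCore|HealthService|"
    r"MMAExtensionHeartbeatService|AzureAttestService|azd|AzureCLI)\.exe$", re.I)
K8S_RUNTIME_ALLOW = re.compile(r"kubelet|pause|containerd-shim|runc|cri-o|dockerd", re.I)
TOOLCHAIN_ALLOW = re.compile(
    r"^(gcloud|aws|az|gh|git|terraform|kubectl)(\.exe)?$|^Code\.exe$|^code$", re.I)
K8S_TOKEN_PATHS = re.compile(
    r"/var/run/secrets/kubernetes\.io/serviceaccount|/run/secrets/kubernetes\.io|"
    r"/var/run/secrets/tokens")
TOKEN_CACHE_FILES = re.compile(
    r"msal_token_cache\.(json|bin)|accessTokens\.json|application_default_credentials\.json|"
    r"azureProfile\.json|\.git-credentials|TokenCache\.dat|\.config/gcloud/.+\.json|"
    r"\.azure/.+\.json", re.I)
GROUP_FIELDS = ("ComputerName", "UserName", "ImageFileName", "TargetFileName", "RemoteAddressIP4")


def token_platform(target):
    """Mirror of the nested case{} that labels a token cache by cloud platform."""
    if re.search(r"msal|\.azure", target, re.I):
        return "Azure"
    if re.search(r"application_default|\.config/gcloud", target, re.I):
        return "GCP"
    return "GitHub/Git" if ".git-credentials" in target else "Multi-Cloud"


def classify(ev):
    """Return (vector, tokenPlatform, suspicionScore), or None for expected activity."""
    name = ev.get("event_simpleName")
    image = re.split(r"[\\/]", ev.get("ImageFileName", ""))[-1]  # basename, Windows or POSIX
    target = ev.get("TargetFileName", "")
    if name == "NetworkConnectIP4" and ev.get("RemoteAddressIP4") == IMDS_ADDRESS:
        if IMDS_AGENT_ALLOW.search(image):
            return None
        return ("IMDS Token Request", "Cloud IMDS", 3)
    if name in ("FileOpenInfo", "SuspiciousFileOpenInfo"):
        if K8S_TOKEN_PATHS.search(target):
            if K8S_RUNTIME_ALLOW.search(image):
                return None
            return ("Kubernetes Service Account Token", "Kubernetes", 3)
        if TOKEN_CACHE_FILES.search(target):
            if TOOLCHAIN_ALLOW.search(image):
                return None
            return ("OAuth Token Cache Access", token_platform(target), 2)
    return None


def detect(events):
    """Equivalent of the query's groupBy, riskLabel and sort: one row per group, newest first."""
    rows = {}
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        vector, platform, score = hit
        key = tuple(ev.get(f) for f in GROUP_FIELDS) + (vector, platform)
        row = rows.get(key)
        if row is None:
            row = rows[key] = dict(
                zip(GROUP_FIELDS + ("vector", "tokenPlatform"), key),
                suspicionScore=score, eventCount=0, CommandLine=[],
                riskLabel="HIGH" if score >= 3 else "MEDIUM" if score == 2 else "LOW",
                firstSeen=ev["@timestamp"], lastSeen=ev["@timestamp"])
        row["eventCount"] += 1
        row["firstSeen"] = min(row["firstSeen"], ev["@timestamp"])
        row["lastSeen"] = max(row["lastSeen"], ev["@timestamp"])
        cmd = ev.get("CommandLine")
        if cmd and cmd not in row["CommandLine"] and len(row["CommandLine"]) < 5:
            row["CommandLine"].append(cmd)  # collect([CommandLine], limit=5)
    return sorted(rows.values(), key=lambda r: r["lastSeen"], reverse=True)


def _ev(ts, name, host, user, image, **fields):
    # Constructed Falcon-style event for the sample below; not real telemetry.
    return {"@timestamp": ts, "event_simpleName": name, "ComputerName": host,
            "UserName": user, "ImageFileName": image, **fields}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SA_TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"
MSAL_CACHE = "/home/alice/.azure/msal_token_cache.json"
SAMPLE_EVENTS = [
    # expected: the Azure guest agent fetching its own managed-identity token
    _ev(1700000000, "NetworkConnectIP4", "web-01", "SYSTEM",
        r"C:\WindowsAzure\GuestAgent\WindowsAzureGuestAgent.exe", RemoteAddressIP4=IMDS_ADDRESS),
    # suspicious: PowerShell reaching IMDS twice under a deployment account
    _ev(1700000100, "NetworkConnectIP4", "web-01", "svc_deploy", PS,
        RemoteAddressIP4=IMDS_ADDRESS, CommandLine="powershell.exe -File deploy.ps1"),
    _ev(1700000160, "NetworkConnectIP4", "web-01", "svc_deploy", PS,
        RemoteAddressIP4=IMDS_ADDRESS, CommandLine="powershell.exe -File verify.ps1"),
    # suspicious: a shell utility reading a pod's service account token
    _ev(1700000200, "FileOpenInfo", "k8s-node-3", "root", "/bin/cat",
        TargetFileName=SA_TOKEN, CommandLine="cat " + SA_TOKEN),
    # expected: kubelet touching the projected token during pod setup
    _ev(1700000210, "FileOpenInfo", "k8s-node-3", "root", "/usr/bin/kubelet", TargetFileName=SA_TOKEN),
    # medium: an interpreter, not the az CLI, reading the MSAL cache
    _ev(1700000300, "SuspiciousFileOpenInfo", "dev-laptop", "alice", "/usr/bin/python3",
        TargetFileName=MSAL_CACHE, CommandLine="python3 sync.py"),
]
```

Calling detect(SAMPLE_EVENTS) yields three rows, newest first: the MSAL cache read (MEDIUM, Azure), the token read by cat (HIGH) and the PowerShell IMDS requests collapsed into one row with eventCount 2 and both command lines retained; the guest agent and kubelet events are dropped by the allowlists, exactly as the query's `!=` filters drop them.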
False Positives & Tuning
- CrowdStrike's own sensor processes and cloud platform agents (Azure VM Agent, AWS SSM Agent, GCP OS Config daemon) generate NetworkConnectIP4 events to 169.254.169.254 legitimately — tune the ImageFileName exclusion regex to include all cloud agents present in your environment, including full path variants
- Kubernetes node-level operations by kubelet, containerd-shim-runc-v2, and CRI-O generate FileOpenInfo events for service account tokens during normal pod lifecycle management — verify by checking ComputerName against known Kubernetes node inventory before escalating
- CI/CD runners (GitHub Actions runner, GitLab Runner, Jenkins agent) executing cloud deployment pipelines may access cloud CLI token files under a service account — correlate with known runner ComputerName values, UserName service accounts, and pipeline execution windows
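The three tuning rules above can be applied as a triage pass over the query's grouped output. The following added Python example (not from the page, CrowdStrike or the query author) does that against constructed rows shaped like the groupBy result: the Kubernetes node inventory, the runner-to-service-account map, the pipeline window and the cloud agent paths are assumptions that stand in for an environment's own inventory.

```python
import re
from datetime import datetime, time, timezone

# Constructed environment inventory: assumptions for this example, not values from the page.
K8S_NODES = {"k8s-node-1", "k8s-node-2", "k8s-node-3"}
CICD_RUNNERS = {"gha-runner-01": "svc_gha", "gitlab-runner-02": "gitlab-runner"}  # host -> service account
PIPELINE_WINDOW_UTC = (time(1, 0), time(5, 0))  # nightly deployment window
CLOUD_AGENT_PATHS = [  # cloud platform agents seen in this environment, as full paths
    r"C:\WindowsAzure\GuestAgent\WindowsAzureGuestAgent.exe",
    r"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe",
    "/usr/sbin/waagent",
    "/usr/bin/google_osconfig_agent",
]


def agent_allowlist_regex(paths):
    """Build the ImageFileName exclusion regex from an agent inventory. Each agent is
    matched by basename behind a start-or-separator anchor, so the bare name and every
    full-path variant are excluded while names that merely contain it are not."""
    names = sorted({re.split(r"[\\/]", p)[-1] for p in paths})
    return re.compile(r"(^|[\\/])(" + "|".join(map(re.escape, names)) + r")$", re.I)


AGENT_ALLOW = agent_allowlist_regex(CLOUD_AGENT_PATHS)


def in_window(epoch, window):
    """True if the epoch timestamp's UTC time of day falls inside (start, end)."""
    start, end = window
    return start <= datetime.fromtimestamp(epoch, tz=timezone.utc).time() <= end


def triage(row):
    """Apply the tuning rules to one grouped detection row.
    Returns (action, reason) with action in {"suppress", "review", "escalate"}."""
    vector, host, user = row["vector"], row["ComputerName"], row["UserName"]
    if vector == "IMDS Token Request":
        if AGENT_ALLOW.search(row["ImageFileName"]):
            return "suppress", "known cloud platform agent"
        return "escalate", "IMDS request from a process outside the agent inventory"
    if vector == "Kubernetes Service Account Token":
        if host not in K8S_NODES:
            return "escalate", "service account token path read on a host that is not a Kubernetes node"
        return "review", "token read on a known node; confirm the pod and process context"
    if vector == "OAuth Token Cache Access":
        if CICD_RUNNERS.get(host) == user and in_window(row["lastSeen"], PIPELINE_WINDOW_UTC):
            return "suppress", "CI/CD runner service account inside the pipeline window"
        if host in CICD_RUNNERS:
            return "escalate", "token cache read on a runner by an unexpected user or outside the window"
        return "review", "token cache read by a non-toolchain process"
    return "review", "unknown vector"


def triage_all(rows):
    """Actions for a list of rows, in input order."""
    return [triage(r)[0] for r in rows]


def _row(vector, host, user, image, last_seen):
    # Constructed row in the shape of the query's groupBy output.
    return {"vector": vector, "ComputerName": host, "UserName": user,
            "ImageFileName": image, "lastSeen": last_seen}


# Constructed timestamps: 1700017200 = 2023-11-15T03:00:00Z, 1700056800 = 2023-11-15T14:00:00Z
SAMPLE_ROWS = [
    _row("IMDS Token Request", "linux-vm-7", "root", "/usr/sbin/waagent", 1700017200),
    _row("IMDS Token Request", "web-01", "svc_deploy",
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 1700017200),
    _row("Kubernetes Service Account Token", "k8s-node-3", "root", "/bin/cat", 1700017200),
    _row("Kubernetes Service Account Token", "build-srv-9", "jenkins", "/bin/cat", 1700017200),
    _row("OAuth Token Cache Access", "gha-runner-01", "svc_gha", "/usr/bin/python3", 1700017200),
    _row("OAuth Token Cache Access", "gha-runner-01", "svc_gha", "/usr/bin/python3", 1700056800),
    _row("OAuth Token Cache Access", "dev-laptop", "alice", "/usr/bin/python3", 1700056800),
]
```

The first sample row shows why the inventory-driven regex matters: the query's own allowlist only knows `waagent\.exe`, so the Linux agent at /usr/sbin/waagent would otherwise surface as a HIGH finding on every token refresh. The two runner rows differ only in time of day, which is enough to move the second one from suppression to escalation.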
Testing Methodology
Validate this detection against the four T1528 tests from Atomic Red Team listed below. Each test names the behaviour to exercise and the telemetry you should expect to see. The expected signals are written in Sysmon and Microsoft Defender for Endpoint terms; in Falcon telemetry the corresponding events are NetworkConnectIP4 for test 1 and FileOpenInfo or SuspiciousFileOpenInfo for tests 2 and 3, while test 4 produces Entra ID (Azure AD) audit log events only, which this endpoint query does not cover.
- Test 1: Query Azure IMDS Endpoint for Managed Identity Token
  Expected signal: Sysmon Event ID 3: Network Connection from powershell.exe to 169.254.169.254:80. DeviceNetworkEvents in MDE: RemoteIP=169.254.169.254, InitiatingProcessFileName=powershell.exe. The RemoteUrl field will contain the metadata identity path.
- Test 2: Read Kubernetes Service Account Token from Pod Filesystem
  Expected signal: Linux auditd syscall audit event for openat/read on /var/run/secrets/kubernetes.io/serviceaccount/token with the process name (cat or the shell). Sysmon for Linux Event ID 11 (if deployed) for file access. The token value (JWT) will be visible in any memory or command output capture.
- Test 3: Enumerate and Exfiltrate Azure CLI Token Cache
  Expected signal: Sysmon Event ID 11: File access/creation event with TargetFilename matching *msal_token_cache.json and Image=powershell.exe. DeviceFileEvents in MDE: FileName=msal_token_cache.json, ActionType=FileRead or FileAccessed, InitiatingProcessFileName=powershell.exe.
- Test 4: Register Malicious OAuth App and Simulate Consent Phishing Link
  Expected signal: Azure AD AuditLogs OperationName='Add application' followed by 'Update application' with permissions modification. The registered app will appear in AuditLogs with the requesting user's UPN and source IP. If a test user clicks the generated consent URL, AuditLogs will show OperationName='Consent to application' with the scopes granted.
References
- https://attack.mitre.org/techniques/T1528/
- https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token
- https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
- https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/
- https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks
- https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/
- https://auth0.com/learn/refresh-tokens
- https://web.archive.org/web/20220316130828/https://www.cidersecurity.io/top-10-cicd-security-risks/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md
- https://github.com/danielmiessler/SecLists
- https://github.com/AonCyberLabs/PMapper