Detect Steal Application Access Token in Splunk
Adversaries may steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens — including OAuth 2.0 tokens, Kubernetes service account tokens, cloud provider temporary credentials (Azure Managed Identity via IMDS, AWS STS instance role credentials, GCP service account tokens), and CI/CD pipeline secrets — authorize API requests on behalf of users or services. Token theft enables adversaries to impersonate legitimate identities, access cloud resources and SaaS platforms with the victim's permissions, and move laterally without requiring plaintext passwords. Real-world examples include APT29 stealing OAuth tokens via malicious application consent phishing, APT28 creating fraudulent OAuth apps masquerading as Google services, and threat actors exploiting compromised containers to extract Kubernetes service account tokens via the pod filesystem.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1528 Steal Application Access Token
- Canonical reference: https://attack.mitre.org/techniques/T1528/
SPL Detection Query
| union
[ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
DestinationIp="169.254.169.254"
NOT (Image="*\\waagent.exe" OR Image="*\\WindowsAzureGuestAgent.exe" OR Image="*\\WaAppAgent.exe" OR Image="*\\MonAgentCore.exe" OR Image="*\\HealthService.exe")
| eval Vector="IMDS Token Request"
| eval TokenPlatform=case(
match(DestinationHostname, "metadata.*identity"), "Azure Managed Identity",
match(DestinationHostname, "iam.*credentials"), "AWS Instance Role",
1=1, "Cloud IMDS")
| eval RiskDetail=Image." queried cloud IMDS endpoint: ".DestinationHostname
| eval Actor=User
| table _time, host, Actor, Image, CommandLine, DestinationIp, DestinationHostname, Vector, TokenPlatform, RiskDetail ],
[ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
(TargetFilename="*/var/run/secrets/kubernetes.io/serviceaccount/token*"
OR TargetFilename="*/run/secrets/kubernetes.io*token*"
OR TargetFilename="*msal_token_cache*"
OR TargetFilename="*accessTokens.json*"
OR TargetFilename="*application_default_credentials.json*"
OR TargetFilename="*.git-credentials*")
NOT (Image="*\\kubelet*" OR Image="*\\containerd*" OR Image="*\\gcloud*" OR Image="*\\az.exe" OR Image="*\\aws.exe")
| eval Vector=case(
match(TargetFilename, "kubernetes.io"), "Kubernetes Service Account Token",
match(TargetFilename, "msal|accessTokens|azureProfile"), "Azure OAuth Token Cache",
match(TargetFilename, "application_default"), "GCP Token Cache",
match(TargetFilename, "git-credentials"), "Git Credential Token",
1=1, "OAuth Token File")
| eval TokenPlatform=case(
match(TargetFilename, "kubernetes.io"), "Kubernetes",
match(TargetFilename, "msal|azure|accessTokens"), "Azure",
match(TargetFilename, "application_default|gcloud"), "GCP",
match(TargetFilename, "git-credentials"), "GitHub/Git",
1=1, "Multi-Cloud")
| eval RiskDetail=Image." created/modified token file: ".TargetFilename
| eval Actor=User
| table _time, host, Actor, Image, CommandLine, TargetFilename, Vector, TokenPlatform, RiskDetail ],
[ search index=o365 sourcetype="o365:management:activity"
(Operation="Consent to application" OR Operation="Add app role assignment to service principal" OR Operation="Add OAuth2PermissionGrant")
(Scope="Mail.ReadWrite" OR Scope="Files.ReadWrite.All" OR Scope="User.Read.All" OR Scope="Directory.ReadWrite.All" OR Scope="offline_access" OR ModifiedProperties="*Mail.Read*" OR ModifiedProperties="*full_access*")
| eval Vector="OAuth High-Privilege Consent Grant"
| eval TokenPlatform="Azure AD / Microsoft 365"
| eval RiskDetail="User ".UserId." consented to high-privilege OAuth app from IP: ".ClientIP
| eval Actor=UserId
| table _time, ClientIP, Actor, Operation, ModifiedProperties, Vector, TokenPlatform, RiskDetail ]
| eval SuspicionScore=case(
Vector="IMDS Token Request", 3,
Vector="Kubernetes Service Account Token", 3,
Vector="OAuth High-Privilege Consent Grant", 4,
Vector="Azure OAuth Token Cache", 2,
Vector="GCP Token Cache", 2,
Vector="Git Credential Token", 2,
1=1, 1)
| sort - _time
| table _time, host, Actor, Image, CommandLine, Vector, TokenPlatform, RiskDetail, SuspicionScore

Multi-vector Splunk detection for application access token theft. Covers three attack patterns using a union: (1) Sysmon Event ID 3 network connections to 169.254.169.254 (cloud IMDS) from processes other than legitimate Azure agents; (2) Sysmon Event ID 11 file creation events matching Kubernetes service account token paths and cloud CLI credential cache files written by unexpected processes; (3) Office 365 management activity logs showing OAuth consent grants with high-privilege scopes (Mail.ReadWrite, Files.ReadWrite.All, etc.). Each detection vector adds a suspicion score to help analysts prioritize. Requires Sysmon with FileCreate and NetworkConnect logging and the o365 add-on for OAuth consent coverage.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Security posture tools (Prisma Cloud, Wiz, Orca) scanning IMDS endpoints as part of cloud configuration assessment
- Developer tools and IDEs that legitimately write updated OAuth token caches when refreshing credentials during normal development workflows
- Kubernetes operators and admission webhooks that mount and interact with service account tokens as part of their design
- IT automation runbooks using Office 365 or Graph API OAuth tokens for legitimate administrative tasks such as bulk user provisioning or compliance reporting
- CI/CD agents refreshing cloud credentials — look for parent process context (jenkins-agent, runner, etc.) to differentiate from interactive token theft
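The scoring logic of the SPL query above, together with the parent-process tuning suggested in the false-positive list, as an added Python example that is not part of the original detection page: it re-implements the three union branches and the SuspicionScore case() statement over a handful of constructed Sysmon and Office 365 events, so the branch logic can be exercised offline before the search is deployed. The `sysmon:linux` sourcetype name and the CI/CD parent-process allow-list (`jenkins-agent`, `Runner.Listener`) are assumptions, not values taken from the query; all other patterns, exclusions, scopes and scores are copied from it.

```python
import fnmatch
import re

# Sysmon sourcetypes: the Windows one from the SPL query plus the Sysmon for Linux
# add-on sourcetype (name assumed here) for the Kubernetes token path.
SYSMON_WIN = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
SYSMON_LINUX = "sysmon:linux"
O365_TYPE = "o365:management:activity"
IMDS_IP = "169.254.169.254"

# Exclusions and file patterns copied from the SPL query.
IMDS_AGENT_ALLOWLIST = ["*\\waagent.exe", "*\\WindowsAzureGuestAgent.exe", "*\\WaAppAgent.exe",
                        "*\\MonAgentCore.exe", "*\\HealthService.exe"]
FILE_AGENT_ALLOWLIST = ["*\\kubelet*", "*\\containerd*", "*\\gcloud*", "*\\az.exe", "*\\aws.exe"]
TOKEN_FILE_PATTERNS = ["*/var/run/secrets/kubernetes.io/serviceaccount/token*",
                       "*/run/secrets/kubernetes.io*token*", "*msal_token_cache*", "*accessTokens.json*",
                       "*application_default_credentials.json*", "*.git-credentials*"]
# Assumed tuning knob from the false-positive notes (not in the SPL): parent processes
# of CI/CD agents that refresh cloud credentials inside a pipeline.
CI_PARENT_ALLOWLIST = ["*jenkins-agent*", "*Runner.Listener*"]
# (regex, Vector, TokenPlatform): the SPL derives the two fields with separate case()
# statements; these are the pairs it yields for the file patterns above.
FILE_VECTORS = [(r"kubernetes\.io", "Kubernetes Service Account Token", "Kubernetes"),
                (r"msal|accessTokens|azureProfile", "Azure OAuth Token Cache", "Azure"),
                (r"application_default", "GCP Token Cache", "GCP"),
                (r"git-credentials", "Git Credential Token", "GitHub/Git")]
CONSENT_OPERATIONS = {"Consent to application", "Add app role assignment to service principal",
                      "Add OAuth2PermissionGrant"}
HIGH_PRIV_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "User.Read.All",
                    "Directory.ReadWrite.All", "offline_access"}
SCORES = {"IMDS Token Request": 3, "Kubernetes Service Account Token": 3,
          "OAuth High-Privilege Consent Grant": 4, "Azure OAuth Token Cache": 2,
          "GCP Token Cache": 2, "Git Credential Token": 2}

def _matches_any(value, patterns):
    """Case-insensitive wildcard match, like Splunk's field=*pattern* comparison."""
    value = (value or "").lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)

def classify(ev):
    """Return (Vector, TokenPlatform, RiskDetail) for one event, or None if it is benign."""
    st, code = ev.get("sourcetype"), ev.get("EventCode")
    if st in (SYSMON_WIN, SYSMON_LINUX) and code == 3:            # vector 1: IMDS connection
        if ev.get("DestinationIp") != IMDS_IP or _matches_any(ev.get("Image"), IMDS_AGENT_ALLOWLIST):
            return None
        host = ev.get("DestinationHostname", "")
        platform = ("Azure Managed Identity" if re.search(r"metadata.*identity", host)
                    else "AWS Instance Role" if re.search(r"iam.*credentials", host) else "Cloud IMDS")
        return "IMDS Token Request", platform, f"{ev['Image']} queried cloud IMDS endpoint: {host}"
    if st in (SYSMON_WIN, SYSMON_LINUX) and code == 11:           # vector 2: token file written
        path = ev.get("TargetFilename", "")
        if not _matches_any(path, TOKEN_FILE_PATTERNS) or _matches_any(ev.get("Image"), FILE_AGENT_ALLOWLIST):
            return None
        if _matches_any(ev.get("ParentImage"), CI_PARENT_ALLOWLIST):
            return None                                            # pipeline refresh, tuned out
        vector, platform = next(((v, p) for rx, v, p in FILE_VECTORS if re.search(rx, path)),
                                ("OAuth Token File", "Multi-Cloud"))
        return vector, platform, f"{ev['Image']} created/modified token file: {path}"
    if st == O365_TYPE and ev.get("Operation") in CONSENT_OPERATIONS:  # vector 3: consent grant
        scopes, modified = set(ev.get("Scope", "").split()), ev.get("ModifiedProperties", "")
        if not (scopes & HIGH_PRIV_SCOPES or "Mail.Read" in modified or "full_access" in modified):
            return None
        return ("OAuth High-Privilege Consent Grant", "Azure AD / Microsoft 365",
                f"User {ev['UserId']} consented to high-privilege OAuth app from IP: {ev['ClientIP']}")
    return None

def score_events(events):
    """Classify every event, attach SuspicionScore and return the findings newest first."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            vector, platform, detail = hit
            findings.append({"_time": ev["_time"], "Actor": ev.get("User") or ev.get("UserId"),
                             "Image": ev.get("Image"), "Vector": vector, "TokenPlatform": platform,
                             "RiskDetail": detail, "SuspicionScore": SCORES.get(vector, 1)})
    return sorted(findings, key=lambda f: f["_time"], reverse=True)

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample events (not real telemetry); field names follow the SPL query.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "sourcetype": SYSMON_WIN, "EventCode": 3, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\WindowsAzure\\GuestAgent\\WindowsAzureGuestAgent.exe", "DestinationIp": IMDS_IP,
     "DestinationHostname": "metadata-identity.internal"},                          # Azure agent: excluded
    {"_time": "2024-05-01T10:05:00Z", "sourcetype": SYSMON_WIN, "EventCode": 3, "User": "CORP\\svc-web",
     "Image": PS, "DestinationIp": IMDS_IP, "DestinationHostname": "metadata-identity.internal"},
    {"_time": "2024-05-01T10:10:00Z", "sourcetype": SYSMON_LINUX, "EventCode": 11, "User": "root",
     "Image": "/bin/sh", "ParentImage": "/usr/bin/bash",
     "TargetFilename": "/var/run/secrets/kubernetes.io/serviceaccount/token"},
    {"_time": "2024-05-01T10:15:00Z", "sourcetype": SYSMON_WIN, "EventCode": 11, "User": "CORP\\build",
     "Image": "C:\\Program Files\\dotnet\\dotnet.exe", "ParentImage": "C:\\Jenkins\\jenkins-agent.exe",
     "TargetFilename": "C:\\Users\\build\\.azure\\msal_token_cache.json"},         # CI refresh: tuned out
    {"_time": "2024-05-01T10:20:00Z", "sourcetype": SYSMON_WIN, "EventCode": 11, "User": "CORP\\dev",
     "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\dev\\.git-credentials"},
    {"_time": "2024-05-01T10:30:00Z", "sourcetype": O365_TYPE, "Operation": "Consent to application",
     "Scope": "Mail.ReadWrite offline_access", "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},
    {"_time": "2024-05-01T10:35:00Z", "sourcetype": O365_TYPE, "Operation": "Consent to application",
     "Scope": "User.Read", "UserId": "bob@example.com", "ClientIP": "203.0.113.11"},  # low privilege: ignored
]
```

Running `score_events(SAMPLE_EVENTS)` yields four findings ordered newest first: the consent grant (score 4), the `.git-credentials` write (2), the Kubernetes token write from `/bin/sh` (3) and the PowerShell IMDS request (3); the Azure guest agent, the Jenkins-parented MSAL cache refresh and the `User.Read` consent are dropped. Note that wildcard matching is done case-insensitively to mirror Splunk field comparisons, while the `match()` regexes stay case-sensitive as they are in the SPL; the Vector and TokenPlatform pairs are derived from one lookup table here rather than from two independent case() statements, which agrees with the query for every file pattern it lists.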
Other platforms for T1528
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Query Azure IMDS Endpoint for Managed Identity Token
Expected signal: Sysmon Event ID 3: Network Connection from powershell.exe to 169.254.169.254:80. DeviceNetworkEvents in MDE: RemoteIP=169.254.169.254, InitiatingProcessFileName=powershell.exe. The RemoteUrl field will contain the metadata identity path.
- Test 2: Read Kubernetes Service Account Token from Pod Filesystem
Expected signal: Linux auditd syscall audit event for openat/read on /var/run/secrets/kubernetes.io/serviceaccount/token with the process name (cat or the shell). Sysmon for Linux Event ID 11 (if deployed) for file access. The token value (JWT) will be visible in any memory or command output capture.
- Test 3: Enumerate and Exfiltrate Azure CLI Token Cache
Expected signal: Sysmon Event ID 11: File access/creation event with TargetFilename matching *msal_token_cache.json and Image=powershell.exe. DeviceFileEvents in MDE: FileName=msal_token_cache.json, ActionType=FileRead or FileAccessed, InitiatingProcessFileName=powershell.exe.
- Test 4: Register Malicious OAuth App and Simulate Consent Phishing Link
Expected signal: Azure AD AuditLogs OperationName='Add application' followed by 'Update application' with permissions modification. The registered app will appear in AuditLogs with the requesting user's UPN and source IP. If a test user clicks the generated consent URL, AuditLogs will show OperationName='Consent to application' with the scopes granted.
References (13)
- https://attack.mitre.org/techniques/T1528/
- https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token
- https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
- https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/
- https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks
- https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/
- https://auth0.com/learn/refresh-tokens
- https://web.archive.org/web/20220316130828/https://www.cidersecurity.io/top-10-cicd-security-risks/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md
- https://github.com/danielmiessler/SecLists
- https://github.com/AonCyberLabs/PMapper