Detect Steal Application Access Token in Sumo Logic CSE
Adversaries may steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens — including OAuth 2.0 tokens, Kubernetes service account tokens, cloud provider temporary credentials (Azure Managed Identity via IMDS, AWS STS instance role credentials, GCP service account tokens), and CI/CD pipeline secrets — authorize API requests on behalf of users or services. Token theft enables adversaries to impersonate legitimate identities, access cloud resources and SaaS platforms with the victim's permissions, and move laterally without requiring plaintext passwords. Real-world examples include APT29 stealing OAuth tokens via malicious application consent phishing, APT28 creating fraudulent OAuth apps masquerading as Google services, and threat actors exploiting compromised containers to extract Kubernetes service account tokens via the pod filesystem.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1528 Steal Application Access Token
- Canonical reference
- https://attack.mitre.org/techniques/T1528/
Sumo Detection Query
(_index=sec_record* OR _sourceCategory=*endpoint* OR _sourceCategory=*windows* OR _sourceCategory=*linux* OR _sourceCategory=*azure* OR _sourceCategory=*o365*)
| where (
// Vector 1: IMDS token requests from unexpected processes
(
dstDevice_ip = "169.254.169.254"
and (
http_url matches "*metadata/identity*"
or http_url matches "*iam/security-credentials*"
// AWS IMDSv2: the PUT to /latest/api/token precedes the credential read on hardened instances
or http_url matches "*latest/api/token*"
or http_url matches "*computeMetadata/v1/instance/service-accounts*"
// /metadata/instance returns instance metadata, not a token; keep it only if the extra noise is acceptable
or http_url matches "*metadata/instance*"
)
// exclusions match on the process name, which an attacker controls; keep them as narrow as the telemetry allows
and not (
application matches "*waagent*"
or application matches "*WindowsAzureGuestAgent*"
or application matches "*WaAppAgent*"
or application matches "*MonAgentCore*"
or application matches "*HealthService*"
or application matches "*/azd"
or application matches "*azd.exe*"
or application matches "*AzureCLI*"
or application matches "*amazon-ssm-agent*"
or application matches "*amazon-cloudwatch-agent*"
or application matches "*google_guest_agent*"
)
)
or
// Vector 2: Kubernetes service account token file reads by unexpected processes
(
normalizedAction in ("open", "read", "access")
and (
file_path matches "*/var/run/secrets/kubernetes.io/serviceaccount/*"
or file_path matches "*/run/secrets/kubernetes.io/*"
or file_path matches "*/var/run/secrets/tokens/*"
)
and not (
application matches "*kubelet*"
or application matches "*pause*"
or application matches "*containerd*"
or application matches "*runc*"
or application matches "*cri-o*"
or application matches "*dockerd*"
)
)
or
// Vector 3: OAuth and cloud CLI token cache file access by unexpected processes
(
normalizedAction in ("open", "read", "access", "modify")
and (
file_path matches "*msal_token_cache*"
or file_path matches "*accessTokens.json*"
or file_path matches "*application_default_credentials.json*"
or file_path matches "*azureProfile.json*"
or file_path matches "*.git-credentials*"
or file_path matches "*TokenCache.dat*"
// no path separator in the directory patterns, so both ~/.config/gcloud/x.json and %APPDATA%\gcloud\x.json match
or (file_path matches "*gcloud*" and file_path matches "*.json")
or (file_path matches "*.azure*" and file_path matches "*.json")
)
and not (
application matches "*gcloud*"
or application matches "*/aws"
or application matches "*aws.exe*"
or application matches "*/az"
or application matches "*az.exe*"
or application matches "*/gh"
or application matches "*gh.exe*"
or application matches "*/git"
or application matches "*git.exe*"
or application matches "*terraform*"
or application matches "*kubectl*"
or application matches "*Code.exe*"
or application matches "*/code"
)
)
or
// Vector 4: High-privilege OAuth consent grants
(
normalizedAction in ("Consent to application", "Add app role assignment to service principal", "Add OAuth2PermissionGrant", "Add delegated permission grant")
and (
ModifiedProperties matches "*Mail.ReadWrite*"
or ModifiedProperties matches "*Files.ReadWrite.All*"
or ModifiedProperties matches "*User.Read.All*"
or ModifiedProperties matches "*Directory.ReadWrite.All*"
or ModifiedProperties matches "*offline_access*"
or ModifiedProperties matches "*full_access_as_user*"
or ModifiedProperties matches "*EWS.AccessAsUser.All*"
)
)
)
| if(dstDevice_ip = "169.254.169.254", "IMDS Token Request",
if(file_path matches "*kubernetes.io*" or file_path matches "*/secrets/tokens/*", "Kubernetes Service Account Token",
if(file_path matches "*msal*" or file_path matches "*.azure*" or file_path matches "*accessTokens*" or file_path matches "*TokenCache.dat*", "Azure OAuth Token Cache",
if(file_path matches "*application_default*" or file_path matches "*gcloud*", "GCP Token Cache",
if(file_path matches "*.git-credentials*", "Git Credential Token",
if(normalizedAction in ("Consent to application", "Add app role assignment to service principal", "Add OAuth2PermissionGrant", "Add delegated permission grant"), "OAuth Consent Grant",
"Unknown")))))) as vector
| if(normalizedAction in ("Consent to application", "Add app role assignment to service principal", "Add OAuth2PermissionGrant", "Add delegated permission grant"), "Microsoft Entra ID",
if(file_path matches "*kubernetes.io*" or file_path matches "*/secrets/tokens/*", "Kubernetes",
if(file_path matches "*msal*" or file_path matches "*.azure*" or file_path matches "*accessTokens*" or file_path matches "*TokenCache.dat*", "Azure",
if(file_path matches "*application_default*" or file_path matches "*gcloud*", "GCP",
if(file_path matches "*.git-credentials*", "GitHub/Git",
if(dstDevice_ip = "169.254.169.254" and http_url matches "*metadata/identity*", "Azure Managed Identity",
if(dstDevice_ip = "169.254.169.254" and (http_url matches "*iam/security-credentials*" or http_url matches "*latest/api/token*"), "AWS Instance Role",
if(dstDevice_ip = "169.254.169.254" and http_url matches "*service-accounts*", "GCP Service Account",
"Unknown")))))))) as tokenPlatform
| if(vector in ("IMDS Token Request", "Kubernetes Service Account Token"), 3,
if(vector = "OAuth Consent Grant", 4,
if(vector in ("Azure OAuth Token Cache", "GCP Token Cache", "Git Credential Token"), 2, 1))) as suspicionScore
| count by _messageTime, srcDevice_hostname, user_username, application, commandLine, file_path, http_url, vector, tokenPlatform, suspicionScore
| sort by _messageTime desc
Detects T1528 application access token theft in Sumo Logic Cloud SIEM Enterprise using normalized CSE schema fields across four detection vectors: (1) network connections to the IMDS link-local IP from processes outside the approved cloud agent list; (2) file system access to Kubernetes service account token paths by non-orchestration processes; (3) reads or modifications to OAuth and cloud CLI token cache files (MSAL, GCP ADC, Azure CLI, Git credentials) from untrusted processes; and (4) high-privilege OAuth application consent events with sensitive Microsoft 365 permission scopes. Requires Cloud SIEM Enterprise with endpoint telemetry mapped to the normalized schema (dstDevice_ip, http_url, file_path, application, normalizedAction, user_username). Adjust field names to match your Sumo Logic field extraction configuration if not using CSE normalized fields.
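As an added example that is not part of this page or of Sumo Logic, here are the four vectors above re-implemented in Python and run over constructed CSE-style records, so the classification and scoring can be checked offline. It follows the query's field names (dstDevice_ip, http_url, file_path, application, normalizedAction, ModifiedProperties, srcDevice_hostname, user_username) and goes a little beyond the query in three places: paths are separator-normalised so Windows token caches match, the AWS IMDSv2 session-token path is included, and agent exclusions compare the exact executable basename rather than a substring. The sample records and the agent names in the allow-lists are assumptions, not telemetry from any real environment.

```python
"""Added example (not Sumo Logic or page code): the four T1528 vectors of the query
above as plain Python over constructed CSE-style records. All records are made up."""
import fnmatch

IMDS_IP = "169.254.169.254"

# Vector 1: token-issuing IMDS paths ("latest/api/token" is the AWS IMDSv2 session token).
IMDS_TOKEN_URLS = ("*metadata/identity*", "*iam/security-credentials*",
                   "*latest/api/token*", "*computemetadata/v1/instance/service-accounts*")
# Cloud agents expected to hit IMDS (assumed names), compared on the exact executable
# basename rather than a substring, so "evil-waagent" is not silently excluded.
IMDS_ALLOWED = {"waagent", "windowsazureguestagent", "waappagent", "monagentcore",
                "amazon-ssm-agent", "amazon-cloudwatch-agent", "google_guest_agent"}

# Vector 2: in-cluster service account token mounts (legacy secret and projected).
K8S_TOKEN_PATHS = ("*/var/run/secrets/kubernetes.io/serviceaccount/*",
                   "*/run/secrets/kubernetes.io/*", "*/var/run/secrets/tokens/*")
K8S_ALLOWED = {"kubelet", "pause", "containerd", "runc", "crio", "dockerd"}

# Vector 3: (path pattern, platform). Paths are lower-cased and "\" becomes "/" before
# matching, so C:\Users\a\.azure\msal_token_cache.bin and ~/.azure/msal_token_cache.json
# hit the same rule.
TOKEN_CACHES = (
    ("*msal_token_cache*", "Azure"), ("*accesstokens.json", "Azure"),
    ("*azureprofile.json", "Azure"), ("*tokencache.dat", "Azure"), ("*/.azure/*.json", "Azure"),
    ("*application_default_credentials.json", "GCP"), ("*gcloud/*.json", "GCP"),
    ("*/.git-credentials", "GitHub/Git"),
)
CACHE_VECTOR = {"Azure": "Azure OAuth Token Cache", "GCP": "GCP Token Cache",
                "GitHub/Git": "Git Credential Token"}
CACHE_ALLOWED = {"gcloud", "aws", "az", "gh", "git", "terraform", "kubectl", "code"}

# Vector 4: Entra ID consent/grant operations and the scopes worth a look.
CONSENT_ACTIONS = {"Consent to application", "Add app role assignment to service principal",
                   "Add OAuth2PermissionGrant", "Add delegated permission grant"}
SENSITIVE_SCOPES = ("Mail.ReadWrite", "Files.ReadWrite.All", "User.Read.All",
                    "Directory.ReadWrite.All", "offline_access", "full_access_as_user",
                    "EWS.AccessAsUser.All")
READ_ACTIONS = {"open", "read", "access"}


def _norm(value: str) -> str:
    return value.replace("\\", "/").lower()


def _exe(application: str) -> str:
    """Executable basename without .exe, e.g. C:\\...\\powershell.exe -> powershell."""
    name = _norm(application).rsplit("/", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def _glob(value: str, patterns) -> bool:
    return any(fnmatch.fnmatchcase(_norm(value), p) for p in patterns)


def _hit(vector: str, platform: str, score: int, **extra) -> dict:
    return {"vector": vector, "tokenPlatform": platform, "suspicionScore": score, **extra}


def evaluate(rec: dict):
    """Classify one record; None means excluded by an allow-list or simply benign."""
    app = _exe(rec.get("application", ""))
    action, url, path = rec.get("normalizedAction", ""), rec.get("http_url", ""), rec.get("file_path", "")

    if rec.get("dstDevice_ip") == IMDS_IP and _glob(url, IMDS_TOKEN_URLS):
        if app in IMDS_ALLOWED:
            return None
        u = _norm(url)
        platform = ("Azure Managed Identity" if "metadata/identity" in u
                    else "GCP Service Account" if "service-accounts" in u
                    else "AWS Instance Role")
        return _hit("IMDS Token Request", platform, 3)

    if action in READ_ACTIONS and _glob(path, K8S_TOKEN_PATHS):
        return None if app in K8S_ALLOWED else _hit("Kubernetes Service Account Token", "Kubernetes", 3)

    if action in READ_ACTIONS | {"modify"}:
        for pattern, platform in TOKEN_CACHES:
            if _glob(path, (pattern,)):
                return None if app in CACHE_ALLOWED else _hit(CACHE_VECTOR[platform], platform, 2)

    if action in CONSENT_ACTIONS:
        scopes = [s for s in SENSITIVE_SCOPES if s in rec.get("ModifiedProperties", "")]
        if scopes:
            return _hit("OAuth Consent Grant", "Microsoft Entra ID", 4, scopes=scopes)
    return None


def run(records) -> list:
    """Evaluate every record and return the hits, highest suspicionScore first."""
    hits = [{"host": r.get("srcDevice_hostname"), "user": r.get("user_username"),
             "application": r.get("application"), **h}
            for r in records if (h := evaluate(r))]
    return sorted(hits, key=lambda h: -h["suspicionScore"])


# Constructed sample records, not real telemetry.
IMDS = {"dstDevice_ip": IMDS_IP, "srcDevice_hostname": "web-01"}
SAMPLE_RECORDS = [
    {**IMDS, "user_username": "www-data", "application": "/usr/bin/curl",
     "http_url": "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"},
    {**IMDS, "user_username": "root", "application": "/usr/sbin/waagent",
     "http_url": "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01"},
    {**IMDS, "user_username": "root", "application": "/usr/bin/amazon-ssm-agent",
     "http_url": "http://169.254.169.254/latest/api/token"},
    {**IMDS, "user_username": "app", "application": "/usr/bin/python3",
     "http_url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role"},
    {"srcDevice_hostname": "node-3", "user_username": "root", "application": "/bin/cat",
     "normalizedAction": "open", "file_path": "/var/run/secrets/kubernetes.io/serviceaccount/token"},
    {"srcDevice_hostname": "node-3", "user_username": "root", "application": "/usr/bin/kubelet",
     "normalizedAction": "open", "file_path": "/var/run/secrets/kubernetes.io/serviceaccount/token"},
    {"srcDevice_hostname": "WS-ALICE", "user_username": "alice",
     "application": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "normalizedAction": "read", "file_path": "C:\\Users\\alice\\.azure\\msal_token_cache.bin"},
    {"srcDevice_hostname": "dev-02", "user_username": "alice", "application": "/usr/bin/gcloud",
     "normalizedAction": "read", "file_path": "/home/alice/.config/gcloud/application_default_credentials.json"},
    {"srcDevice_hostname": "dev-02", "user_username": "alice", "application": "/usr/bin/perl",
     "normalizedAction": "read", "file_path": "/home/alice/.git-credentials"},
    {"srcDevice_hostname": "entra", "user_username": "bob@contoso.example", "application": "",
     "normalizedAction": "Consent to application",
     "ModifiedProperties": '[{"Name":"ConsentAction.Permissions","NewValue":"Scope: Mail.ReadWrite offline_access User.Read"}]'},
    {"srcDevice_hostname": "dev-02", "user_username": "alice", "application": "/bin/bash",
     "normalizedAction": "open", "file_path": "/etc/hosts"},
]

if __name__ == "__main__":
    for hit in run(SAMPLE_RECORDS):
        print(hit)
```

Run directly it prints six hits: the consent grant first (score 4), then the curl, python3 and cat reads (score 3), then the PowerShell and perl cache reads (score 2); the waagent, amazon-ssm-agent, kubelet and gcloud records are dropped by the allow-lists and /etc/hosts never matches. Exact-basename allow-lists are still only process names, which an attacker chooses; in production pin the exclusions to a file hash or signer where the telemetry carries one.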
Data Sources
Required Tables
False Positives & Tuning
- Cloud VM monitoring agents (Azure Monitor Agent, Amazon CloudWatch Agent, Google Cloud Ops Agent) and guest agents (waagent, amazon-ssm-agent, google_guest_agent) legitimately contact 169.254.169.254 for token refresh and instance metadata; verify against your approved cloud agent binary inventory and adjust the application exclusion list per environment
- The application exclusions match on process names, which an attacker controls: a binary renamed to waagent bypasses Vector 1 entirely. Where the telemetry carries a file hash or code signer, pin the exclusions to those fields instead, and alert separately when an excluded name runs from an unexpected path
- Sysmon Event ID 3 records only the destination IP and port, so http_url is empty for Sysmon-sourced records and the URL clauses of Vector 1 never match; either accept every connection to 169.254.169.254 from a non-agent process, or source Vector 1 from telemetry that captures the request path (EDR HTTP events or a proxy log)
- Windows paths use backslashes; keep the file_path patterns free of path separators (or normalise separators in the field extraction) so C:\Users\...\.azure\msal_token_cache.bin matches, and remember the Azure CLI cache is msal_token_cache.bin (DPAPI-encrypted) on Windows and msal_token_cache.json on Linux/macOS, while accessTokens.json is the legacy pre-MSAL cache
- Kubernetes admission controllers, operators, and init containers access service account tokens during pod scheduling and cluster API authentication; correlate with known Kubernetes node srcDevice_hostname values and system namespace service accounts before escalating
- Security posture management tools (Wiz, Orca, Lacework) and secrets scanning agents performing credential exposure audits may read token cache files during scheduled scans; validate against your security tool deployment schedule and service account user_username values
Testing Methodology
Validate this detection with the four tests below, which follow the Atomic Red Team T1528 atomics. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Query Azure IMDS Endpoint for Managed Identity Token
Expected signal: Sysmon Event ID 3: Network Connection from powershell.exe to 169.254.169.254:80 (destination IP and port only; Sysmon does not record the request path). DeviceNetworkEvents in MDE: RemoteIP=169.254.169.254, InitiatingProcessFileName=powershell.exe; RemoteUrl carries the metadata identity path only when MDE captures it for a plain-HTTP request to a raw IP, so do not rely on it for the http_url clauses.
- Test 2: Read Kubernetes Service Account Token from Pod Filesystem
Expected signal: Linux auditd syscall record for openat/read on /var/run/secrets/kubernetes.io/serviceaccount/token (requires a -w watch rule or an openat syscall rule on that path) with the process name (cat or the shell). Sysmon for Linux Event ID 11 is FileCreate and does not record reads, so it will not see this test; use auditd or an eBPF-based EDR file-access event instead. The token value (a JWT) will be visible in any command output or memory capture.
- Test 3: Enumerate and Exfiltrate Azure CLI Token Cache
Expected signal: reading the cache does not by itself produce a Sysmon file event; Sysmon Event ID 11 (FileCreate) fires only when the cache is copied or exported to a new file, with TargetFilename pointing at the copy and Image=powershell.exe. In MDE, DeviceProcessEvents shows the powershell.exe command line referencing msal_token_cache.*, and DeviceFileEvents shows FileCreated or FileModified for any copy or staged archive. The cache is msal_token_cache.bin (DPAPI-encrypted) on Windows and msal_token_cache.json on Linux/macOS; the query's *msal_token_cache* pattern matches both.
- Test 4: Register Malicious OAuth App and Simulate Consent Phishing Link
Expected signal: Microsoft Entra ID AuditLogs OperationName='Add application' followed by 'Update application' with permissions modification. The registered app will appear in AuditLogs with the requesting user's UPN and source IP. If a test user clicks the generated consent URL, AuditLogs will show OperationName='Consent to application' with the scopes granted, which is what Vector 4 keys on.
References (13)
- https://attack.mitre.org/techniques/T1528/
- https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token
- https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
- https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/
- https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks
- https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/
- https://auth0.com/learn/refresh-tokens
- https://web.archive.org/web/20220316130828/https://www.cidersecurity.io/top-10-cicd-security-risks/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md
- https://github.com/danielmiessler/SecLists
- https://github.com/AonCyberLabs/PMapper