Detect Application Access Token in Google Chronicle
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud and SaaS environments. Stolen OAuth tokens can grant long-term access to resources — including email, files, and cloud infrastructure — without requiring the original user credentials. Token-based API access bypasses MFA controls entirely and may persist even after password resets, since token validity is independent of the user's password. Adversaries exploit this in Microsoft 365 environments via OAuth phishing (APT28, HAFNIUM), in AWS via STS federation token generation, and in Kubernetes via stolen service account tokens (Peirates).
MITRE ATT&CK
- Tactic
- Defense Evasion Lateral Movement
- Sub-technique
- T1550.001 Application Access Token
- Canonical reference
- https://attack.mitre.org/techniques/T1550/001/
YARA-L Detection Query
rule t1550_001_application_access_token_abuse {
meta:
author = "df00tech"
description = "Detects stolen OAuth application access token abuse via non-interactive single-factor authentication to sensitive Microsoft cloud resources from automated HTTP clients"
severity = "HIGH"
priority = "HIGH"
mitre_attack_tactic = "Defense Evasion, Lateral Movement"
mitre_attack_technique = "T1550.001"
mitre_attack_url = "https://attack.mitre.org/techniques/T1550/001/"
reference = "APT28 OAuth phishing, HAFNIUM token theft, Peirates Kubernetes service account token abuse"
version = "1.0"
events:
$auth.metadata.event_type = "USER_LOGIN"
$auth.metadata.product_name = "Azure Active Directory"
$auth.extensions.auth.auth_details = "NonInteractive"
$auth.security_result.action = "ALLOW"
(
re.regex($auth.network.http.user_agent,
`(?i)(python-requests|curl/|wget/|go-http-client|okhttp/|node-fetch|axios/|postmanruntime|libcurl|ruby|aiohttp|httpx|java/)`)
or $auth.target.application.asset_id in (
"Microsoft Graph",
"Office 365 Exchange Online",
"SharePoint Online",
"Microsoft Teams",
"OneDrive",
"Azure Key Vault",
"Windows Azure Service Management API"
)
)
$auth.extensions.auth.mechanism != "MECHANISM_UNSPECIFIED"
not $auth.extensions.auth.auth_details = "Interactive"
$auth.principal.user.email_addresses = $user
$auth.principal.ip = $src_ip
match:
$user over 1h
outcome:
$risk_score = max(
if(#auth > 50, 95,
if(#auth > 20, 80,
if(#auth > 10, 65, 50)))
)
$token_use_count = count_distinct($auth.metadata.id)
$unique_ips = count_distinct($src_ip)
$resources_accessed = array_distinct($auth.target.application.asset_id)
$user_agents = array_distinct($auth.network.http.user_agent)
$source_ips = array_distinct($src_ip)
condition:
#auth > 10 or count_distinct($src_ip) >= 2
}Chronicle YARA-L 2.0 rule detecting OAuth application access token abuse in Microsoft Azure AD environments. Matches non-interactive successful authentications using automated HTTP client user agents or targeting high-value Microsoft cloud resources, then aggregates per user over 1-hour windows. Triggers on 10+ token uses in 1 hour or 2+ distinct source IPs using the same identity — the multi-IP pattern is the strongest indicator of a stolen token being replayed from adversary infrastructure.
Data Sources
Required Tables
False Positives & Tuning
- Service accounts used by automation platforms (Terraform, Ansible, Azure DevOps pipelines) that authenticate to Azure management APIs from multiple runner agents or ephemeral cloud instances, producing legitimate multi-IP token use patterns
- Federated identity scenarios where employees authenticate through a corporate identity provider that proxies requests through multiple egress IPs, making single tokens appear to originate from different addresses
- Microsoft's own first-party apps and background services (Exchange health probes, SharePoint crawlers) that use non-interactive delegated token flows internally and may be ingested into Chronicle as user-attributed events
Other platforms for T1550.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1OAuth Refresh Token Exchange for Microsoft Graph Access Token
Expected signal: AADNonInteractiveUserSignInLogs entry: ResultType=0, AuthenticationRequirement=singleFactorAuthentication, ClientAppUsed=MSAL (or legacy), AppId matching CLIENT_ID, ResourceDisplayName=Microsoft Graph. The user-agent will be curl/x.x.x, triggering the HasSuspiciousAgent filter.
- Test 2Microsoft Graph API Mailbox Enumeration Using Stolen Bearer Token
Expected signal: Microsoft 365 Unified Audit Log: MailItemsAccessed and MessageBind operations generated per message accessed; FileAccessed for drive enumeration — all attributed to the AppId that issued the token. AADNonInteractiveUserSignInLogs shows a non-interactive sign-in for Microsoft Graph resource with AuthenticationRequirement=singleFactorAuthentication.
- Test 3AWS STS GetFederationToken for Persistent Secondary Credential
Expected signal: AWS CloudTrail event: eventName=GetFederationToken, eventSource=sts.amazonaws.com, userIdentity.type=IAMUser, requestParameters.name=df00tech-test-session. Subsequent GetCallerIdentity shows userIdentity.type=FederatedUser, confirming token independence.
- Test 4Kubernetes Service Account Token Lateral Movement
Expected signal: Kubernetes API server audit log: authentication events with userInfo.username=system:serviceaccount:<namespace>:<serviceaccount>, verb=list, resource=secrets, namespace=<namespace>. Cross-namespace kube-system access attempt appears as a separate event with responseStatus.code=403 (if RBAC is properly configured). In EKS, AKS, and GKE these events appear in CloudTrail, Azure Monitor, and Cloud Audit Logs respectively.
References (12)
- https://attack.mitre.org/techniques/T1550/001/
- https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
- https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
- https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailitemsaccessed
- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html
- https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/
- https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/
- https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://github.com/dafthack/GraphRunner
- https://github.com/mandiant/Mandiant-Azure-AD-Investigator
- https://github.com/inguardians/peirates
Unlock Pro Content
Get the full detection package for T1550.001 including response playbook, investigation guide, and atomic red team tests.