Detect Application Access Token in Elastic Security
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud and SaaS environments. Stolen OAuth tokens can grant long-term access to resources — including email, files, and cloud infrastructure — without requiring the original user credentials. Token-based API access bypasses MFA controls entirely and may persist even after password resets, since token validity is independent of the user's password. Adversaries exploit this in Microsoft 365 environments via OAuth phishing (APT28, HAFNIUM), in AWS via STS federation token generation, and in Kubernetes via stolen service account tokens (Peirates).
MITRE ATT&CK
- Tactic
- Defense Evasion Lateral Movement
- Sub-technique
- T1550.001 Application Access Token
- Canonical reference
- https://attack.mitre.org/techniques/T1550/001/
Elastic Detection Query
authentication where event.outcome == "success"
and event.dataset == "azure.signinlogs"
and azure.signinlogs.properties.is_interactive == false
and azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication"
and azure.signinlogs.properties.conditional_access_status in ("notApplied", "disabled", "notEnabled")
and (
azure.signinlogs.properties.user_agent like~ ("python-requests*", "curl/*", "wget/*", "Go-http-client*", "okhttp/*", "node-fetch*", "axios/*", "PostmanRuntime*", "libcurl*", "ruby*", "aiohttp*", "httpx*", "java/*")
or azure.signinlogs.properties.resource_display_name in~ ("Microsoft Graph", "Office 365 Exchange Online", "SharePoint Online", "Microsoft Teams", "OneDrive", "Azure Key Vault", "Windows Azure Service Management API")
)
/* Pair with Elastic SIEM threshold rule: group by azure.signinlogs.properties.user_principal_name,
azure.signinlogs.properties.ip_address over 1h, alert when count >= 5 or distinct
azure.signinlogs.properties.resource_display_name >= 3 or distinct
azure.signinlogs.properties.ip_address >= 2 */Detects suspicious non-interactive (token-based) authentication to Microsoft cloud resources that bypasses MFA. Focuses on automated user agents (scripting tools, HTTP libraries) and access to sensitive resources like Microsoft Graph, Exchange Online, and SharePoint. Token-based access is a hallmark of stolen OAuth token abuse where adversaries leverage long-lived tokens that remain valid even after password resets. Configure as a threshold rule in Elastic SIEM: alert when the same user accumulates 10+ events, 3+ distinct resources, or 2+ distinct source IPs within a 1-hour window.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate service accounts and automation pipelines using service principals with client credential flows — these generate non-interactive sign-ins with script-like user agents at high volume
- DevOps CI/CD systems (GitHub Actions, Azure DevOps) authenticating to Microsoft Graph or Azure APIs using managed identities or service principals during automated deployments
- Monitoring and observability tools (Datadog, Dynatrace, custom scripts) that periodically poll Microsoft 365 APIs using OAuth tokens for health checks or metric collection
Other platforms for T1550.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1OAuth Refresh Token Exchange for Microsoft Graph Access Token
Expected signal: AADNonInteractiveUserSignInLogs entry: ResultType=0, AuthenticationRequirement=singleFactorAuthentication, ClientAppUsed=MSAL (or legacy), AppId matching CLIENT_ID, ResourceDisplayName=Microsoft Graph. The user-agent will be curl/x.x.x, triggering the HasSuspiciousAgent filter.
- Test 2Microsoft Graph API Mailbox Enumeration Using Stolen Bearer Token
Expected signal: Microsoft 365 Unified Audit Log: MailItemsAccessed and MessageBind operations generated per message accessed; FileAccessed for drive enumeration — all attributed to the AppId that issued the token. AADNonInteractiveUserSignInLogs shows a non-interactive sign-in for Microsoft Graph resource with AuthenticationRequirement=singleFactorAuthentication.
- Test 3AWS STS GetFederationToken for Persistent Secondary Credential
Expected signal: AWS CloudTrail event: eventName=GetFederationToken, eventSource=sts.amazonaws.com, userIdentity.type=IAMUser, requestParameters.name=df00tech-test-session. Subsequent GetCallerIdentity shows userIdentity.type=FederatedUser, confirming token independence.
- Test 4Kubernetes Service Account Token Lateral Movement
Expected signal: Kubernetes API server audit log: authentication events with userInfo.username=system:serviceaccount:<namespace>:<serviceaccount>, verb=list, resource=secrets, namespace=<namespace>. Cross-namespace kube-system access attempt appears as a separate event with responseStatus.code=403 (if RBAC is properly configured). In EKS, AKS, and GKE these events appear in CloudTrail, Azure Monitor, and Cloud Audit Logs respectively.
References (12)
- https://attack.mitre.org/techniques/T1550/001/
- https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
- https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
- https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailitemsaccessed
- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html
- https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/
- https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/
- https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://github.com/dafthack/GraphRunner
- https://github.com/mandiant/Mandiant-Azure-AD-Investigator
- https://github.com/inguardians/peirates
Unlock Pro Content
Get the full detection package for T1550.001 including response playbook, investigation guide, and atomic red team tests.