Detect Application Access Token in CrowdStrike LogScale
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud and SaaS environments. Stolen OAuth tokens can grant long-term access to resources — including email, files, and cloud infrastructure — without requiring the original user credentials. Token-based API access bypasses MFA controls entirely and may persist even after password resets, since token validity is independent of the user's password. Adversaries exploit this in Microsoft 365 environments via OAuth phishing (APT28, HAFNIUM), in AWS via STS federation token generation, and in Kubernetes via stolen service account tokens (Peirates).
MITRE ATT&CK
- Tactic
- Defense Evasion Lateral Movement
- Sub-technique
- T1550.001 Application Access Token
- Canonical reference
- https://attack.mitre.org/techniques/T1550/001/
LogScale Detection Query
// CrowdStrike Falcon — OAuth token abuse via endpoint process behavior
// Detects processes making automated API calls to Microsoft identity and cloud endpoints
// which is the endpoint manifestation of T1550.001 token theft and replay
#event_simpleName = "ProcessRollup2"
| CommandLine = /(?i)(graph\.microsoft\.com|login\.microsoftonline\.com|outlook\.office365\.com|sharepoint\.com|vault\.azure\.net)/
| CommandLine = /(?i)(bearer|access_token|oauth|Authorization:|--header|curl|wget|python|invoke-webrequest|invoke-restmethod)/
| case {
ImageFileName = /(?i)(\\python[0-9]*\.exe|\\curl\.exe|\\wget\.exe|\\powershell\.exe|\\pwsh\.exe)/ |
ToolCategory := "Known HTTP tool" ;
CommandLine = /(?i)(invoke-restmethod|invoke-webrequest|\$headers|bearer)/ |
ToolCategory := "PowerShell API call" ;
CommandLine = /(?i)(curl|wget|http\.get|requests\.get|fetch\()/ |
ToolCategory := "Script HTTP client" ;
* | ToolCategory := "Other"
}
| groupBy(
[ComputerName, UserName, ImageFileName, ToolCategory],
function=[
count(as=ApiCallCount),
collect(field=CommandLine, limit=5, as=CommandSamples),
min(field=@timestamp, as=FirstSeen),
max(field=@timestamp, as=LastSeen),
count(field=TargetProcessId, distinct=true, as=UniqueProcessInstances)
]
)
| ApiCallCount > 10
| sort(ApiCallCount, order=desc)
| select([ComputerName, UserName, ImageFileName, ToolCategory, ApiCallCount, UniqueProcessInstances, CommandSamples, FirstSeen, LastSeen])
/* SUPPLEMENTAL: Hunt for credential/token files accessed before API calls */
// #event_simpleName = "MotionDetected"
// | TargetFileName = /(?i)(\.token|\.json|access_token|refresh_token|credential|\bauth\b)/
// | groupBy([ComputerName, UserName, TargetFileName], function=count(as=AccessCount))
// | AccessCount > 3

Detects endpoint-side manifestations of OAuth application access token abuse (T1550.001) by identifying processes on workstations and servers making repeated automated HTTP calls to Microsoft identity endpoints (login.microsoftonline.com), Microsoft Graph, Exchange Online, SharePoint, or Azure Key Vault. While the primary token abuse occurs in the cloud, stolen tokens are typically deployed via scripts or tools running on attacker-controlled endpoints or compromised hosts. This query surfaces high-frequency API callers using known HTTP tools and scripting runtimes. Confidence is medium because legitimate automation tools trigger this pattern frequently — correlate with anomalous source hosts or off-hours execution for higher fidelity.
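The same filter, case classification, groupBy and threshold logic as the LogScale query above, re-implemented in Python over constructed ProcessRollup2-style events so the rule can be dry-run offline. This is an added example, not CrowdStrike's code; the event dicts, hostnames and threshold default are assumptions, and the five regexes are copied from the query.

```python
import re
from collections import defaultdict

# Constructed ProcessRollup2-style events (sample data, not real Falcon telemetry):
# 12 curl calls carrying a bearer token to Graph from one host, plus one benign admin call.
EVENTS = [
    {"ComputerName": "WS-042", "UserName": "jdoe", "TargetProcessId": 1000 + i,
     "ImageFileName": r"C:\Windows\System32\curl.exe",
     "CommandLine": 'curl.exe -H "Authorization: Bearer REDACTED_TOKEN" https://graph.microsoft.com/v1.0/me/messages'}
    for i in range(12)
] + [
    {"ComputerName": "JUMP-01", "UserName": "svc_automation", "TargetProcessId": 2000,
     "ImageFileName": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -c Invoke-RestMethod -Uri https://graph.microsoft.com/v1.0/users -Headers $headers"},
]

# The query's five regexes, unchanged apart from Python's re syntax.
ENDPOINT_RE = re.compile(r"(?i)(graph\.microsoft\.com|login\.microsoftonline\.com|outlook\.office365\.com|sharepoint\.com|vault\.azure\.net)")
TOKEN_RE = re.compile(r"(?i)(bearer|access_token|oauth|Authorization:|--header|curl|wget|python|invoke-webrequest|invoke-restmethod)")
KNOWN_TOOL_RE = re.compile(r"(?i)(\\python[0-9]*\.exe|\\curl\.exe|\\wget\.exe|\\powershell\.exe|\\pwsh\.exe)")
PS_API_RE = re.compile(r"(?i)(invoke-restmethod|invoke-webrequest|\$headers|bearer)")
SCRIPT_HTTP_RE = re.compile(r"(?i)(curl|wget|http\.get|requests\.get|fetch\()")

def tool_category(event):
    # Mirror of the query's case{} block: the first matching branch wins.
    if KNOWN_TOOL_RE.search(event["ImageFileName"]):
        return "Known HTTP tool"
    if PS_API_RE.search(event["CommandLine"]):
        return "PowerShell API call"
    if SCRIPT_HTTP_RE.search(event["CommandLine"]):
        return "Script HTTP client"
    return "Other"

def detect(events, threshold=10, sample_limit=5):
    # Filter on both CommandLine regexes, group like groupBy(), then apply ApiCallCount > threshold.
    groups = defaultdict(lambda: {"ApiCallCount": 0, "CommandSamples": [], "pids": set()})
    for ev in events:
        cl = ev["CommandLine"]
        if not (ENDPOINT_RE.search(cl) and TOKEN_RE.search(cl)):
            continue
        g = groups[(ev["ComputerName"], ev["UserName"], ev["ImageFileName"], tool_category(ev))]
        g["ApiCallCount"] += 1
        g["pids"].add(ev["TargetProcessId"])
        if len(g["CommandSamples"]) < sample_limit:  # collect(limit=5)
            g["CommandSamples"].append(cl)
    rows = [{"ComputerName": k[0], "UserName": k[1], "ImageFileName": k[2], "ToolCategory": k[3],
             "ApiCallCount": g["ApiCallCount"], "UniqueProcessInstances": len(g["pids"]),
             "CommandSamples": g["CommandSamples"]}
            for k, g in groups.items() if g["ApiCallCount"] > threshold]
    return sorted(rows, key=lambda r: r["ApiCallCount"], reverse=True)
```

Running `detect(EVENTS)` returns only the WS-042 curl group; the single pwsh call on JUMP-01 matches both filters but stays below the threshold, which is the tuning knob for the automation false positives listed below.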
Data Sources
Required Tables
False Positives & Tuning
- Legitimate DevOps and IT automation scripts (PowerShell runbooks, Python scripts, Terraform) that run on jump hosts or management servers to interact with Microsoft Graph or Azure REST APIs as part of normal infrastructure management
- Security tools like Microsoft Defender for Endpoint, Azure Arc agents, or Intune management clients that make periodic calls to Microsoft cloud APIs for telemetry, policy sync, or health reporting
- Developer workstations running local development tools (VS Code Azure extensions, Azure CLI, Graph Explorer) that generate API calls while engineers test integrations or debug cloud applications
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: OAuth Refresh Token Exchange for Microsoft Graph Access Token
Expected signal: AADNonInteractiveUserSignInLogs entry: ResultType=0, AuthenticationRequirement=singleFactorAuthentication, ClientAppUsed=MSAL (or legacy), AppId matching CLIENT_ID, ResourceDisplayName=Microsoft Graph. The user-agent will be curl/x.x.x, triggering the HasSuspiciousAgent filter.
- Test 2: Microsoft Graph API Mailbox Enumeration Using Stolen Bearer Token
Expected signal: Microsoft 365 Unified Audit Log: MailItemsAccessed and MessageBind operations generated per message accessed; FileAccessed for drive enumeration — all attributed to the AppId that issued the token. AADNonInteractiveUserSignInLogs shows a non-interactive sign-in for Microsoft Graph resource with AuthenticationRequirement=singleFactorAuthentication.
- Test 3: AWS STS GetFederationToken for Persistent Secondary Credential
Expected signal: AWS CloudTrail event: eventName=GetFederationToken, eventSource=sts.amazonaws.com, userIdentity.type=IAMUser, requestParameters.name=df00tech-test-session. Subsequent GetCallerIdentity shows userIdentity.type=FederatedUser, confirming token independence.
- Test 4: Kubernetes Service Account Token Lateral Movement
Expected signal: Kubernetes API server audit log: authentication events with userInfo.username=system:serviceaccount:<namespace>:<serviceaccount>, verb=list, resource=secrets, namespace=<namespace>. Cross-namespace kube-system access attempt appears as a separate event with responseStatus.code=403 (if RBAC is properly configured). In EKS, AKS, and GKE these events appear in CloudTrail, Azure Monitor, and Cloud Audit Logs respectively.
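A small checker for the Test 4 expected signal: it reads Kubernetes API server audit events (JSON lines), picks out service-account principals listing secrets, and separates in-namespace listing from cross-namespace attempts and whether RBAC denied them with a 403. This is an added example, not part of the original page or of Atomic Red Team; the audit events are constructed, and in audit.k8s.io/v1 JSON the principal lives under the `user` key (the page's "userInfo.username" refers to the same field).

```python
import json

# Constructed Kubernetes API server audit events (sample data, not captured from a real cluster).
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "list", "user": {"username": "system:serviceaccount:app-ns:web-sa"},
     "objectRef": {"resource": "secrets", "namespace": "app-ns"}, "responseStatus": {"code": 200}},
    {"verb": "list", "user": {"username": "system:serviceaccount:app-ns:web-sa"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system"}, "responseStatus": {"code": 403}},
    {"verb": "get", "user": {"username": "system:serviceaccount:app-ns:web-sa"},
     "objectRef": {"resource": "configmaps", "namespace": "app-ns"}, "responseStatus": {"code": 200}},
    {"verb": "list", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "secrets", "namespace": "app-ns"}, "responseStatus": {"code": 200}},
])

def sa_namespace(username):
    # system:serviceaccount:<namespace>:<name> -> <namespace>; None for non-service-account principals
    parts = username.split(":")
    return parts[2] if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"] else None

def find_sa_secret_listing(audit_text):
    # One finding per service-account 'list secrets' call, tagged by namespace scope and RBAC outcome.
    findings = []
    for line in audit_text.splitlines():
        ev = json.loads(line)
        ns = sa_namespace(ev["user"]["username"])
        ref = ev.get("objectRef", {})
        if ns is None or ref.get("resource") != "secrets" or ev["verb"] != "list":
            continue
        target = ref.get("namespace")
        code = ev.get("responseStatus", {}).get("code")
        if target != ns:
            # A 403 here is the signal the page describes for correctly configured RBAC;
            # an allowed cross-namespace listing is the higher-severity case.
            kind = "cross-namespace secrets list " + ("denied" if code == 403 else "ALLOWED")
        else:
            kind = "in-namespace secrets list"
        findings.append({"sa": ev["user"]["username"], "target": target, "code": code, "kind": kind})
    return findings
```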
References (12)
- https://attack.mitre.org/techniques/T1550/001/
- https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
- https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
- https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailitemsaccessed
- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html
- https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/
- https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/
- https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://github.com/dafthack/GraphRunner
- https://github.com/mandiant/Mandiant-Azure-AD-Investigator
- https://github.com/inguardians/peirates