T1550.001 · IBM QRadar

Detect Application Access Token in IBM QRadar

Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud and SaaS environments. A stolen OAuth token can grant long-lived access to resources such as email, files, and cloud infrastructure without the original user credentials. Because the token itself is the credential presented to the API, requests made with it are not subject to the MFA challenge that protected the original sign-in, and the token stays valid after a password reset unless it is explicitly revoked. Adversaries have used this technique in Microsoft 365 environments via OAuth phishing (APT28, HAFNIUM), in AWS via STS federation tokens (GetFederationToken), and in Kubernetes via stolen service account tokens (Peirates).

MITRE ATT&CK

Tactic
Defense Evasion, Lateral Movement
Technique
T1550 Use Alternate Authentication Material
Sub-technique
T1550.001 Application Access Token
Canonical reference
https://attack.mitre.org/techniques/T1550/001/

QRadar Detection Query

IBM QRadar (AQL)
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastSeen,
  username AS UserId,
  "Application" AS AppId,
  COUNT(*) AS AccessCount,
  UNIQUECOUNT(sourceip) AS UniqueIPs,
  FIRST(sourceip) AS FirstSourceIP,
  LAST(sourceip) AS LastSourceIP,
  UNIQUECOUNT(qid) AS UniqueOperations,
  FIRST(QIDNAME(qid)) AS FirstOperation,
  UNIQUECOUNT("User Agent") AS UniqueUserAgents,
  FIRST("User Agent") AS FirstUserAgent
FROM events
WHERE
  /* Microsoft Office 365 and Microsoft Azure Active Directory DSMs
     (log source type IDs 397 and 475 on the reference deployment) */
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Office 365', 'Microsoft Azure Active Directory')
  AND CATEGORYNAME(category) LIKE '%Authentication%'
  /* "Is Interactive", "Application", "User Agent", "Resource Name" and
     "Authentication Requirement" are custom event properties; the names are
     assumed and must match the properties extracted on your deployment from the
     sign-in log's isInteractive, appDisplayName, userAgent, resourceDisplayName
     and authenticationRequirement fields */
  AND "Is Interactive" <> 'true'
  AND (
    LOWER("User Agent") MATCHES '.*(python-requests|curl/|wget/|go-http-client|okhttp|node-fetch|axios|postmanruntime|libcurl|ruby|aiohttp|httpx|java/).*'
    OR "Resource Name" IN ('Microsoft Graph', 'Office 365 Exchange Online', 'SharePoint Online', 'Microsoft Teams', 'OneDrive', 'Azure Key Vault', 'Windows Azure Service Management API')
  )
  AND "Authentication Requirement" = 'singleFactorAuthentication'
  AND QIDNAME(qid) NOT LIKE '%Fail%'
GROUP BY username, "Application"
HAVING COUNT(*) > 10 OR UNIQUECOUNT(sourceip) >= 2
ORDER BY UniqueIPs DESC, AccessCount DESC
LAST 24 HOURS
Severity: high · Confidence: medium

Detects OAuth application access token abuse in Microsoft 365 and Azure AD environments by correlating successful non-interactive, single-factor authentications that come from automated HTTP clients or target sensitive cloud resources, grouped per user and application over the last 24 hours. A high UniqueIPs value for one user-application pair is the strongest signal of a stolen token being replayed from attacker infrastructure: three or more source IPs, or more than 200 calls from two or more IPs, is high risk; two IPs is medium; a single IP is low and is surfaced only by the AccessCount threshold, which mostly catches legitimate service principals. AQL has no CASE expression or array aggregation, so that tiering is applied to the UniqueIPs and AccessCount columns by the offense rule or the analyst rather than inside the query. Requires the QRadar DSMs for Microsoft Office 365 (log source type 397) and/or Microsoft Azure Active Directory (475), plus custom event properties for Application, User Agent, Resource Name and Authentication Requirement extracted from the sign-in events.
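The query's filtering, grouping and risk tiers (HIGH for three or more source IPs or more than 200 calls from two or more IPs, MEDIUM for two IPs, LOW otherwise), run offline over constructed sign-in records so the thresholds can be checked before the AQL is deployed. This is an added example, not code from the original page or from IBM; the record layout follows the Azure AD sign-in log field names used in the testing section (ResultType, IsInteractive, AuthenticationRequirement, UserAgent, ResourceDisplayName, AppId), and every user, application ID and address below is constructed.

```python
import re
from collections import defaultdict

# Automated HTTP client user agents, the same alternation the AQL query matches on
AUTOMATED_UA = re.compile(
    r"(python-requests|curl/|wget/|go-http-client|okhttp|node-fetch|axios|"
    r"postmanruntime|libcurl|ruby|aiohttp|httpx|java/)",
    re.IGNORECASE,
)

# Sensitive first-party resources, the same list the query's "Resource Name" filter uses
SENSITIVE_RESOURCES = {
    "Microsoft Graph", "Office 365 Exchange Online", "SharePoint Online",
    "Microsoft Teams", "OneDrive", "Azure Key Vault",
    "Windows Azure Service Management API",
}


def in_scope(ev):
    """The WHERE clause: a successful, non-interactive, single-factor sign-in that
    either comes from an automated client or targets a sensitive resource."""
    if ev.get("ResultType") != 0:
        return False
    if ev.get("IsInteractive", False):
        return False
    if ev.get("AuthenticationRequirement") != "singleFactorAuthentication":
        return False
    return (bool(AUTOMATED_UA.search(ev.get("UserAgent", "")))
            or ev.get("ResourceDisplayName") in SENSITIVE_RESOURCES)


def risk_tier(access_count, unique_ips):
    """Risk tiers, checked in order: distinct source IPs outrank call volume."""
    if unique_ips >= 3:
        return "HIGH"
    if access_count > 200 and unique_ips >= 2:
        return "HIGH"
    if unique_ips >= 2:
        return "MEDIUM"
    return "LOW"


def token_abuse_report(events, min_count=10, min_ips=2):
    """Group in-scope sign-ins by (user, application) and keep the pairs that
    pass the HAVING thresholds (more than min_count calls or at least min_ips IPs)."""
    groups = defaultdict(list)
    for ev in events:
        if in_scope(ev):
            groups[(ev["UserPrincipalName"], ev["AppId"])].append(ev)
    report = {}
    for key, evs in groups.items():
        ips = {e["IPAddress"] for e in evs}
        count = len(evs)
        if count > min_count or len(ips) >= min_ips:
            report[key] = {
                "AccessCount": count,
                "UniqueIPs": len(ips),
                "SourceIPs": sorted(ips),
                "UserAgents": sorted({e["UserAgent"] for e in evs}),
                "RiskScore": risk_tier(count, len(ips)),
            }
    return report


def _ev(user, app, ip, ua="curl/8.4.0", resource="Microsoft Graph",
        result=0, interactive=False, req="singleFactorAuthentication"):
    """Build one constructed sign-in record using the Azure AD sign-in log's field names."""
    return {"UserPrincipalName": user, "AppId": app, "IPAddress": ip, "UserAgent": ua,
            "ResourceDisplayName": resource, "ResultType": result,
            "IsInteractive": interactive, "AuthenticationRequirement": req}


# Constructed sample: users, app IDs and addresses are invented (RFC 5737 ranges)
SAMPLE_EVENTS = (
    # one app's token used from three IPs: the strongest stolen-token signal
    [_ev("alice@contoso.example", "app-1", ip)
     for ip in ("198.51.100.10", "203.0.113.7", "192.0.2.44")]
    # a scheduled backup job: 50 calls from one IP, surfaced by the count threshold only
    + [_ev("svc-backup@contoso.example", "app-2", "198.51.100.20",
           ua="python-requests/2.31.0") for _ in range(50)]
    # browser user agent but a sensitive resource, seen from two IPs
    + [_ev("bob@contoso.example", "app-3", ip, ua="Mozilla/5.0")
       for ip in ("198.51.100.30", "203.0.113.31")]
    # interactive MFA sign-in and a failed sign-in: both out of scope
    + [_ev("carol@contoso.example", "app-1", "198.51.100.40",
           interactive=True, req="multiFactorAuthentication"),
       _ev("carol@contoso.example", "app-1", "203.0.113.41", result=50126)]
)

if __name__ == "__main__":
    for (user, app), row in token_abuse_report(SAMPLE_EVENTS).items():
        print(user, app, row["RiskScore"], row["UniqueIPs"], row["AccessCount"])
```

The backup service principal shows why the count threshold alone is a weak signal: 50 calls from one IP comes out LOW and belongs in a tuning exception, while a token for one user-application pair seen from three IPs is HIGH regardless of volume.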

Data Sources

Microsoft Office 365 DSM (QRadar log source type 397)
Microsoft Azure Active Directory DSM (QRadar log source type 475)

Required Tables

events (QRadar normalized event store with O365 and Azure AD log sources configured)

False Positives & Tuning

  • Automated backup or archival services (Veeam, AvePoint, Druva) that authenticate to Exchange Online and SharePoint using service principal tokens at high frequency during scheduled backup windows
  • Third-party SaaS integrations (Salesforce, ServiceNow, Workday) configured to sync with Microsoft 365 using OAuth app registrations, generating batched API calls from their cloud infrastructure IPs
  • Security scanning tools and CASB solutions (Microsoft Defender for Cloud Apps, Netskope) that enumerate Microsoft Graph endpoints using delegated tokens to assess data exposure

Testing Methodology

Validate this detection against four Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: OAuth Refresh Token Exchange for Microsoft Graph Access Token

    Expected signal: AADNonInteractiveUserSignInLogs entry with ResultType=0, AuthenticationRequirement=singleFactorAuthentication, ClientAppUsed=MSAL (or legacy), AppId matching CLIENT_ID and ResourceDisplayName=Microsoft Graph. The user agent will be curl/x.x.x, so the event matches the automated-client User Agent regex in the query.

  2. Test 2: Microsoft Graph API Mailbox Enumeration Using Stolen Bearer Token

    Expected signal: Microsoft 365 Unified Audit Log: MailItemsAccessed and MessageBind operations generated per message accessed; FileAccessed for drive enumeration — all attributed to the AppId that issued the token. AADNonInteractiveUserSignInLogs shows a non-interactive sign-in for Microsoft Graph resource with AuthenticationRequirement=singleFactorAuthentication.

  3. Test 3: AWS STS GetFederationToken for Persistent Secondary Credential

    Expected signal: AWS CloudTrail event: eventName=GetFederationToken, eventSource=sts.amazonaws.com, userIdentity.type=IAMUser, requestParameters.name=df00tech-test-session. Subsequent GetCallerIdentity shows userIdentity.type=FederatedUser, confirming token independence.

  4. Test 4: Kubernetes Service Account Token Lateral Movement

    Expected signal: Kubernetes API server audit log: authentication events with userInfo.username=system:serviceaccount:<namespace>:<serviceaccount>, verb=list, resource=secrets, namespace=<namespace>. Cross-namespace kube-system access attempt appears as a separate event with responseStatus.code=403 (if RBAC is properly configured). In EKS, AKS, and GKE these events appear in CloudTrail, Azure Monitor, and Cloud Audit Logs respectively.
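A check that the telemetry described for Tests 3 and 4 was actually produced, as an added example that is not part of the original page or of Atomic Red Team. It links each CloudTrail GetFederationToken call to the later calls made by the resulting FederatedUser principal (token independence), and picks out service-account reads of secrets in Kubernetes audit events, marking cross-namespace attempts and whether RBAC denied them. The CloudTrail and audit records, account ID, ARNs, session name and service-account names are all constructed.

```python
def federation_token_chains(records):
    """Map each sts:GetFederationToken session name to the API calls later made
    by the FederatedUser principal it produced. A non-empty list shows the
    secondary credential acting on its own, independent of the issuing IAM user."""
    issued_by = {}  # session name -> ARN of the IAM user that called GetFederationToken
    for r in records:
        if (r.get("eventSource") == "sts.amazonaws.com"
                and r.get("eventName") == "GetFederationToken"):
            issued_by[r["requestParameters"]["name"]] = r["userIdentity"]["arn"]
    chains = {name: [] for name in issued_by}
    for r in records:
        ident = r.get("userIdentity", {})
        if ident.get("type") != "FederatedUser":
            continue
        # federated-user ARNs end in ":federated-user/<session name>"
        name = ident.get("arn", "").rsplit("/", 1)[-1]
        if name in chains:
            chains[name].append(r["eventName"])
    return chains


def service_account_secret_access(audit_events):
    """Return every secrets read made with a service-account token, noting whether
    it crossed out of the token's own namespace and whether the API server denied it."""
    findings = []
    for e in audit_events:
        user = e.get("user", {}).get("username", "")
        if not user.startswith("system:serviceaccount:"):
            continue
        ref = e.get("objectRef", {})
        if ref.get("resource") != "secrets" or e.get("verb") not in ("get", "list"):
            continue
        own_ns = user.split(":")[2]  # system:serviceaccount:<namespace>:<name>
        target_ns = ref.get("namespace")
        code = e.get("responseStatus", {}).get("code")
        findings.append({
            "user": user,
            "verb": e["verb"],
            "namespace": target_ns,
            "cross_namespace": target_ns != own_ns,
            "denied": code == 403,
        })
    return findings


# Constructed records: the account ID, ARNs, session name and service-account
# names are invented for illustration, not taken from any real environment.
ACCOUNT = "123456789012"
CLOUDTRAIL = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"name": "test-session"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "FederatedUser",
                      "arn": f"arn:aws:sts::{ACCOUNT}:federated-user/test-session"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "FederatedUser",
                      "arn": f"arn:aws:sts::{ACCOUNT}:federated-user/test-session"}},
    # the IAM user acting directly, not through the federation token
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}},
]

K8S_AUDIT = [
    {"user": {"username": "system:serviceaccount:dev:app-sa"}, "verb": "list",
     "objectRef": {"resource": "secrets", "namespace": "dev"}, "responseStatus": {"code": 200}},
    {"user": {"username": "system:serviceaccount:dev:app-sa"}, "verb": "list",
     "objectRef": {"resource": "secrets", "namespace": "kube-system"}, "responseStatus": {"code": 403}},
    {"user": {"username": "system:serviceaccount:dev:app-sa"}, "verb": "get",
     "objectRef": {"resource": "pods", "namespace": "dev"}, "responseStatus": {"code": 200}},
    {"user": {"username": "kubernetes-admin"}, "verb": "list",
     "objectRef": {"resource": "secrets", "namespace": "kube-system"}, "responseStatus": {"code": 200}},
]

if __name__ == "__main__":
    print(federation_token_chains(CLOUDTRAIL))
    for finding in service_account_secret_access(K8S_AUDIT):
        print(finding)
```

The kube-system attempt coming back with a 403 is the expected outcome when RBAC is scoped correctly; a 200 on the same cross-namespace read is the finding to escalate, because it means the stolen token can read secrets it was never meant to reach.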
