title: Steal Application Access Token (T1528)
id: df00tech-t1528
status: experimental
description: "Adversaries may steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens — including OAuth 2.0 tokens, Kubernetes service account tokens, cloud provider temporary credentials (Azure Managed Identity via IMDS, AWS STS instance role credentials, GCP service account tokens), and CI/CD pipeline secrets — authorize API requests on behalf of users or services. Token theft enables adversaries to impersonate legitimate identities, access cloud resources and SaaS platforms with the victim's permissions, and move laterally without requiring plaintext passwords. Real-world examples include APT29 stealing OAuth tokens via malicious application consent phishing, APT28 creating fraudulent OAuth apps masquerading as Google services, and threat actors exploiting compromised containers to extract Kubernetes service account tokens via the pod filesystem."
references:
  - https://attack.mitre.org/techniques/T1528/
  - https://df00tech.com/detections/T1528
author: df00tech
date: 2026/04/20
tags:
  - attack.t1528
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Security scanning tools and vulnerability assessment agents that enumerate IMDS endpoints as part of cloud posture checks (e.g., Prisma Cloud, Wiz, Orca)"
  - "Developer workstations where developers legitimately use multiple cloud CLIs (gcloud, az, aws) and IDEs that access token caches on behalf of the user"
  - "Legitimate Kubernetes operators and custom controllers that mount and read service account tokens as part of their normal authentication flow to the Kubernetes API"
  - "CI/CD pipeline agents (GitHub Actions runner, GitLab Runner, Jenkins agent) that access cloud credentials and token caches as part of authorized deployment workflows"
  - "IT administration scripts that use OAuth tokens for legitimate bulk operations (e.g., Microsoft Graph scripts for user provisioning, Azure automation runbooks)"
level: high
