Steal Application Access Token T1528

Events covered

7 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 73 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (154 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Top indicator values (525 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Exclusions (86 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 15 rules

• Anomalous Token
• Anonymous IP Address
• App Granted Microsoft Permissions
• Application URI Configuration Changes
• Delegated Permissions Granted For All Users
• End User Consent
• End User Consent Blocked
• HackTool - Koh Default Named Pipe
• High Risk Actions - copying of the most powerful token through API Explorer
• High risk event - risk of copying client credentials
• Potentially Suspicious Command Targeting Teams Sensitive Files
• Potentially Suspicious JWT Token Search Via CLI
• Primary Refresh Token Access Attempt
• Renamed BrowserCore.EXE Execution
• Suspicious Teams Application Related ObjectAcess Event

Elastic 25 rules

• Azure Service Principal Sign-In Followed by Arc Cluster Credential Access
• Entra ID Concurrent Sign-in with Suspicious Properties
• Entra ID Illicit Consent Grant via Registered Application
• Entra ID Kali365 Default User-Agent Detected
• Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource
• Entra ID OAuth Device Code Flow with Concurrent Sign-ins
• Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)
• Entra ID OAuth Phishing via First-Party Microsoft Application
• Entra ID OAuth PRT Issuance to Non-Managed Device Detected
• Entra ID User Added as Registered Application Owner
• Entra ID User Sign-in with Unusual Client
• GitHub Authentication Token Access via Node.js
• Google Workspace Login Flagged Suspicious
• Google Workspace User Login with Unusual ASN
• Kubernetes and Cloud Credential Path Access via Process Arguments
• Kubernetes Service Account Secret Access
• M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs
• M365 Identity OAuth Flow by User Sign-in to Device Registration
• M365 Identity OAuth Illicit Consent Grant by Rare Client and User
• M365 Identity Unusual SSO Authentication Errors for User
• Microsoft Graph Request User Impersonation by Unusual Client
• Multi-Cloud CLI Token and Credential Access Commands
• New GitHub Personal Access Token (PAT) Added
• Potential Impersonation Attempt via Kubectl
• Service Account Token or Certificate Access Followed by Kubernetes API Request

Splunk 8 rules

• Azure AD Device Code Authentication
• Azure AD OAuth Application Consent Granted By User
• Azure AD User Consent Blocked for Risky Application
• Azure AD User Consent Denied for OAuth Application
• O365 File Permissioned Application Consent Granted by User
• O365 Mail Permissioned Application Consent Granted by User
• O365 User Consent Blocked for Risky Application
• O365 User Consent Denied for OAuth Application

Kusto 14 rules

• API - JWT validation
• Azure DevOps PAT used with Browser
• Dataverse - Anomalous application user activity
• Detect device token stealing with WDAC
• Expired access credentials being used in Azure
• Identify instances where a single source is observed using multiple user agents (ASIM Web Session)
• Microsoft Entra ID Hybrid Health AD FS Suspicious Application
• Suspicious application consent for offline access
• Suspicious application consent similar to O365 Attack Toolkit
• Suspicious application consent similar to PwnAuth
• Suspicious Entra ID Joined Device Update
• Suspicious Service Principal creation activity
• Trust Monitor Event
• Zero Networks Segment - New API Token created

Panther 11 rules

• AppOmni Alert Passthrough
• Auth0 Refresh Token Reused
• AWS Potentially Stolen Service Role
• Azure VS Code OAuth Phishing
• Kubernetes System Principal Accessed from Non-Cloud Public IP
• Okta AD Agent Authentication Anomaly - Z-Score Detection
• Okta AD Agent Token Abuse - Behavioral
• Okta API Key Created
• Salesforce OAuth Credential Abuse Detection
• Salesforce Third-Party Integration Monitoring
• Zendesk API Token Created