Use Alternate Authentication Material: Application Access Token T1550.001
Tactic: Lateral Movement
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.
Events covered
6 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Security-Auditing | Event ID 4624 | An account was successfully logged on. |
| Security-Auditing | Event ID 4625 | An account failed to log on. |
| Security-Auditing | Event ID 4648 | A logon was attempted using explicit credentials. |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| ESF | exec | Process Execution (Notify) |
Authoring guide
Patterns shared across the 55 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (140 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (395 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (162 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor.
Sigma 5 rules
- AWS Console GetSigninToken Potential Abuse
- AWS STS AssumeRole Misuse
- AWS STS GetSessionToken Misuse
- AWS Suspicious SAML Activity
- Refresh Token Reuse Detection
Elastic 39 rules
- AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure
- AWS EC2 Instance Console Login via Assumed Role
- AWS First Occurrence of STS GetFederationToken Request by User
- AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity
- AWS Sign-In Token Created
- AWS STS AssumeRole with New MFA Device
- AWS STS GetFederationToken with AdministratorAccess in Request
- AWS STS GetSessionToken Usage
- AWS STS Role Assumption by Service
- AWS STS Role Assumption by User
- AWS STS Role Chaining
- Direct Interactive Kubernetes API Request Detected via Defend for Containers
- Entra ID Actor Token User Impersonation Abuse
- Entra ID Concurrent Sign-in with Suspicious Properties
- Entra ID Kali365 Default User-Agent Detected
- Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN
- Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource
- Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource
- Entra ID OAuth Device Code Grant by Microsoft Authentication Broker
- Entra ID OAuth Device Code Grant by Unusual User
- Entra ID OAuth Device Code Phishing via AiTM
- Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)
- Entra ID OAuth Phishing via First-Party Microsoft Application
- Entra ID OAuth PRT Issuance to Non-Managed Device Detected
- Entra ID OAuth User Impersonation to Microsoft Graph
- Entra ID OAuth user_impersonation Scope for Unusual User and Client
- Entra ID Service Principal Federated Credential Authentication by Unusual Client
- Entra ID User Sign-in with Unusual Client
- First Occurrence GitHub Event for a Personal Access Token (PAT)
- First Occurrence of IP Address For GitHub Personal Access Token (PAT)
- First Occurrence of User Agent For a GitHub Personal Access Token (PAT)
- First Time Seen Google Workspace OAuth Login from Third-Party Application
- Kubernetes API Server Proxying Request to Kubelet
- M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs
- Microsoft Graph Request Email Access by Unusual User and Client
- Microsoft Graph Request User Impersonation by Unusual Client
- Potential Impersonation Attempt via Kubectl
- Service Account Token or Certificate Access Followed by Kubernetes API Request
- Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
Kusto 4 rules
- First access credential added to Application or Service Principal where no credential was present
- full_access_as_app Granted To Application
- New access credential added to Application or Service Principal
- NRT First access credential added to Application or Service Principal where no credential was present
YARA-L 2 rules
- GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage
- Hunt for Expired Tokens Attempting to sign-in to Entra ID