Info
ID: AT-EC002.002
Technique: Exploitation for Credential Access
Tactic: Expanding Control
Platforms: Linux, macOS, Windows, Web Application
Permissions Required: User, Administrator
Version: 1.0
Stealing Tokens
Authentication tokens are a valuable target for attackers who have established initial access within an application's environment and seek to expand their control through credential access. During the Expanding Control phase, attackers target memory, files, or storage locations to extract authentication tokens such as session cookies, OAuth tokens, JSON Web Tokens (JWTs), or API keys that grant access to protected resources or elevated privileges.

Compared to password theft, token stealing is often preferred because a valid token is accepted without repeating the multi-factor authentication step, and its use leaves minimal forensic evidence. Attackers commonly employ techniques such as memory scraping, injection attacks like XSS, examining client-side storage (localStorage/sessionStorage), intercepting network traffic, or exploiting token leakage in logs and caches.

Once acquired, these tokens can be immediately leveraged to impersonate legitimate users, access restricted application features, make unauthorized API calls, or pivot to connected services, all while operating under the identity context of the compromised user and potentially bypassing detection mechanisms that focus only on authentication anomalies rather than on how an already-issued token is used.
Data Sources
- Process Monitoring: Token extraction from application memory and processes
- Web Application Logs: Authentication token usage and access patterns
- Memory Analysis: Token storage analysis in application memory
- Network Traffic: Token interception in network communications
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1041 | Encrypt Sensitive Information | Implement token encryption in memory and storage |
| M1027 | Password Policies | Implement secure token generation and rotation policies |
| M1026 | Privileged Account Management | Implement proper token scope and privilege limitations |
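The following is an added example, not code from this page or from any project it describes. It shows how the M1027 and M1026 rows above can be realised in a server-side session store: tokens are generated from a CSPRNG, stored only as a SHA-256 fingerprint (so a copy of the store does not yield usable tokens), carry a short lifetime and an explicit scope, and are rotated so that an older copy of a token stops working. The `session_cookie_header` helper and the 15-minute TTL are assumptions chosen for the example; the cookie attributes it emits are the standard `Secure`, `HttpOnly` and `SameSite` flags that keep the token out of JavaScript-readable storage, which is one of the extraction paths named in the technique description.

```python
"""Added example: short-lived, scoped, rotating session tokens (not the page's own code)."""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a short lifetime bounds how long a stolen token stays usable


@dataclass
class SessionRecord:
    user: str
    scope: frozenset  # least-privilege: a token only unlocks the operations it was issued for
    issued_at: float
    expires_at: float


class SessionStore:
    """Holds only token fingerprints, never raw token values."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._records: dict[str, SessionRecord] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store a one-way hash: a leaked store cannot be replayed as tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, scope=()) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._records[self._fingerprint(token)] = SessionRecord(
            user=user, scope=frozenset(scope), issued_at=now, expires_at=now + self._ttl
        )
        return token

    def validate(self, token: str):
        """Return the SessionRecord for a live token, or None if unknown/expired."""
        key = self._fingerprint(token)
        rec = self._records.get(key)
        if rec is None:
            return None
        if self._clock() >= rec.expires_at:
            del self._records[key]  # expired tokens are purged, not kept around
            return None
        return rec

    def rotate(self, token: str):
        """Exchange a live token for a fresh one; the old value is invalidated immediately."""
        rec = self.validate(token)
        if rec is None:
            return None
        del self._records[self._fingerprint(token)]
        return self.issue(rec.user, rec.scope)

    def revoke(self, token: str) -> bool:
        return self._records.pop(self._fingerprint(token), None) is not None


def session_cookie_header(token: str, name: str = "session") -> str:
    """Cookie attributes that keep the token out of client-side script and off plain HTTP."""
    return (
        f"Set-Cookie: {name}={token}; Path=/; Secure; HttpOnly; "
        f"SameSite=Strict; Max-Age={TOKEN_TTL_SECONDS}"
    )


if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("alice", scope={"orders:read"})
    print(session_cookie_header(tok))
    new_tok = store.rotate(tok)
    print("old token still valid:", store.validate(tok) is not None)
    print("new token valid:", store.validate(new_tok) is not None)
```

Rotation on each privileged action (or on a fixed schedule) is what turns a one-off token theft into a race the attacker usually loses: the moment the legitimate client rotates, the stolen copy is dead.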
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0002 | User Account Authentication | Alert when the same token is reused from distant geolocations or impossible-travel timeframes. |
| DS0029 | Network Traffic Content | Detect API calls bearing session cookies or JWTs that originate from processes other than the organisation's approved client or browser. |
| DS0009 | Process: OS API Execution | Monitor calls to memory scraping of token storage regions. |