Valid Tokens
Within the "Gain Access" phase of an attack, adversaries may leverage "Valid Tokens" as a sub-technique of "Valid Accounts" to bypass traditional authentication mechanisms and maintain unauthorized access. This sub-technique involves the theft or forging of authentication tokens - such as OAuth tokens, JSON Web Tokens (JWTs), or Kerberos tickets - which represent previously authenticated sessions or delegated permissions. Once obtained through methods like token extraction from memory, man-in-the-middle attacks, or exploitation of token validation vulnerabilities, adversaries can replay these tokens to impersonate legitimate users without needing their credentials. This approach is particularly effective against modern web applications and single sign-on (SSO) ecosystems where token-based authentication is prevalent. Unlike password-based attacks, token abuse may evade multi-factor authentication and typical credential monitoring, because the adversary presents a valid session token rather than attempting to authenticate directly. To mitigate this threat, organizations must implement proper token validation, appropriate expiration policies, and runtime monitoring that detects anomalous token-usage patterns.
Mitigations
| ID | Mitigation | Description |
| --- | --- | --- |
| M1026 | Privileged Account Management | Adopt short-lived OAuth/JWT tokens with audience binding; implement refresh-token rotation and revocation lists. |
| M1032 | Multi-Factor Authentication | Couple token issuance to MFA so stolen tokens alone cannot renew sessions. |
Detection
| ID | Data Source | Detection |
| --- | --- | --- |
| DS0002 | User Account Authentication | Detect tokens presented from new IP/device combos or outside expected geos; validate token binding claims. |
| DS0015 | Application Log | Monitor for replay of the same bearer token across multiple client IPs within its lifetime. |
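The DS0015 replay check above, as an added example that is not part of this page or of any ATT&CK tooling: it runs over constructed application log lines and flags any token fingerprint presented from two or more client IPs within the token lifetime. The log format, the `tok=` fingerprint field (assumed to be a short hash of the bearer token or its JWT `jti`, never the raw token) and the 15-minute lifetime are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample application log (not from any real system). Each line
# carries a timestamp, client IP, user and a token fingerprint: assume the app
# logs a short hash of the bearer token (or its JWT "jti" claim), never the token.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z 203.0.113.10 alice tok=4f1a9c
2024-05-01T10:02:11Z 203.0.113.10 alice tok=4f1a9c
2024-05-01T10:05:40Z 198.51.100.7 alice tok=4f1a9c
2024-05-01T10:06:02Z 203.0.113.22 bob tok=b71e03
2024-05-01T11:30:00Z 192.0.2.99 alice tok=4f1a9c
"""

# Assumed access-token lifetime; set this to the issuer's real "exp" window.
TOKEN_LIFETIME = timedelta(minutes=15)


def parse_line(line):
    """Split one log line into (timestamp, client_ip, user, token_fingerprint)."""
    ts, ip, user, tok = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, tok[len("tok="):]


def find_replayed_tokens(log_text, lifetime=TOKEN_LIFETIME):
    """Return {token_fp: sorted IPs} for every token presented from two or more
    distinct client IPs within `lifetime` of each other (DS0015-style replay).
    Uses more than `lifetime` apart are not paired: those point at an expired
    token still being accepted, which is a separate finding."""
    events = defaultdict(list)  # token_fp -> [(ts, ip), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, _user, tok = parse_line(line)
            events[tok].append((ts, ip))

    findings = {}
    for tok, uses in events.items():
        uses.sort()
        suspicious = set()
        for i, (ts, ip) in enumerate(uses):
            for prev_ts, prev_ip in uses[:i]:
                if prev_ip != ip and ts - prev_ts <= lifetime:
                    suspicious.update({ip, prev_ip})
        if suspicious:
            findings[tok] = sorted(suspicious)
    return findings


if __name__ == "__main__":
    for tok, ips in find_replayed_tokens(SAMPLE_LOG).items():
        print(f"ALERT token {tok} seen from {len(ips)} client IPs: {', '.join(ips)}")
```

In the sample, alice's token is flagged because it is presented from a second IP within six minutes, while the use at 11:30 falls outside the lifetime and is not paired; bob's token is used from a single IP and stays silent.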