Valid Tokens
Within the "Gain Access" phase of an attack, adversaries may leverage "Valid Tokens" as a sub-technique of "Valid Accounts" to bypass traditional authentication mechanisms and maintain unauthorized access. This sub-technique involves the theft or forging of authentication tokens (such as OAuth tokens, JSON Web Tokens (JWTs), or Kerberos tickets), which represent previously authenticated sessions or delegated permissions. Once obtained through methods like token extraction from memory, man-in-the-middle attacks, or exploitation of token validation vulnerabilities, adversaries can replay these tokens to impersonate legitimate users without needing their credentials. This approach is particularly effective against modern web applications and single sign-on (SSO) ecosystems where token-based authentication is prevalent. Unlike password-based attacks, token abuse may evade multi-factor authentication and typical credential monitoring, as the adversary is using a valid session token rather than attempting to authenticate directly. To mitigate this threat, organizations must implement proper token validation, appropriate expiration policies, and runtime monitoring that detects anomalous token usage patterns.
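The three mitigations named above (token validation, expiration policy, runtime monitoring), sketched as an added example that is not part of the original page. It assumes HS256-signed JWTs carrying `iat`, `exp` and `jti` claims, a 15-minute lifetime policy, and a client fingerprint supplied by the caller; `mint`, `validate` and `UsageMonitor` are hypothetical names.

```python
import base64, hashlib, hmac, json

MAX_LIFETIME = 900  # assumed policy: a token may live at most 15 minutes

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint(claims, key, alg="HS256"):
    """Build a constructed sample token for the demo (not a production issuer)."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(mac)}"

def validate(token, key, now):
    """Return (claims, None) when accepted, otherwise (None, reason)."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(_b64d(head_b64)), json.loads(_b64d(body_b64))
        sig = _b64d(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("not a JSON object")
    except ValueError:
        return None, "malformed"
    if header.get("alg") != "HS256":  # pin the algorithm server-side
        return None, "alg not allowed"
    mac = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, mac):  # constant-time comparison
        return None, "bad signature"
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int) or "jti" not in claims:
        return None, "missing iat/exp/jti"
    if now >= exp:
        return None, "expired"
    if exp - iat > MAX_LIFETIME:
        return None, "lifetime exceeds policy"
    return claims, None

class UsageMonitor:
    """Flags a token (by jti) presented from a client context other than its first."""
    def __init__(self):
        self.first_seen = {}

    def observe(self, claims, client):
        # client is an assumed fingerprint, e.g. (source IP, user-agent hash)
        return self.first_seen.setdefault(claims["jti"], client) != client
```

Signature and expiry checks alone accept a stolen token for as long as it is valid, which is why the monitor sits behind `validate` and should raise an alert or force re-authentication when `observe` returns `True`.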