Steal Application Access Token - T1528
(ATT&CK® Technique)
Definition
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
D3FEND Inferred Relationships
Steal Application Access Token (T1528) --accesses--> Access Token

Credential Compromise Scope Analysis --analyzes--> Access Token; may-detect T1528
Authentication Cache Invalidation --deletes--> Access Token; may-evict T1528
Credential Revocation --deletes--> Access Token; may-evict T1528
Decoy User Credential --spoofs--> Access Token; may-deceive T1528
Reissue Credential --restores--> Access Token; may-restore T1528
Multi-factor Authentication --uses--> Access Token; may-harden T1528
Token-based Authentication --uses--> Access Token; may-harden T1528
Credential Transmission Scoping --isolates--> Access Token; may-isolate T1528
Credential Hardening --hardens--> Access Token; may-harden T1528
Credential Rotation --regenerates--> Access Token; may-harden T1528
Token Binding --strengthens--> Access Token; may-harden T1528