Esc
Application Access Token - T1550.001
(ATT&CK® Technique)
Definition
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1550001["Application Access Token"] --> |may-produce| NetworkTraffic["Network Traffic"]; class T1550001 OffensiveTechniqueNode;
class NetworkTraffic ArtifactNode; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic";
click T1550001 href "/offensive-technique/attack/T1550.001/"; click NetworkTraffic href "/dao/artifact/d3f:NetworkTraffic"; T1550001["Application Access Token"] --> |uses| AccessToken["Access Token"]; class T1550001 OffensiveTechniqueNode;
class AccessToken ArtifactNode; click AccessToken href "/dao/artifact/d3f:AccessToken";
click T1550001 href "/offensive-technique/attack/T1550.001/"; click AccessToken href "/dao/artifact/d3f:AccessToken"; T1550001["Application Access Token"] --> |accesses| AuthenticationService["Authentication Service"]; class T1550001 OffensiveTechniqueNode;
class AuthenticationService ArtifactNode; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService";
click T1550001 href "/offensive-technique/attack/T1550.001/"; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | NetworkTraffic["Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1550001["Application Access Token"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | NetworkTraffic["Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1550001["Application Access Token"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.->
| may-detect | T1550001["Application Access Token"] ;
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| may-detect | T1550001["Application Access Token"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | NetworkTraffic["Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1550001["Application Access Token"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | NetworkTraffic["Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1550001["Application Access Token"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | NetworkTraffic["Network Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1550001["Application Access Token"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | NetworkTraffic["Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1550001["Application Access Token"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -->
| analyzes | AccessToken["Access Token"];
CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.->
| may-detect | T1550001["Application Access Token"] ;
class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
class AccessToken ArtifactNode;
click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | NetworkTraffic["Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1550001["Application Access Token"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; DecoyUserCredential["Decoy User Credential"] -->
| spoofs | AccessToken["Access Token"];
DecoyUserCredential["Decoy User Credential"] -.->
| may-deceive | T1550001["Application Access Token"] ;
class DecoyUserCredential DefensiveTechniqueNode;
class AccessToken ArtifactNode;
click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; CredentialRevocation["Credential Revocation"] -->
| deletes | AccessToken["Access Token"];
CredentialRevocation["Credential Revocation"] -.->
| may-evict | T1550001["Application Access Token"] ;
class CredentialRevocation DefensiveTechniqueNode;
class AccessToken ArtifactNode;
click CredentialRevocation href "/technique/d3f:CredentialRevocation"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -->
| deletes | AccessToken["Access Token"];
AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.->
| may-evict | T1550001["Application Access Token"] ;
class AuthenticationCacheInvalidation DefensiveTechniqueNode;
class AccessToken ArtifactNode;
click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; ProcessTermination["Process Termination"] -->
| terminates | AuthenticationService["Authentication Service"];
ProcessTermination["Process Termination"] -.->
| may-evict | T1550001["Application Access Token"] ;
class ProcessTermination DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessTermination href "/technique/d3f:ProcessTermination"; TokenBinding["Token Binding"] -->
| strengthens | AccessToken["Access Token"];
TokenBinding["Token Binding"] -.->
| may-harden | T1550001["Application Access Token"] ;
class TokenBinding DefensiveTechniqueNode;
class AccessToken ArtifactNode;
click TokenBinding href "/technique/d3f:TokenBinding"; CredentialRotation["Credential Rotation"] -->
| regenerates | AccessToken["Access Token"];
CredentialRotation["Credential Rotation"] -.->
| may-harden | T1550001["Application Access Token"] ;
class CredentialRotation DefensiveTechniqueNode;
class AccessToken ArtifactNode;
click CredentialRotation href "/technique/d3f:CredentialRotation"; ProcessSuspension["Process Suspension"] -->
| suspends | AuthenticationService["Authentication Service"];
ProcessSuspension["Process Suspension"] -.->
| may-evict | T1550001["Application Access Token"] ;
class ProcessSuspension DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSuspension href "/technique/d3f:ProcessSuspension"; HostShutdown["Host Shutdown"] -->
| terminates | AuthenticationService["Authentication Service"];
HostShutdown["Host Shutdown"] -.->
| may-evict | T1550001["Application Access Token"] ;
class HostShutdown DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click HostShutdown href "/technique/d3f:HostShutdown"; Token-basedAuthentication["Token-based Authentication"] -->
| uses | AccessToken["Access Token"];
Token-basedAuthentication["Token-based Authentication"] -.->
| may-harden | T1550001["Application Access Token"] ;
class Token-basedAuthentication DefensiveTechniqueNode;
class AccessToken ArtifactNode;
click Token-basedAuthentication href "/technique/d3f:Token-basedAuthentication"; Multi-factorAuthentication["Multi-factor Authentication"] -->
| uses | AccessToken["Access Token"];
Multi-factorAuthentication["Multi-factor Authentication"] -.->
| may-harden | T1550001["Application Access Token"] ;
class Multi-factorAuthentication DefensiveTechniqueNode;
class AccessToken ArtifactNode;
click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| may-isolate | T1550001["Application Access Token"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -.->
| may-isolate | T1550001["Application Access Token"] ;
class Kernel-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Application-basedProcessIsolation["Application-based Process Isolation"] -.->
| may-isolate | T1550001["Application Access Token"] ;
class Application-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | NetworkTraffic["Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1550001["Application Access Token"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class NetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; ReissueCredential["Reissue Credential"] -->
| restores | AccessToken["Access Token"];
ReissueCredential["Reissue Credential"] -.->
| may-restore | T1550001["Application Access Token"] ;
class ReissueCredential DefensiveTechniqueNode;
class AccessToken ArtifactNode;
click ReissueCredential href "/technique/d3f:ReissueCredential"; CredentialTransmissionScoping["Credential Transmission Scoping"] -->
| isolates | AccessToken["Access Token"];
CredentialTransmissionScoping["Credential Transmission Scoping"] -.->
| may-isolate | T1550001["Application Access Token"] ;
class CredentialTransmissionScoping DefensiveTechniqueNode;
class AccessToken ArtifactNode;
click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; SystemCallFiltering["System Call Filtering"] -->
| isolates | AuthenticationService["Authentication Service"];
SystemCallFiltering["System Call Filtering"] -.->
| may-isolate | T1550001["Application Access Token"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; CredentialHardening["Credential Hardening"] -->
| hardens | AccessToken["Access Token"];
CredentialHardening["Credential Hardening"] -.->
| may-harden | T1550001["Application Access Token"] ;
class CredentialHardening DefensiveTechniqueNode;
class AccessToken ArtifactNode;
click CredentialHardening href "/technique/d3f:CredentialHardening"; ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessLineageAnalysis["Process Lineage Analysis"] -.->
| may-detect | T1550001["Application Access Token"] ;
class ProcessLineageAnalysis DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; HostReboot["Host Reboot"] -->
| terminates | AuthenticationService["Authentication Service"];
HostReboot["Host Reboot"] -.->
| may-evict | T1550001["Application Access Token"] ;
class HostReboot DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click HostReboot href "/technique/d3f:HostReboot"; WebSessionAccessMediation["Web Session Access Mediation"] -->
| isolates | AuthenticationService["Authentication Service"];
WebSessionAccessMediation["Web Session Access Mediation"] -.->
| may-isolate | T1550001["Application Access Token"] ;
class WebSessionAccessMediation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click WebSessionAccessMediation href "/technique/d3f:WebSessionAccessMediation";