ATT&CK-CN V1.01 Last Update: 2019-11 [返回索引页]

译者: 林妙倩(清华大学网络研究院网络空间安全实习生)、戴亦仑(赛宁网安) 原创翻译作品,如果需要转载请取得翻译作者同意。

数据来源:ATT&CK Matrices

原文: https://attack.mitre.org/techniques/T1527

术语表: /attack/glossary

应用程序访问令牌

攻击者可以使用应用程序访问令牌绕过典型的身份验证过程,并访问远程系统上的受限帐户,信息或服务。这些令牌通常是从用户那里窃取的,并用来代替登录凭据。

应用程序访问令牌用于代表用户发出授权的API请求,并且通常用作在基于云的应用程序和软件即服务(SaaS)中访问资源的方式。OAuth是一种普遍实施的框架,向用户发布令牌以访问系统。这些框架可共同用于验证用户并确定允许用户执行的操作。一旦建立了身份,令牌就可以授权操作,而无需传递用户的实际凭据。因此,令牌的泄露可以通过恶意应用程序使对手获得对其他站点资源的访问权限。

例如,对于基于云的电子邮件服务,一旦将OAuth访问令牌授予了恶意应用程序,如果授予了启用后台访问的“刷新”令牌,则它有可能获得对用户帐户功能的长期访问。借助OAuth访问令牌,对手可以使用用户授予的REST API来执行诸如电子邮件搜索和联系人枚举之类的功能

受损的访问令牌可以用作危害其他服务的初始步骤。例如,如果令牌授予对受害者的主电子邮件的访问权限,则对手可能会通过触发被忘记的密码例程,将访问权限扩展到目标用户订阅的所有其他服务。通过令牌进行的直接API访问会否定第二个身份验证因素的有效性,并且可能不受诸如更改密码之类的直观对策的影响。由于访问仍然可以与合法的工作流程保持一致,因此即使从服务提供商端,也很难检测到通过API通道进行的访问滥用。

Application Access Token

Adversaries may use application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.

Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS). OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.

For example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.

Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.

标签

ID编号: T1527

策略: 防御绕过,横向移动

平台: SaaS,Office 365

所需权限: user

数据源: OAuth审核日志,Office 365帐户日志

绕过防御: 多因素身份验证,登录凭据

程序示例

名称 描述
APT28(G0007) APT28(G0007)使用了多个恶意应用程序,这些应用程序滥用OAuth访问令牌来访问目标电子邮件帐户,包括Gmail和Yahoo Mail。
Name Description
APT28 (G0007) APT28 (G0007) has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.

缓解措施

减轻 描述
审计(M1047) 管理员可以设置各种日志,并利用审核工具来监视由于OAuth 2.0访问而可以执行的操作。例如,审核报告使管理员能够识别特权升级操作,例如角色创建或策略修改,这可以是在初次访问后执行的操作。
加密敏感信息M1041) 文件加密应该在包含敏感信息的电子邮件通信中强制实施,这些信息可以通过访问电子邮件服务获得。
限制基于Web的内容(M1021) 更新公司政策,以限制将哪些类型的第三方应用程序添加到与公司的信息,帐户或网络链接的任何在线服务或工具(例如:Google,Microsoft,Dropbox,Basecamp,GitHub)。但是,与其提供高级指导,不如说是非常具体的-包括预先批准的应用程序列表,并拒绝列表中未列出的所有其他应用程序。管理员还可以通过诸如Azure门户之类的管理门户阻止最终用户同意,从而禁止用户通过OAuth授权第三方应用并强制执行管理同意。
Mitigation Description
Audit (M1047) Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.
Encrypt Sensitive Information(M1041) File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services.
Restrict Web-Based Content (M1021) Update corporate policies to restrict what types of third-party applications may be added to any online service or tool that is linked to the company's information, accounts or network (example: Google, Microsoft, Dropbox, Basecamp, GitHub). However, rather than providing high-level guidance on this, be extremely specific—include a list of pre-approved applications and deny all others not on the list. Administrators may also block end-user consent through administrative portals, such as the Azure Portal, disabling users from authorizing third-party apps through OAuth and forcing administrative consent.

检测

监视访问令牌活动,以了解异常使用情况以及授予异常或可疑应用程序的权限。管理员可以设置各种日志,并利用审核工具来监视由于OAuth 2.0访问而可以执行的操作。例如,审核报告使管理员能够识别特权升级操作,例如角色创建或策略修改,这可以是在初次访问后执行的操作。

Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications. Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.