Clankerusecase
MITRE ATT&CK detection coverage

T1550.001 Application Access Token

T1550.001 — Application Access Token is a MITRE ATT&CK technique in the Lateral Movement tactic. Clankerusecase tracks 14 detection use cases covering it and 7 threat-intel articles citing it.

14 Use cases
7 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (14)

AWS brute-force ConsoleLogin then AssumeRole | Internal | delivery · alerting | DDCW
GitHub PAT used from impossible-travel locations | Internal | delivery · alerting | DD
Google Workspace OAuth key making account changes | Internal | install · alerting | DD
[WEEKLY] Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request | Internal | actions · alerting | DSPDD
[WEEKLY] OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay | Internal | c2 · alerting | DSPDD
[WEEKLY] Vendor / Third-Party OAuth App or SP Sign-in From Unbaselined Egress Followed by Bulk SaaS Object Read | Internal | actions · alerting | DSPDD
[LLM] Admin / privileged API call without a preceding SUCCESSFUL login (JWT forgery indicator) | Bespoke | actions · hunting | DSPDDCW
[LLM] JWT token in HTTP Authorization header verifying against secret 'random' | Bespoke | actions · alerting | DSPDDCW
[LLM] phpBB OAuth account-binding CSRF — anomalous traffic to pre-3.3.17 OAuth callback path | Bespoke | exploit · hunting | SΣP
[LLM] nebula-mesh CVE-2026-47724 — cross-tenant host identity hijack via /hosts/{id}/reenroll → /enroll chain | Bespoke | install · alerting | SPDD
[LLM] UTA0355 device-code phishing: deviceCode auth flow with cross-IP token redemption | Bespoke | delivery · alerting | DSPDD
[LLM] ROADtools roadtx FOCI client-ID swap: refresh-token resource hop across MS Office FOCI app IDs | Bespoke | c2 · hunting | DSPDD
[LLM] AssumeRoleWithWebIdentity from GitHub OIDC with unexpected repo/branch sub claim | Bespoke | exploit · hunting | PDD
[LLM] First-time OAuth consent granting Drive/Mail read scope to non-sanctioned third-party app | Bespoke | delivery · hunting | DSΣPDDCS

Articles citing this technique (7)