MITRE ATT&CK® Analytic

AN1425: Analytic 1425

Unusual OAuth app registration followed by user-granted OAuth tokens and subsequent high-privilege resource access via those tokens.

Domain: Enterprise | ID: AN1425 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is about spotting a risky identity-provider pattern: an unusual OAuth application registration, followed by users granting OAuth tokens, followed by high-privilege resource access using those tokens. For leaders, the value is not just detecting a single event, but validating whether the organization can connect app-registration activity, consent events, token issuance, and privileged resource access into one identity-risk story.

Executive priority

Prioritize this as an identity and cloud access governance issue. OAuth app consent can create durable access paths that may bypass traditional endpoint-centric monitoring. Executives should ask whether security teams can prove who registered OAuth apps, who granted consent, what privileges were granted, and whether token-based access reached sensitive or high-privilege resources. This also supports audit and compliance evidence around application governance, privileged access oversight, and identity-provider monitoring.

Technical view

SOC and detection teams should validate correlation coverage across the Identity Provider platform: unusual OAuth app registration, user-granted OAuth token activity, and subsequent access to high-privilege resources using those tokens. Because ATT&CK provides no official detection logic for AN1425, teams should define local baselines for normal app registration and consent behavior, then tune for unusual sequencing, privilege level, resource sensitivity, and user/app context. Incident responders should be prepared to review app registration metadata, consent grants, token activity, affected users, and accessed resources.

Likely telemetry

  • Identity provider audit logs for OAuth application registration
  • OAuth consent or user-grant events
  • Token issuance and token usage records where available
  • Application/service principal metadata and ownership details
  • Privileged or sensitive resource access logs tied to OAuth tokens

Detection direction

  • Correlate OAuth app registration with subsequent user-granted token activity and high-privilege resource access rather than alerting on isolated events only.
  • Baseline expected app registrations and consent patterns by business unit, user role, application owner, and resource sensitivity.
  • Prioritize events involving newly registered or rarely seen applications, unexpected consent grants, and access to privileged resources.
  • Tune false positives for legitimate application onboarding, sanctioned SaaS integrations, and approved administrative testing.
  • Check for blind spots where identity-provider logs do not retain token usage detail, resource-access context, consent records, or app ownership metadata.
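The correlation described in the Technical view and in the Detection direction bullets above, as an added example (not code from the ATT&CK object or from the Glexia page): a small Python correlator that walks constructed identity-provider audit events in time order, keeps only app registrations that fall outside a local baseline (an assumed allowlist of sanctioned apps and approved registrants), and reports an app only when a user consent grant, a token issued to a consenting user, and privileged resource access through that token all follow within a window. The event schema, field names, scope and resource names, user names and baselines are all assumptions for illustration; real IdP logs need a mapping step onto these fields first.

```python
"""Correlate identity-provider audit events into the AN1425 chain:
app registration -> user consent -> token issuance -> privileged resource access.
Added example; event schema and baselines are assumptions, not a vendor format."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Three apps: a sanctioned one,
# an unusual one that reaches a privileged resource, and an unusual one that does not.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "event": "app.register", "actor": "app-admin@corp.example",
     "app_id": "app-hr-sync"},
    {"ts": "2024-05-01T09:10:00Z", "event": "consent.grant", "actor": "hr-lead@corp.example",
     "app_id": "app-hr-sync", "scopes": ["directory.readwrite"]},
    {"ts": "2024-05-01T09:11:00Z", "event": "token.issue", "actor": "hr-lead@corp.example",
     "app_id": "app-hr-sync", "token_id": "tok-001"},
    {"ts": "2024-05-01T09:12:00Z", "event": "resource.access", "token_id": "tok-001",
     "resource": "directory.readwrite"},
    {"ts": "2024-05-02T22:05:00Z", "event": "app.register", "actor": "jdoe@corp.example",
     "app_id": "app-quarterly-report"},
    {"ts": "2024-05-02T22:40:00Z", "event": "consent.grant", "actor": "cfo@corp.example",
     "app_id": "app-quarterly-report", "scopes": ["mail.read", "directory.readwrite"]},
    {"ts": "2024-05-02T22:41:00Z", "event": "token.issue", "actor": "cfo@corp.example",
     "app_id": "app-quarterly-report", "token_id": "tok-002"},
    {"ts": "2024-05-02T23:15:00Z", "event": "resource.access", "token_id": "tok-002",
     "resource": "mail.read"},
    {"ts": "2024-05-03T01:02:00Z", "event": "resource.access", "token_id": "tok-002",
     "resource": "directory.readwrite"},
    {"ts": "2024-05-02T10:00:00Z", "event": "app.register", "actor": "asmith@corp.example",
     "app_id": "app-calendar-widget"},
    {"ts": "2024-05-02T10:30:00Z", "event": "consent.grant", "actor": "asmith@corp.example",
     "app_id": "app-calendar-widget", "scopes": ["calendar.read"]},
    {"ts": "2024-05-02T10:31:00Z", "event": "token.issue", "actor": "asmith@corp.example",
     "app_id": "app-calendar-widget", "token_id": "tok-003"},
    {"ts": "2024-05-02T10:32:00Z", "event": "resource.access", "token_id": "tok-003",
     "resource": "calendar.read"},
]

# Local baselines (assumed values): approved registrants, already-governed apps,
# and the resources/scopes the organization treats as high privilege.
APPROVED_REGISTRANTS = {"app-admin@corp.example"}
SANCTIONED_APPS = {"app-hr-sync"}
PRIVILEGED_RESOURCES = {"directory.readwrite", "roles.manage", "files.readwrite.all"}


@dataclass
class Chain:
    app_id: str
    registered_by: str
    registered_at: datetime
    consents: list[tuple[str, list[str]]] = field(default_factory=list)
    tokens: list[str] = field(default_factory=list)
    privileged_access: list[tuple[str, str, datetime]] = field(default_factory=list)

    def complete(self) -> bool:
        # All four stages observed: registration, consent, token, privileged access.
        return bool(self.consents and self.tokens and self.privileged_access)


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def correlate(events, approved_registrants=APPROVED_REGISTRANTS,
              sanctioned_apps=SANCTIONED_APPS,
              privileged_resources=PRIVILEGED_RESOURCES,
              window=timedelta(hours=72)) -> list[Chain]:
    """Return one Chain per unusual app whose registration is followed, in order and
    within `window`, by user consent, a token issued to a consenting user, and
    privileged access using one of those tokens. Sanctioned apps never enter."""
    events = sorted(events, key=_ts)
    chains: dict[str, Chain] = {}
    token_app: dict[str, str] = {}  # token_id -> app_id, for tokens tied to a chain

    for ev in events:
        kind = ev["event"]
        if kind == "app.register":
            unusual = (ev["app_id"] not in sanctioned_apps
                       and ev["actor"] not in approved_registrants)
            if unusual:
                chains[ev["app_id"]] = Chain(ev["app_id"], ev["actor"], _ts(ev))
            continue
        # Consent/token events carry app_id; access events are joined via token_id.
        app_id = ev.get("app_id") or token_app.get(ev.get("token_id", ""), "")
        chain = chains.get(app_id)
        if chain is None or _ts(ev) - chain.registered_at > window:
            continue
        if kind == "consent.grant":
            chain.consents.append((ev["actor"], ev["scopes"]))
        elif kind == "token.issue":
            # Only tokens issued to a user who consented to this app count.
            if any(user == ev["actor"] for user, _ in chain.consents):
                chain.tokens.append(ev["token_id"])
                token_app[ev["token_id"]] = chain.app_id
        elif kind == "resource.access":
            if ev["token_id"] in chain.tokens and ev["resource"] in privileged_resources:
                chain.privileged_access.append((ev["token_id"], ev["resource"], _ts(ev)))

    return [c for c in chains.values() if c.complete()]


if __name__ == "__main__":
    for c in correlate(SAMPLE_EVENTS):
        print(f"ALERT app={c.app_id} registered_by={c.registered_by} "
              f"consents={c.consents} tokens={c.tokens} privileged={c.privileged_access}")
```

On the constructed input only app-quarterly-report is reported: app-hr-sync is excluded at the baseline stage, and app-calendar-widget completes consent and token issuance but never touches a privileged resource, so it is dropped rather than alerted. The window and the baseline sets are the false-positive controls the Detection direction bullets call for; widening the window catches slow-burn consent phishing at the cost of more partial matches. The last join depends on access logs carrying a token identifier; where the identity provider does not retain that, the chain stops at token issuance, which is exactly the blind spot to check for.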

Mitigation priorities

  • Establish governance for OAuth app registration, ownership, review, and approval.
  • Restrict or review user consent to OAuth applications based on risk and business need.
  • Require periodic review of app permissions, consent grants, and access to high-privilege resources.
  • Ensure identity-provider audit, consent, token, and resource-access logs are retained and available to SOC and IR teams.
  • Define an incident response playbook for suspicious OAuth apps, including consent review, token revocation, app disablement, and affected-user assessment.

Analyst notes and limits

AN1425 is a detection analytic object in ATT&CK Enterprise release 19.1 for the Identity Provider platform. Its description gives a useful correlation pattern, but ATT&CK does not provide detection logic, tactics, aliases, labels, or relationship context for this object. The practical value is in validating whether identity telemetry can join OAuth app lifecycle events to consent and privileged resource access.

This take is limited to the supplied ATT&CK STIX fields, external reference, and absence of relationships. It does not establish active exploitation, adversary attribution, impact, or guaranteed detection. Local identity-provider logging, retention, consent policy, and resource-access visibility will determine whether this analytic is actionable.

Official MITRE ATT&CK definition

Analytic 1425

Unusual OAuth app registration followed by user-granted OAuth tokens and subsequent high-privilege resource access via those tokens.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate any related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions; for this object the mirrored data carries no such relationships, so coverage decisions rest on local telemetry alone.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in mirrored snapshot)
Modified: (empty in mirrored snapshot)
Raw hash: 6e41201b1757c250...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (empty) | 1.0 | (empty) | Current bundle | 6e41201b1757…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN1425 (source URL on attack.mitre.org)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.