MITRE ATT&CK® Detection Strategy

DET0515: Detection Strategy for T1528 - Steal Application Access Token


Domain: Enterprise | ID: DET0515 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0515 is a MITRE detection strategy object for ATT&CK technique T1528, Steal Application Access Token. Its business significance is that application tokens can function like portable credentials for cloud, SaaS, identity provider, container, and IaaS APIs. If defenders cannot account for token issuance, storage, use, and abnormal API access, an incident may look like legitimate application activity rather than credential theft.

Executive priority

Prioritize this as an identity and cloud control-validation topic, not just a SOC rule. Leaders should ask whether the organization can prove which applications and services hold access tokens, where token use is logged, how quickly suspicious token activity can be investigated, and what evidence would support audit or incident decisions. Because the official detection strategy has no provided detection text, local control and telemetry validation are essential before claiming coverage.

Technical view

Use the relationship to T1528 to scope validation around credential-access behavior involving application access tokens across the supported related platforms: Containers, IaaS, Identity Provider, and Office Suite. SOC and IR teams should verify that API authentication events, token issuance or refresh events where available, application consent or service principal activity, cloud control-plane access, container platform API activity, and SaaS audit logs can be correlated to users, services, applications, source locations, and resource access. Detection engineering should focus on anomalous token use and abuse patterns while accounting for legitimate automation and service-to-service traffic.

Likely telemetry

  • Identity provider audit logs for application, service principal, OAuth, consent, token, and sign-in activity where available
  • Cloud/IaaS control-plane API logs showing authenticated requests made by users, roles, services, or applications
  • Office suite or SaaS audit logs for application access and API-driven activity
  • Container platform audit logs for API access and service account or application-token usage
  • Endpoint or workload logs that may show token storage access, application configuration access, or unusual process access to credential material

Detection direction

  • Validate that monitoring covers the related T1528 scope: credential access involving application access tokens in Containers, IaaS, Identity Provider, and Office Suite environments.
  • Tune for abnormal token or application activity such as unusual source locations, new or rare applications, unexpected API access patterns, unusual service principal behavior, or activity inconsistent with normal automation baselines.
  • Correlate token-related events with application ownership, service accounts, privileged roles, workload identity, and recent administrative changes to reduce false positives.
  • Account for blind spots where token issuance, refresh, or API use is not logged, logs are retained too briefly, or SaaS and cloud audit sources are not centralized in the SIEM.
  • Because MITRE provides no official detection text for this object, treat any analytic as locally derived and require testing against known-good administrative and automation workflows.
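As an added illustration of the tuning direction above (not part of the Glexia analysis or of MITRE's object), the following Python builds a per-application baseline of source locations and APIs from constructed audit records and flags token use that deviates from it, suppressing applications whose ownership context documents them as legitimately roaming. Field names, application names and events are constructed assumptions, not any vendor's schema.

```python
"""Baseline-and-deviation check for application access token use (constructed example)."""
from collections import defaultdict

# Constructed identity-provider style audit records; field names are assumptions,
# not any vendor's schema. Each record is one API request authenticated with an
# application access token during the baseline (known-good) window.
BASELINE_EVENTS = [
    {"app": "backup-svc", "principal": "sp-backup", "country": "DE", "api": "storage.read"},
    {"app": "backup-svc", "principal": "sp-backup", "country": "DE", "api": "storage.list"},
    {"app": "mail-sync", "principal": "sp-mail", "country": "DE", "api": "mail.read"},
    {"app": "ci-runner", "principal": "sp-ci", "country": "US", "api": "repo.read"},
]

# Constructed records from the window under review.
NEW_EVENTS = [
    {"app": "backup-svc", "principal": "sp-backup", "country": "DE", "api": "storage.read"},
    {"app": "backup-svc", "principal": "sp-backup", "country": "RU", "api": "storage.read"},
    {"app": "inbox-helper", "principal": "sp-helper", "country": "DE", "api": "mail.read"},
    {"app": "ci-runner", "principal": "sp-ci", "country": "US", "api": "iam.assignRole"},
]

# Ownership context used to suppress expected deviations: applications whose
# source location legitimately changes (e.g. ephemeral build runners).
ROAMING_APPS = frozenset({"ci-runner"})


def build_baseline(events):
    """Per application: the source countries and APIs seen in the baseline window."""
    base = defaultdict(lambda: {"countries": set(), "apis": set()})
    for e in events:
        base[e["app"]]["countries"].add(e["country"])
        base[e["app"]]["apis"].add(e["api"])
    return base


def flag_token_anomalies(events, baseline, roaming_apps=frozenset()):
    """Return (reason, record) pairs for token use that deviates from the baseline."""
    findings = []
    for e in events:
        app = e["app"]
        if app not in baseline:  # application never seen using a token before
            findings.append(("new_application", e))
            continue
        if e["country"] not in baseline[app]["countries"] and app not in roaming_apps:
            findings.append(("new_source_location", e))
        if e["api"] not in baseline[app]["apis"]:  # token used against an unfamiliar API
            findings.append(("new_api_for_application", e))
    return findings
```

Each finding should be reviewed against application ownership and recent administrative changes before it is promoted to an alert, as the third bullet above recommends.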

Mitigation priorities

  • Inventory applications, service principals, workload identities, and service accounts that use access tokens for cloud, SaaS, identity provider, and container APIs.
  • Restrict token scope and privileges to least privilege, especially for high-impact APIs and administrative functions.
  • Review token lifetime, refresh behavior, storage practices, and rotation processes according to platform capabilities and organizational policy.
  • Centralize relevant identity, cloud, SaaS, and container audit logs and ensure retention supports incident response and compliance evidence needs.
  • Prepare IR procedures for suspected token theft, including token revocation, application credential rotation, affected resource review, and validation of follow-on API activity.

Analyst notes and limits

This take is based on the DET0515 detection strategy metadata and its relationship to ATT&CK T1528, Steal Application Access Token. The related technique is categorized under credential-access and lists Containers, IaaS, Identity Provider, and Office Suite as related platforms. The practical value is in validating whether token-centric identity and cloud activity is observable and actionable across those environments.

The supplied DET0515 object has no official description, no official detection guidance, no tactics, and no platforms specified directly on the detection-strategy object. The related T1528 description is partially truncated in the supplied data. Any environment-specific detection logic, severity, exposure, or exploitation claims require local telemetry and risk assessment.

Official MITRE ATT&CK definition

Detection Strategy for T1528 - Steal Application Access Token

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain     | ID    | Name                           | Relationship / procedure
Enterprise | T1528 | Steal Application Access Token | This object detects Steal Application Access Token.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6c8bd79e1da65943...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 6c8bd79e1da6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0515
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.