
Potentially Suspicious JWT Token Search Via CLI (6d3a3952-6530-44a3-8554-cf17c116c615)

Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others. Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
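Added example, not part of the MISP galaxy entry or the Sigma rule itself: it shows why "eyJ0eX" and "eyJhbG" are stable JWT markers (they are the base64 encoding of a header starting with `{"typ` or `{"alg`) and applies the same substring check to a few constructed process-creation events. The `CommandLine` field name and the sample events are assumptions.

```python
import base64
import json

# The two strings the rule searches for, as given in the description.
JWT_MARKERS = ("eyJ0eX", "eyJhbG")


def jwt_header_prefix(header: dict) -> str:
    """Return the first 6 base64url characters of a compact JWT header.

    A JWT header is base64url(JSON). Because base64 maps 3 bytes to 4
    characters, the first 6 characters depend only on the first 4.5
    bytes, i.e. on '{"typ' or '{"alg', never on the values. That is why
    every token whose header begins with typ or alg shares one marker.
    """
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")[:6]


def is_suspicious_jwt_search(command_line: str) -> bool:
    """Mirror the rule's logic: does the command line contain a JWT marker?"""
    return any(marker in command_line for marker in JWT_MARKERS)


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r'findstr /s /i "eyJhbG" C:\Users\*.json'},
    {"Image": r"C:\Program Files\Git\usr\bin\grep.exe",
     "CommandLine": "grep -r eyJ0eX /home/svc/.cache"},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r'findstr /s "password" C:\inetpub'},
]


def matching_events(events: list) -> list:
    """Return the events the rule would flag."""
    return [e for e in events if is_suspicious_jwt_search(e["CommandLine"])]


if __name__ == "__main__":
    # Derive the markers instead of trusting them blindly.
    print(jwt_header_prefix({"typ": "JWT", "alg": "HS256"}))  # eyJ0eX
    print(jwt_header_prefix({"alg": "HS256", "typ": "JWT"}))  # eyJhbG
    for event in matching_events(SAMPLE_EVENTS):
        print("ALERT:", event["Image"], "->", event["CommandLine"])
```

The third sample event is a plain credential search without a JWT marker and is deliberately not flagged; it would belong to a different rule.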

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Potentially Suspicious JWT Token Search Via CLI (6d3a3952-6530-44a3-8554-cf17c116c615) | Sigma-Rules | Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | 1 |
| Potentially Suspicious JWT Token Search Via CLI (6d3a3952-6530-44a3-8554-cf17c116c615) | Sigma-Rules | Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a) | Attack Pattern | 1 |
| Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 2 |