Potentially Suspicious JWT Token Search Via CLI

Detects a potentially suspicious search for JWT tokens via the command line by looking for the strings "eyJ0eX" or "eyJhbG", which are the Base64url-encoded start of a JWT header ('{"typ":' or '{"alg":'). JWTs are commonly used as access tokens by applications and services such as Microsoft 365, Azure, AWS and Google Cloud. Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.

Sigma rule

title: Potentially Suspicious JWT Token Search Via CLI
id: 6d3a3952-6530-44a3-8554-cf17c116c615
status: test
description: |
    Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
    JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
    Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
references:
    - https://mrd0x.com/stealing-tokens-from-office-applications/
    - https://www.scip.ch/en/?labs.20240523
author: Nasreddine Bencherchali (Nextron Systems), kagebunsher
date: 2022-10-25
modified: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1528
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        CommandLine|contains:
            - 'find '
            - 'find.exe'
            - 'findstr'
            - 'select-string '
            - 'strings'
    selection_jwt_string:
        CommandLine|contains:
            - 'eyJ0eXAiOi' # {"typ":
            - 'eyJhbGciOi' # {"alg":
            - ' eyJ0eX'
            - ' "eyJ0eX"'
            - " 'eyJ0eX'"
            - ' eyJhbG'
            - ' "eyJhbG"'
            - " 'eyJhbG'"
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
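The following is an added example, not part of the Sigma rule or the SigmaHQ project. It derives the rule's "eyJ0eXAiOi"/"eyJhbGciOi" magic strings from the JSON they encode, then evaluates the rule's "all of selection_*" logic over a handful of constructed, hypothetical CommandLine values to show which ones alert and which do not.

```python
import base64
import json

# Selection lists copied from the Sigma rule above. Sigma's |contains modifier
# is a case-insensitive substring match, so the lowercase comparison below
# mirrors what a converted EDR/SIEM query does on the CommandLine field.
SELECTION_TOOLS = ["find ", "find.exe", "findstr", "select-string ", "strings"]
SELECTION_JWT_STRING = [
    "eyJ0eXAiOi", "eyJhbGciOi",            # {"typ":  and  {"alg":
    " eyJ0eX", ' "eyJ0eX"', " 'eyJ0eX'",   # bare or quoted shorter prefixes
    " eyJhbG", ' "eyJhbG"', " 'eyJhbG'",
]


def jwt_header_segment(header: dict) -> str:
    """Base64url-encode a JWT header (padding stripped, as in RFC 7519) so the
    rule's magic strings can be derived from the JSON they represent."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def matches_rule(command_line: str) -> bool:
    """Evaluate 'condition: all of selection_*' for one CommandLine value:
    a search tool AND a JWT-header prefix must both be present."""
    cl = command_line.lower()
    tool_hit = any(s.lower() in cl for s in SELECTION_TOOLS)
    jwt_hit = any(s.lower() in cl for s in SELECTION_JWT_STRING)
    return tool_hit and jwt_hit


# Constructed sample CommandLine values (hypothetical, not real telemetry).
SAMPLE_EVENTS = {
    "findstr for quoted prefix": 'findstr /s /i "eyJ0eX" C:\\Users\\*.log',
    "Select-String for prefix": "powershell -c Select-String -Pattern 'eyJhbG' -Path *.txt",
    "benign findstr": 'findstr /c:"error" app.log',
    # A token merely appearing on a command line is not enough: no search tool.
    "token present, no search": 'curl -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.x.y"',
}


def evaluate_samples() -> dict:
    """Run every sample through the rule; only the first two should alert."""
    return {name: matches_rule(cl) for name, cl in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    print("derived prefix:", jwt_header_segment({"typ": "JWT", "alg": "HS256"}))
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'ok   '} {name}")
```

Because the rule requires both a search tool and the header prefix, a developer grepping local logs for their own token produces the same alert as an attacker hunting for one; that is the main source of benign hits to expect when tuning it.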
