Potentially Suspicious JWT Token Search Via CLI

Detects a possible search for JWT tokens via the command line by looking for the strings "eyJ0eX" or "eyJhbG". These strings are used as anchors for the start of a JWT token (the Base64-encoded JSON header) as used by Microsoft Office and similar applications.

Sigma rule

title: Potentially Suspicious JWT Token Search Via CLI
id: 6d3a3952-6530-44a3-8554-cf17c116c615
status: test
description: |
    Detects possible search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
    This string is used as an anchor to look for the start of the JWT token used by microsoft office and similar apps.
references:
    - https://mrd0x.com/stealing-tokens-from-office-applications/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-25
modified: 2024-10-06
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'eyJ0eXAiOi' # {"typ":
            - 'eyJhbGciOi' # {"alg":
            - ' eyJ0eX'
            - ' "eyJ0eX"'
            - " 'eyJ0eX'"
            - ' eyJhbG'
            - ' "eyJhbG"'
            - " 'eyJhbG'"
    condition: selection
falsepositives:
    - Unknown
level: medium
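The example below is added here to show two things the rule text only implies: where the "eyJ0eX"/"eyJhbG" anchors come from (they are the first characters of the Base64url-encoded JWT header, which always begins with `{"typ":` or `{"alg":`), and how the `CommandLine|contains` list behaves when evaluated against process-creation events. It is not code from the rule's author or from the Sigma project; the event records and the sample command lines are constructed for illustration, and the matcher re-implements Sigma's default `contains` semantics (case-insensitive substring, OR across the list) without any backend-specific escaping.

```python
import base64
import json

# Anchors copied from the rule's CommandLine|contains selection.
JWT_ANCHORS = [
    'eyJ0eXAiOi',   # {"typ":
    'eyJhbGciOi',   # {"alg":
    ' eyJ0eX',
    ' "eyJ0eX"',
    " 'eyJ0eX'",
    ' eyJhbG',
    ' "eyJhbG"',
    " 'eyJhbG'",
]


def jwt_header_prefix(header: dict) -> str:
    """Encode a JWT header exactly as the first token segment is built
    (compact JSON, Base64url, padding stripped). Shows why every JWT whose
    header starts with "typ" or "alg" begins with eyJ0eX... or eyJhbG..."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def matched_anchor(command_line: str):
    """Return the first anchor found in the command line, or None.

    Sigma string modifiers are case-insensitive by default, so a backend
    will typically lower-case both sides; we do the same here. Note this
    makes a Base64 anchor slightly broader than the exact byte sequence.
    """
    haystack = command_line.lower()
    for anchor in JWT_ANCHORS:
        if anchor.lower() in haystack:
            return anchor
    return None


def matches_rule(command_line: str) -> bool:
    """Sigma 'contains' over a list is an OR of substring tests."""
    return matched_anchor(command_line) is not None


def evaluate(events):
    """Apply the selection to process_creation events; return the hits."""
    return [e for e in events if matches_rule(e["CommandLine"])]


# Constructed process_creation events (not real telemetry).
CONSTRUCTED_EVENTS = [
    {"Image": "C:\\Windows\\System32\\findstr.exe",
     "CommandLine": 'findstr /S /I "eyJ0eX" C:\\Users\\*'},            # hit: ' "eyJ0eX"'
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c Select-String -Pattern eyJhbG -Path C:\\temp\\*.log"},  # hit: ' eyJhbG'
    {"Image": "C:\\Windows\\System32\\curl.exe",
     # A script passing a real token on the command line also fires the
     # rule: the 'eyJ0eXAiOi' anchor matches the token itself, not a search.
     "CommandLine": 'curl -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.x.y" https://api.example.invalid'},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes.txt"},                        # no hit
]


if __name__ == "__main__":
    for hdr in ({"typ": "JWT", "alg": "RS256"}, {"alg": "HS256", "typ": "JWT"}):
        print(hdr, "->", jwt_header_prefix(hdr))
    for ev in CONSTRUCTED_EVENTS:
        print(f"{matched_anchor(ev['CommandLine'])!r:14} {ev['CommandLine']}")
```

The third constructed event is the practical caveat behind the rule's `falsepositives: Unknown`: the two ten-character anchors match any JWT that appears literally on a command line, so automation that passes bearer tokens as arguments will trip the rule alongside genuine searches, and triage should look at the parent process and the rest of the command line rather than at the anchor alone.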
