mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 06:04:56 +03:00
mukul975
52 lines
1.6 KiB
Markdown
52 lines
1.6 KiB
Markdown
# API Reference: Detecting OAuth Token Theft
|
|
|
|
## Microsoft Graph Sign-In Logs
|
|
```bash
|
|
# Query sign-in logs
|
|
curl -H "Authorization: Bearer $MS_TOKEN" \
|
|
"https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=createdDateTime ge 2025-01-01&\$top=100"
|
|
```
|
|
|
|
### Sign-In Event Fields
|
|
| Field | Description |
|
|
|-------|------------|
|
|
| userPrincipalName | User email/UPN |
|
|
| ipAddress | Source IP address |
|
|
| location.city | Geo city |
|
|
| location.geoCoordinates | Lat/lon |
|
|
| deviceDetail.deviceId | Device identifier |
|
|
| resourceDisplayName | Target resource |
|
|
| status.errorCode | 0 = success |
|
|
| riskState | none, confirmedCompromised, remediated |
|
|
|
|
## Okta System Log API
|
|
```bash
|
|
# Query events
|
|
curl -H "Authorization: SSWS $OKTA_TOKEN" \
|
|
"https://your-org.okta.com/api/v1/logs?filter=eventType eq \"user.session.start\"&since=2025-01-01"
|
|
```
|
|
|
|
## Detection Logic
|
|
| Detection | Method |
|
|
|-----------|--------|
|
|
| Impossible travel | Haversine distance / time > 900 km/h |
|
|
| Token replay | Same user, 3+ IPs within 5 min window |
|
|
| New device | Device ID not in known device inventory |
|
|
| Suspicious scopes | 2+ sensitive OAuth scopes requested |
|
|
|
|
## Sensitive OAuth Scopes (Microsoft)
|
|
| Scope | Risk |
|
|
|-------|------|
|
|
| Mail.ReadWrite | Email access |
|
|
| Mail.Send | Send-as capability |
|
|
| Files.ReadWrite.All | Full file access |
|
|
| Directory.ReadWrite.All | AD modification |
|
|
| Application.ReadWrite.All | App registration |
|
|
|
|
## MITRE ATT&CK Mapping
|
|
| Technique | Description |
|
|
|-----------|------------|
|
|
| T1528 | Steal Application Access Token |
|
|
| T1550.001 | Application Access Token reuse |
|
|
| T1078.004 | Cloud Accounts |
|