Potentially Suspicious JWT Token Search Via CLI
Detects a potentially suspicious search for JWT tokens via the CLI by looking for the strings "eyJ0eX" or "eyJhbG" in the command line of common search tools. JWT tokens are often used as access tokens across various applications and services such as Microsoft 365, Azure, AWS, Google Cloud, and others. Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1528 Steal Application Access Token, T1552.001 Unsecured Credentials: Credentials In Files |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: all of selection_tools (any one of the following):
- CommandLine|contains: 'find '
- CommandLine|contains: find.exe
- CommandLine|contains: findstr
- CommandLine|contains: 'select-string '
- CommandLine|contains: strings
Stage 2: all of selection_jwt_string (any one of the following):
- CommandLine|contains: ' ''eyJ0eX'''
- CommandLine|contains: ' ''eyJhbG'''
- CommandLine|contains: ' "eyJ0eX"'
- CommandLine|contains: ' "eyJhbG"'
- CommandLine|contains: ' eyJ0eX'
- CommandLine|contains: ' eyJhbG'
- CommandLine|contains: eyJ0eXAiOi
- CommandLine|contains: eyJhbGciOi
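The two stages above combine as "both selections must match, each satisfied by any one of its values". The following is an added Python example, not part of the rule or the catalog, that evaluates that logic over a few constructed command lines; the YAML-quoted jwt values are decoded into the literal substrings the rule actually compares, and matching is case-insensitive as Sigma does by default.

```python
from typing import Iterable, List, Tuple

# selection_tools: any one of these substrings in CommandLine (note the trailing spaces).
SELECTION_TOOLS = ["find ", "find.exe", "findstr", "select-string ", "strings"]

# selection_jwt_string with YAML single-quote escaping decoded: ' ''eyJ0eX''' is the
# YAML scalar " 'eyJ0eX'". eyJ0eX / eyJhbG are the Base64 prefixes of a JWT header
# beginning {"typ / {"alg, so they pick out the start of an encoded token.
SELECTION_JWT_STRING = [
    " 'eyJ0eX'", " 'eyJhbG'",    # token wrapped in single quotes
    ' "eyJ0eX"', ' "eyJhbG"',    # token wrapped in double quotes
    " eyJ0eX", " eyJhbG",        # bare token after a space
    "eyJ0eXAiOi", "eyJhbGciOi",  # longer prefixes, no surrounding context required
]


def _any_contains(command_line: str, needles: Iterable[str]) -> bool:
    # Sigma string matching is case-insensitive unless the 'cased' modifier is used.
    haystack = command_line.lower()
    return any(n.lower() in haystack for n in needles)


def rule_matches(command_line: str) -> bool:
    """Condition 'all of selection_*': selection_tools AND selection_jwt_string."""
    return _any_contains(command_line, SELECTION_TOOLS) and _any_contains(
        command_line, SELECTION_JWT_STRING
    )


# Constructed sample process-creation command lines with the expected verdict.
SAMPLE_EVENTS: List[Tuple[str, bool]] = [
    ('findstr /S /I "eyJhbG" C:\\Users\\*.json', True),
    ("powershell -c Select-String -Path .\\logs\\*.txt -Pattern 'eyJ0eX'", True),
    ('findstr /S "password" C:\\Users\\*.txt', False),  # search tool, no JWT prefix
    ('curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30" https://api.example.test', False),  # JWT, no tool
    ("notepad.exe C:\\temp\\eyJ0eXAiOi.txt", False),  # JWT prefix, no tool
]


def evaluate(events: List[Tuple[str, bool]]) -> List[bool]:
    """Return the rule verdict for each sample command line."""
    return [rule_matches(cmd) for cmd, _ in events]


if __name__ == "__main__":
    for (cmd, expected), verdict in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT ' if verdict else 'quiet '} expected={expected}  {cmd}")
```

The curl and notepad samples show why the rule requires both selections: a token appearing on a command line is not by itself a search for tokens.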
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank cell or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | |