{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/api_token/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Okta Identity Cloud"],"_cs_severities":["high"],"_cs_tags":["okta","api_token","account_takeover","persistence"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThe creation of new API tokens within an Okta tenant is a critical event to monitor, as it can signal account takeover or malicious insider activity. This activity is detected using OktaIm2 logs ingested through the Splunk Add-on for Okta Identity Cloud. The creation of an API token allows an attacker to bypass normal authentication controls, enabling them to perform administrative actions and access sensitive data. The \u003ccode\u003esystem.api_token.create\u003c/code\u003e command is the key indicator in the Okta logs. Defenders should closely monitor these events, as threat actors can leverage these tokens for persistence, data exfiltration, and further malicious activities within the Okta environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an Okta user account, potentially through credential stuffing, phishing, or malware.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Okta environment using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Okta admin console (or uses the Okta API via command line tools).\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003esystem.api_token.create\u003c/code\u003e command to generate a new API token. This action is logged in the OktaIm2 logs.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created API token to authenticate directly to the Okta API, bypassing standard MFA or login requirements.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the API token to enumerate users, groups, and applications within the Okta tenant.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies user permissions, adds new applications, or performs other administrative actions.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence within the Okta environment through continued use of the API token.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Okta API token creation attack can lead to complete compromise of the Okta tenant. This may result in unauthorized access to sensitive applications and data, modification of user permissions, and deployment of malicious applications within the organization's ecosystem. The impact includes data breaches, service disruption, and reputational damage. The risk is heightened if the compromised Okta tenant is used for Single Sign-On (SSO) across multiple applications, as the attacker can gain access to all integrated systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOkta New API Token Created\u003c/code\u003e to detect unauthorized API token creation attempts in your Okta environment.\u003c/li\u003e\n\u003cli\u003eEnable the Splunk Add-on for Okta Identity Cloud (\u003ca href=\"https://splunkbase.splunk.com/app/6553\"\u003ehttps://splunkbase.splunk.com/app/6553\u003c/a\u003e) to collect OktaIm2 logs.\u003c/li\u003e\n\u003cli\u003eReview Okta logs for unusual \u003ccode\u003esystem.api_token.create\u003c/code\u003e events originating from unfamiliar IP addresses or user agents.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and Multi-Factor Authentication (MFA) for all Okta administrator accounts to prevent account compromise.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual API activity after the creation of new tokens.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eOkta New API Token Created\u003c/code\u003e rule and validate the legitimacy of the token creation event.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-okta-api-token-creation/","summary":"Detection of new Okta API token creation, potentially indicating account compromise or unauthorized access leading to persistence and administrative control.","title":"Okta API Token Creation Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-okta-api-token-creation/"}],"language":"en","title":"CraftedSignal Threat Feed - Api_token","version":"https://jsonfeed.org/version/1.1"}