<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Api_token - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/api_token/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/api_token/feed.xml" rel="self" type="application/rss+xml"/><item><title>Okta API Token Creation Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-okta-api-token-creation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-okta-api-token-creation/</guid><description>Detection of new Okta API token creation, potentially indicating account compromise or unauthorized access leading to persistence and administrative control.</description><content:encoded><![CDATA[<p>The creation of new API tokens within an Okta tenant is a critical event to monitor, as it can signal account takeover or malicious insider activity. This activity is detected using OktaIm2 logs ingested through the Splunk Add-on for Okta Identity Cloud. The creation of an API token allows an attacker to bypass normal authentication controls, enabling them to perform administrative actions and access sensitive data. The <code>system.api_token.create</code> command is the key indicator in the Okta logs. Defenders should closely monitor these events, as threat actors can leverage these tokens for persistence, data exfiltration, and further malicious activities within the Okta environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an Okta user account, potentially through credential stuffing, phishing, or malware.</li>
<li>The attacker authenticates to the Okta environment using the compromised credentials.</li>
<li>The attacker navigates to the Okta admin console (or uses the Okta API via command line tools).</li>
<li>The attacker executes the <code>system.api_token.create</code> command to generate a new API token. This action is logged in the OktaIm2 logs.</li>
<li>The attacker uses the newly created API token to authenticate directly to the Okta API, bypassing standard MFA or login requirements.</li>
<li>The attacker leverages the API token to enumerate users, groups, and applications within the Okta tenant.</li>
<li>The attacker modifies user permissions, adds new applications, or performs other administrative actions.</li>
<li>The attacker maintains persistence within the Okta environment through continued use of the API token.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful Okta API token creation attack can lead to complete compromise of the Okta tenant. This may result in unauthorized access to sensitive applications and data, modification of user permissions, and deployment of malicious applications within the organization's ecosystem. The impact includes data breaches, service disruption, and reputational damage. The risk is heightened if the compromised Okta tenant is used for Single Sign-On (SSO) across multiple applications, as the attacker can gain access to all integrated systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Okta New API Token Created</code> to detect unauthorized API token creation attempts in your Okta environment.</li>
<li>Enable the Splunk Add-on for Okta Identity Cloud (<a href="https://splunkbase.splunk.com/app/6553">https://splunkbase.splunk.com/app/6553</a>) to collect OktaIm2 logs.</li>
<li>Review Okta logs for unusual <code>system.api_token.create</code> events originating from unfamiliar IP addresses or user agents.</li>
<li>Implement strict access controls and Multi-Factor Authentication (MFA) for all Okta administrator accounts to prevent account compromise.</li>
<li>Monitor for unusual API activity after the creation of new tokens.</li>
<li>Investigate any alerts generated by the <code>Okta New API Token Created</code> rule and validate the legitimacy of the token creation event.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>okta</category><category>api_token</category><category>account_takeover</category><category>persistence</category></item></channel></rss>