Tag
medium
advisory
Entra ID OAuth Application Redirect URI Modified
2 rules 2 TTPs
Adversaries are modifying OAuth application redirect URIs (ReplyUrls) in Microsoft Entra ID to intercept OAuth authorization codes and steal tokens, granting unauthorized access without new application registration or user consent.
Entra ID +1
cloud
identity
azure
persistence
credential-access
token-theft
microsoft-entra-id
high
advisory
Process Created with an Elevated Token via Token Theft
2 rules 1 TTP
This rule detects the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary, which adversaries may leverage to escalate privileges and bypass access controls through token theft.
privilege-escalation
token-theft
windows
high
advisory
Cinny Access Token Disclosure via Malicious Emoji Pack
3 rules 1 TTP
A remote authenticated attacker who shares a room with a victim can steal their Matrix access token by injecting a malicious emote pack, exploiting improper URL validation and service worker behavior in Cinny versions prior to 4.10.3.
cinny
credential-access
web-application
token-theft