Potentially Suspicious JWT Token Search Via CLI (6d3a3952-6530-44a3-8554-cf17c116c615)
Detects possible search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". This string is used as an anchor to look for the start of the JWT token used by microsoft office and similar apps.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a) | Attack Pattern | Potentially Suspicious JWT Token Search Via CLI (6d3a3952-6530-44a3-8554-cf17c116c615) | Sigma-Rules | 1 |