Suspicious Office Token Search Via CLI (6d3a3952-6530-44a3-8554-cf17c116c615)
Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Suspicious Office Token Search Via CLI (6d3a3952-6530-44a3-8554-cf17c116c615) | Sigma-Rules | Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a) | Attack Pattern | 1 |