Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Stage 6: Token Tampering & Session Hijack
Understanding Token Tampering: The Currency of Modern Identity Attacks
What Happens in Stage 6
Stage 6 represents a critical pivot point where adversaries abandon traditional credential-based attacks and shift their focus to tokens — the true currency of identity in contemporary authentication systems. At this stage, attackers have evolved beyond password compromise and now target the cryptographic artifacts that prove identity across distributed environments.
This transition marks a fundamental change in attack methodology. Rather than impersonating users through stolen credentials, attackers begin impersonating the identity infrastructure itself. They manipulate session cookies, replay OAuth access tokens, hijack refresh tokens, forge SAML assertions, and inject malicious claims into bearer tokens.
Attack Techniques Employed
Sophisticated threat actors leverage multiple token manipulation vectors:
  • Session cookie theft and replay across browser contexts
  • OAuth access token extraction and cross-application reuse
  • Refresh token hijacking for persistent access
  • SAML token forging with modified claims
  • Bearer token manipulation in API requests
  • Token claim injection to elevate privileges
  • Browser synchronization token extraction
  • Machine identity token replay in automated systems
  • Token substitution in CI/CD and DevOps pipelines

Critical Insight: Token compromise equals identity compromise. Once an attacker controls valid tokens, they effectively become the identity provider, capable of issuing authentication decisions that bypass virtually all traditional security controls.
Control: Effect once the attacker holds a valid token
Passwords: Completely bypassed — tokens eliminate the need for credential replay
Multi-Factor Authentication: Circumvented — valid tokens already carry MFA proof
Conditional Access: Evaded — tokens inherit the original policy evaluation
Phishing-Resistant Auth: Defeated — tokens function regardless of the initial authentication method
Device Trust: Subverted — tokens can be replayed from untrusted devices
Attacker Objectives & System Vulnerabilities
Strategic Objectives in Stage 6
Adversaries pursuing token tampering and session hijack attacks maintain clear tactical goals that transform compromised tokens into persistent access and privilege escalation opportunities. These objectives represent the culmination of early-stage reconnaissance and credential acquisition efforts.
1. Silent User Impersonation: Leverage stolen tokens to impersonate legitimate users without triggering authentication alerts or generating suspicious login patterns
2. Cross-Environment Token Replay: Reuse tokens across SaaS applications, cloud platforms, and on-premises systems to expand the access footprint
3. SAML Token Forging: Craft malicious SAML assertions with elevated claims to gain administrative privileges across federated applications
4. Refresh Token Persistence: Exploit long-lived refresh tokens to maintain persistent access and mint new tokens as needed
5. Machine Identity Abuse: Hijack service account and automation tokens to obtain admin-level system access
6. Multi-Cloud Lateral Movement: Navigate between Azure, AWS, GCP, and hybrid environments using stolen federation tokens
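The refresh-token objective above is what rotation with reuse detection, the pattern recommended in the OAuth 2.0 Security Best Current Practice, is designed to blunt: every refresh token is single-use, its successor belongs to the same "family", and presenting an already-rotated token revokes the whole family. The following is an added, self-contained illustration written for this page, not code from the framework; the store, the family model and the scenario in `demo_stolen_refresh_token` are constructed.

```python
import secrets
import time


class RefreshTokenStore:
    """One-time-use refresh tokens grouped into per-login families.

    Redeeming a token retires it and issues a successor in the same family.
    If a retired token is ever presented again, the whole family is revoked:
    either the real client or a thief holds a stale copy, and the server
    cannot tell which, so neither keeps access. All names here are
    constructed for this example.
    """

    def __init__(self, ttl_seconds=30 * 24 * 3600):
        self.ttl = ttl_seconds
        self.active = {}            # token -> (family_id, expires_at)
        self.retired = {}           # token -> family_id, already rotated away
        self.revoked_families = set()
        self.audit = []             # (event, family_id) pairs for a SIEM feed

    def issue(self, family_id=None, now=None):
        now = time.time() if now is None else now
        family_id = family_id or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self.active[token] = (family_id, now + self.ttl)
        return token, family_id

    def _revoke_family(self, family_id):
        self.revoked_families.add(family_id)
        for tok, (fam, _) in list(self.active.items()):
            if fam == family_id:
                del self.active[tok]

    def redeem(self, token, now=None):
        """Rotate the token; return the successor, or None if rejected."""
        now = time.time() if now is None else now
        if token in self.retired:
            # Replay of an already-rotated token (the BP-027 persistence
            # pattern, or a buggy client): kill the family and raise an alert.
            family_id = self.retired[token]
            self._revoke_family(family_id)
            self.audit.append(("refresh_token_reuse", family_id))
            return None
        entry = self.active.get(token)
        if entry is None:
            self.audit.append(("unknown_refresh_token", None))
            return None
        family_id, expires_at = entry
        del self.active[token]
        if family_id in self.revoked_families or now >= expires_at:
            self.audit.append(("expired_or_revoked", family_id))
            return None
        self.retired[token] = family_id
        successor, _ = self.issue(family_id, now)
        self.audit.append(("rotated", family_id))
        return successor


def demo_stolen_refresh_token():
    """Constructed scenario: a copy of the first token leaks and is replayed."""
    store = RefreshTokenStore()
    first, family_id = store.issue(now=1_000)
    stolen_copy = first                            # attacker's exfiltrated copy
    second = store.redeem(first, now=1_010)        # legitimate client rotates
    replay = store.redeem(stolen_copy, now=1_020)  # stale copy presented again
    victim = store.redeem(second, now=1_030)       # legitimate client is cut off too
    return {
        "rotation_ok": second is not None,
        "replay_rejected": replay is None,
        "family_revoked": victim is None and family_id in store.revoked_families,
        "alert_raised": ("refresh_token_reuse", family_id) in store.audit,
    }
```

The design choice worth noting is that reuse detection deliberately locks out the legitimate client as well: that forced re-authentication is the signal, and the `refresh_token_reuse` audit event is what a detection pipeline should key on, since it fires only when two parties hold the same family.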
Misconfigurations Enabling Stage 6
MC-018: Poor Browser Session Governance
Inadequate session timeout policies and unprotected browser sync mechanisms allow credential extraction from cached authentication artifacts
MC-037: Weak Token Signing
Insufficient certificate management enables SAML and OIDC token forgery attacks, as demonstrated in DarkHalo/SolarWinds campaigns
MC-131: Weak Claim Validation
Identity providers accepting modified or injected token claims without proper cryptographic verification
MC-147: Insufficient OAuth Governance
Malicious or compromised OAuth applications requesting excessive token scopes without adequate vetting
MC-138: Overprivileged API Identities
Long-lived machine tokens with excessive permissions enabling silent replay attacks across infrastructure
"Stage 6 marks the transition from 'compromised account' to stolen identity. Attackers stop being users and start being identity providers."
🛡️ Detection, Patterns & Threat Landscape
Detection Logic for Stage 6 Attacks
DL-024: Token Use from Unexpected Browser Sync
Identifies authentication tokens being reused across unrelated devices or browser profiles, indicating potential session hijacking
DL-032: Forged Token Claim Mismatch
Detects anomalous or inconsistent claims within tokens that suggest tampering or forgery attempts
DL-039: Federation Claim Manipulation
Identifies suspicious claims originating from external identity providers, including privilege escalation attempts
DL-056: Cross-Application Token Replay
Detects token reuse patterns across multiple SaaS applications or cloud environments
DL-068: Session Replay Behavioral Outlier
Identifies session reuse patterns that deviate from established user behavioral baselines
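DL-024, DL-056 and DL-068 all reduce to correlating one session identifier across the devices, addresses and applications that present it. The block below is an added example, not part of the framework and not a vendor's detection rule: it parses a small constructed log of access events (session ids, device ids, application names and RFC 5737 documentation addresses are all made up) and flags any session seen from more than one device, tagging it with the page's DL identifiers as an assumed mapping, and raising severity when the two devices use the session within an hour of each other.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of identity-provider / gateway access events. Field names,
# session ids, device ids and the RFC 5737 documentation IPs are all made up.
LOG = """\
2026-03-01T09:00:00Z sid=s-1001 user=alice app=mail device=dev-A ip=203.0.113.10
2026-03-01T09:05:00Z sid=s-1001 user=alice app=drive device=dev-A ip=203.0.113.10
2026-03-01T09:20:00Z sid=s-1001 user=alice app=mail device=dev-B ip=198.51.100.7
2026-03-01T09:21:00Z sid=s-1001 user=alice app=admin-console device=dev-B ip=198.51.100.7
2026-03-01T09:30:00Z sid=s-2002 user=bob app=mail device=dev-C ip=203.0.113.22
2026-03-01T10:00:00Z sid=s-2002 user=bob app=mail device=dev-C ip=203.0.113.22
2026-03-01T09:00:00Z sid=s-3003 user=carol app=drive device=dev-D ip=203.0.113.40
2026-03-01T16:00:00Z sid=s-3003 user=carol app=drive device=dev-E ip=203.0.113.41
"""

LINE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
    r"device=(?P<device>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(log: str) -> list:
    """Turn the key=value lines into dicts with a parsed timestamp."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                      # skip anything that is not an access event
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_session_replay(events: list, window=timedelta(hours=1)) -> list:
    """Flag session ids presented from more than one device.

    DL-024: the same session is seen from unrelated devices (any time gap).
    DL-056: the extra device also reaches applications the original device
            never touched, i.e. the token is being replayed across apps.
    Severity is "high" when the two devices use the session within `window`
    of each other, which is the signature of concurrent use.
    """
    by_sid = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_sid.setdefault(e["sid"], []).append(e)

    alerts = []
    for sid, evs in by_sid.items():
        devices = {e["device"] for e in evs}
        if len(devices) < 2:
            continue
        first_device = evs[0]["device"]
        baseline_apps = {e["app"] for e in evs if e["device"] == first_device}
        new_apps = {e["app"] for e in evs if e["device"] != first_device} - baseline_apps
        concurrent = any(
            a["device"] != b["device"] and b["ts"] - a["ts"] <= window
            for a, b in zip(evs, evs[1:])
        )
        rules = ["DL-024"] + (["DL-056"] if new_apps else [])
        alerts.append({
            "sid": sid,
            "user": evs[0]["user"],
            "devices": sorted(devices),
            "ips": sorted({e["ip"] for e in evs}),
            "new_apps": sorted(new_apps),
            "rules": rules,
            "severity": "high" if concurrent else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_events(LOG)):
        print(alert)
```

On the sample, alice's session is flagged high with both rules (a second device reaches `admin-console`, which the first never did), carol's is flagged medium under DL-024 alone, and bob's single-device session produces nothing. A production version would replace the device id with whatever binding the platform actually records (device compliance id, TLS client certificate, browser profile) and feed the user's historical device set in as the DL-068 baseline instead of the session's own first event.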

Identity Breach Patterns Leveraging Stage 6
BP-013: Browser Session Replay — Stolen browser cookies replayed across devices to hijack authenticated sessions
BP-022: Token Claim Manipulation — Modification of JWT or SAML claims to escalate privileges or extend validity
BP-018: SAML Forgery — Certificate abuse to craft malicious SAML assertions with arbitrary claims
BP-027: Refresh Token Theft — Long-lived refresh tokens extracted and used to mint new access tokens persistently
BP-015: Machine Identity Token Replay — Service account tokens replayed to gain administrative system access

Threat Actors Employing Stage 6 Techniques
1. ICTAM-006: DarkHalo — SAML token forging capabilities demonstrated in the SolarWinds supply chain compromise, leveraging stolen certificate material
2. ICTAM-001: APT29 (Cozy Bear) — Advanced token-based impersonation techniques targeting cloud infrastructure and federated authentication systems
3. ICTAM-014: Clop Ransomware — Session hijacking methodology for lateral movement following initial access through file transfer vulnerabilities
4. ICTAM-012: Black Basta — Privileged session theft tactics enabling rapid escalation from user-level to domain administrator access
5. ICTAM-022: SaaS Impersonation Actor — Multi-application token replay campaigns targeting OAuth-enabled SaaS ecosystems for data exfiltration
6. ICTAM-023: Automation Identity Hijacker — Specialized in API token replay attacks against CI/CD pipelines and DevOps automation frameworks

🔄 Stage 6 in the Complete Attack Chain
Stage 5: Privilege Escalation → Stage 6: Token Abuse → Stage 7: Lateral Movement → Stage 8: Persistence
Token abuse enables attackers to escalate privileges without credential interaction, move laterally through identity federation boundaries, impersonate administrators across cloud platforms, bypass security controls including MFA and conditional access, and establish near-undetectable persistence mechanisms.
Stage 6 represents the most dangerous inflection point in modern identity breach scenarios, where traditional security controls lose effectiveness and defenders must rely on behavioral analytics and token-level monitoring to detect compromise.

Why Stage 6 Is Critical
Unlike password-based attacks that trigger authentication logs, token abuse operates within the trusted authentication boundary. Attackers leveraging stolen or forged tokens appear to security systems as legitimate, authenticated users — making detection extraordinarily challenging without specialized identity threat detection capabilities.
