← Back to SOC feed Coverage →

Potentially Suspicious JWT Token Search Via CLI

sigma MEDIUM SigmaHQ
T1528T1552.001
imProcessCreate
lateral-movement
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-21T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects potentially suspicious search for JWT tokens via CLI by looking for the string “eyJ0eX” or “eyJhbG”. JWT tokens are often used for access-tokens across various applications and services like M

Detection Rule

Sigma (Original)

title: Potentially Suspicious JWT Token Search Via CLI
id: 6d3a3952-6530-44a3-8554-cf17c116c615
status: test
description: |
    Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
    JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
    Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
references:
    - https://mrd0x.com/stealing-tokens-from-office-applications/
    - https://www.scip.ch/en/?labs.20240523
author: Nasreddine Bencherchali (Nextron Systems), kagebunsher
date: 2022-10-25
modified: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1528
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        CommandLine|contains:
            - 'find '
            - 'find.exe'
            - 'findstr'
            - 'select-string '
            - 'strings'
    selection_jwt_string:
        CommandLine|contains:
            - 'eyJ0eXAiOi' # {"typ":
            - 'eyJhbGciOi' # {"alg":
            - ' eyJ0eX'
            - ' "eyJ0eX"'
            - " 'eyJ0eX'"
            - ' eyJhbG'
            - ' "eyJhbG"'
            - " 'eyJhbG'"
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains "find " or TargetProcessCommandLine contains "find.exe" or TargetProcessCommandLine contains "findstr" or TargetProcessCommandLine contains "select-string " or TargetProcessCommandLine contains "strings") and (TargetProcessCommandLine contains "eyJ0eXAiOi" or TargetProcessCommandLine contains "eyJhbGciOi" or TargetProcessCommandLine contains " eyJ0eX" or TargetProcessCommandLine contains " \"eyJ0eX\"" or TargetProcessCommandLine contains " 'eyJ0eX'" or TargetProcessCommandLine contains " eyJhbG" or TargetProcessCommandLine contains " \"eyJhbG\"" or TargetProcessCommandLine contains " 'eyJhbG'")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_jwt_token_search.yml