Preparation
Archive Data
Authorization Token Staging
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Device Mounting
Email Collection
External Media Formatting
File Download
File Exploration
Impersonation
Increase Privileges
IT Ticketing System Exploration
Network Scanning
On-Screen Data Collection
Persistent Access via Bots
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Remote Desktop (RDP)
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installation of Dark Web-Capable Browsers
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
- ID: PR030
- Created: 15th August 2025
- Updated: 17th August 2025
- Contributor: Husein Patel
Authorization Token Staging
The subject pre-authorizes access to internal or third-party services using OAuth or other token-based mechanisms, creating persistent or stealth access pathways for future use. This staging behavior allows access to be decoupled from standard authentication workflows, enabling the subject to retrieve, manipulate, or exfiltrate data without using core credentials or triggering routine identity-based alerts.
Token staging is particularly relevant in cloud and hybrid environments where delegated access via OAuth, SAML, or API keys is commonly used. When authorization tokens grant broad scopes (e.g., full mailbox or document access), they can effectively serve as alternate credentials — often surviving role changes, session terminations, or identity deactivations.
From an investigative standpoint, this behavior constitutes an intentional act of access persistence setup. It may indicate foresight, circumvention of governance controls, or preparation for covert activity. Detection typically requires correlating authorization logs with subject role, timing, and expected access boundaries - especially where third-party application use diverges from organizational norms.