M2M token replay AA24-057A
Engine-driven compliance rail for M2M token replay (workload identity exfil + reuse against cloud tenants) on the Financial Services protect-surface layout. Step controls cycle through the engine's Trust-Failure chain; each step shows the in-scope provisions the failure implicates and, where a regulatory clock applies, the obligation diamond.
step 01 / 06
step 01TF1observedATT&CK T1078.004
stage 1
Adversary targets a service / system account or dormant user account on the cloud tenant. AA24-057A: "Service accounts are often highly privileged… there is no human user behind them so they cannot be easily protected with MFA, making these accounts more susceptible to a successful compromise."
mitigating controls
ztna-gateway
in-scope provisions (6)
- partialID.AM-01 — Asset Management
- partialID.AM-02 — Asset Management
- partialID.AM-03 — Asset Management
- partialID.AM-04 — Asset Management
- partialID.AM-05 — Asset Management
- partialID.AM-07 — Asset Management
obligation
no regulatory clock for this step
- 01Initial Accessidentity-svcA service-principal secret leaks through a compromised CI run. The IdP accepts the token because it carries valid scopes and is still inside its (over-long) lifetime.
- 02Persistencecloud-infraThe actor authenticates to the cloud control plane as the service principal. AA24-057A documents long-dwell service-account abuse where the trust algorithm never re-decisions on freshness.
- 03Collectiondatabase-systemsThe service principal’s standing read on production databases is exercised. No east-west PEP demands a fresh principal claim, so query traffic flows.
- 04Exfiltrationcloud-storageBulk reads land in an attacker-controlled cloud bucket. Egress audit logs catch the volume only retrospectively — an Audit-Failure window the actor counted on.