Initial construction of new web credential material (e.g., Windows EID 1200 or 4769)

| Name | Channel |
|---|---|
| AWS:CloudTrail | AssumeRole, GetFederationToken API calls by unusual or new entities |
| azure:signinLogs | SAML/OIDC tokens issued without corresponding MFA or password validation |
| m365:oauth | OAuth grants or tokens issued without expected user consent |
| m365:unified | Session creation without MFA or login event |
| WinEventLog:ADFS | Token issuance events showing anomalous claims or issuers |

| ID | Name | Technique Detected |
|---|---|---|
| DET0148 | Detection Strategy for Forged SAML Tokens | T1606.002 |
| DET0260 | Detection Strategy for Forged Web Credentials | T1606 |