Initial construction of new web credential material (ex: Windows EID 1200 or 4769)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1606 | Forge Web Credentials | Monitor for creation of access tokens using SAML tokens that do not have corresponding 4769 ("A Kerberos service ticket was requested") and 1200 ("The Federation Service issued a valid token") events in the domain.[3] Additionally, detect on unusual API calls to generate access tokens, such as |
| | .002 | SAML Tokens | Monitor for creation of access tokens using SAML tokens that do not have corresponding 4769 and 1200 events in the domain.[3] A token forged with a stolen token-signing key never passes through the federation service, so the issuance and Kerberos events that a legitimate token leaves behind are absent. |
An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1606 | Forge Web Credentials | Monitor for the use of access tokens to access services such as email that were created using SAML tokens that do not have corresponding 1202 events in the domain.[3] |
| | .001 | Web Cookies | Monitor for the usage of unexpected or unusual cookies to access resources and services. Forged web cookies may be associated with unknown accounts and could be the result of compromised secrets such as passwords or private keys. |
| | .002 | SAML Tokens | Monitor for the use of access tokens to access services such as email that were created using SAML tokens that do not have corresponding 1202 events (i.e. "The Federation Service validated a new credential") in the domain.[3] |
| Enterprise | T1550 | Use Alternate Authentication Material | Monitor for attempts to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202) that use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. |
| | .001 | Application Access Token | Monitor the use of application access tokens to interact with resources or services that do not fit the organization's baseline. For example, an application that is not meant to read email accessing users' mailboxes and potentially exfiltrating sensitive data, or a token associated with a cloud service account being used to make API calls from an IP address outside of the cloud environment.[5] In AWS environments, configure GuardDuty to alert when EC2 instance credentials are accessed from another AWS account or an external IP address.[6] |
| | .004 | Web Session Cookie | Monitor for anomalous access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations. |
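The correlation that both tables describe for T1606.002 (a SAML token that was created without 4769/1200 events, or used without a 1202 event) can be run as a join between the cloud identity provider's sign-in log and the on-premises AD FS and domain controller logs. The following is an added example, not code from the ATT&CK page or from any vendor. It assumes the three sources have already been normalized to dicts carrying a UTC timestamp, the event ID and the user principal name (the real 4769 and 1200/1202 records expose the user through their own fields, such as TargetUserName, and must be mapped first); all events and the five-minute window are constructed for the illustration.

```python
"""Correlate federated sign-ins with AD FS 1200/1202 and DC 4769 events.

Added example, not code from the ATT&CK page. Assumption: events have already
been normalized to dicts with 'ts' (UTC datetime), 'id' (event ID) and 'user'
(UPN); real 1200/1202 and 4769 records carry the user in their own fields
(e.g. 4769 TargetUserName) and must be mapped first. All events are constructed.
"""
from bisect import bisect_left
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # assumed: how long before the sign-in the on-prem events may occur


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed telemetry: AD FS log, DC Security log and cloud IdP sign-ins.
ADFS_EVENTS = [
    {"ts": _ts("2024-03-01T09:00:02"), "id": 1202, "user": "alice@corp.example"},  # credential validated
    {"ts": _ts("2024-03-01T09:00:03"), "id": 1200, "user": "alice@corp.example"},  # token issued
]
DC_EVENTS = [
    {"ts": _ts("2024-03-01T09:00:01"), "id": 4769, "user": "alice@corp.example"},  # TGS for the AD FS service
]
CLOUD_SIGNINS = [
    {"ts": _ts("2024-03-01T09:00:05"), "user": "alice@corp.example", "assertion_id": "_a1"},
    # A sign-in with a SAML assertion that nothing on-prem ever saw:
    {"ts": _ts("2024-03-01T21:17:40"), "user": "svc-backup@corp.example", "assertion_id": "_f9"},
]


def index_events(events, event_id):
    """Map user -> sorted timestamps of the given event ID."""
    idx = defaultdict(list)
    for e in events:
        if e["id"] == event_id:
            idx[e["user"]].append(e["ts"])
    for times in idx.values():
        times.sort()
    return idx


def has_event_before(idx, user, ts, window=WINDOW):
    """True if `user` has an indexed event in the interval [ts - window, ts]."""
    times = idx.get(user, [])
    i = bisect_left(times, ts - window)
    return i < len(times) and times[i] <= ts


def find_forged_saml(signins, adfs_events, dc_events, window=WINDOW):
    """Return sign-ins whose SAML token lacks the on-prem events a real issuance leaves.

    Missing 4769 or 1200 means the federation service never created the token
    (creation side); missing 1202 means no credential was validated for it
    (usage side). Each finding lists which of the three are absent.
    """
    indexes = ((4769, index_events(dc_events, 4769)),
               (1200, index_events(adfs_events, 1200)),
               (1202, index_events(adfs_events, 1202)))
    findings = []
    for s in signins:
        missing = [eid for eid, idx in indexes
                   if not has_event_before(idx, s["user"], s["ts"], window)]
        if missing:
            findings.append({"user": s["user"], "assertion_id": s["assertion_id"], "missing": missing})
    return findings


if __name__ == "__main__":
    for f in find_forged_saml(CLOUD_SIGNINS, ADFS_EVENTS, DC_EVENTS):
        print(f"{f['user']}: assertion {f['assertion_id']} has no on-prem events {f['missing']}")
```

The window matters: AD FS issues the token seconds after validating the credential, so a short window keeps a stale morning sign-in from "explaining" a token used hours later. Clock skew between the AD FS farm, the domain controllers and the cloud log must be corrected before the join, or every legitimate sign-in near a window edge will be flagged.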
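The T1550.001 and T1550.004 rows both describe baseline comparisons rather than event joins: an application token touching resources it has no business with or calling from outside the cloud environment, and one session cookie appearing from places no single user could be in. The block below is an added example, not code from the ATT&CK page or from any cloud provider. The cloud address ranges, the per-application resource baseline, the IP-to-coordinate table and every event are constructed for illustration; in practice those come from the provider's published ranges, an app-registration inventory and a GeoIP database, and the EC2 instance-credential case the table mentions is already covered by GuardDuty's managed findings.

```python
"""Baseline checks for application access token and web session cookie use.

Added example, not code from the ATT&CK page. The cloud address ranges, the
application baseline, the IP-to-location table and all events are constructed
for illustration; a real deployment would load these from the CSP's published
ranges, an app-registration inventory and a GeoIP database.
"""
import ipaddress
import math
from datetime import datetime, timezone

# Assumed egress ranges of the cloud environment (constructed).
CLOUD_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "203.0.113.0/24")]
# Assumed baseline: app identifier -> API resources it is expected to call.
APP_BASELINE = {
    "crm-sync": {"/contacts", "/accounts"},
    "ci-runner": {"/repos"},
}
# Constructed GeoIP lookup: source IP -> (latitude, longitude).
IP_GEO = {
    "10.0.4.2": (47.6, -122.3),       # Seattle
    "203.0.113.10": (47.6, -122.3),   # Seattle
    "198.51.100.7": (52.5, 13.4),     # Berlin
}


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def check_app_token(event):
    """T1550.001: reasons an application-token call falls outside the baseline."""
    reasons = []
    allowed = APP_BASELINE.get(event["app"], set())
    if event["resource"] not in allowed:
        reasons.append("resource outside app baseline")
    src = ipaddress.ip_address(event["src_ip"])
    if not any(src in net for net in CLOUD_CIDRS):
        reasons.append("source IP outside cloud environment")
    return reasons


def check_session_cookies(events, max_speed_kmh=900.0, min_km=100.0):
    """T1550.004: the same session cookie used from two places faster than a person can travel."""
    last_seen = {}
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["cookie_hash"])
        if key in last_seen:
            prev = last_seen[key]
            km = haversine_km(IP_GEO[prev["src_ip"]], IP_GEO[e["src_ip"]])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            # min_km ignores NAT/VPN flapping within one metro; the speed test catches real travel anomalies.
            if km >= min_km and km / max(hours, 1e-6) > max_speed_kmh:
                findings.append({"user": e["user"], "cookie_hash": e["cookie_hash"],
                                 "km": round(km), "from": prev["src_ip"], "to": e["src_ip"]})
        last_seen[key] = e
    return findings


# Constructed events.
APP_TOKEN_EVENTS = [
    {"app": "crm-sync", "resource": "/contacts", "src_ip": "10.0.4.2"},           # in baseline, inside cloud
    {"app": "ci-runner", "resource": "/mail/messages", "src_ip": "198.51.100.7"},  # reads mail, from outside
]
SESSION_EVENTS = [
    {"ts": _ts("2024-03-01T10:00:00"), "user": "bob@corp.example", "cookie_hash": "c1", "src_ip": "203.0.113.10"},
    {"ts": _ts("2024-03-01T10:12:00"), "user": "bob@corp.example", "cookie_hash": "c1", "src_ip": "198.51.100.7"},
    {"ts": _ts("2024-03-01T10:30:00"), "user": "carol@corp.example", "cookie_hash": "c2", "src_ip": "10.0.4.2"},
    {"ts": _ts("2024-03-01T11:00:00"), "user": "carol@corp.example", "cookie_hash": "c2", "src_ip": "203.0.113.10"},
]

if __name__ == "__main__":
    for e in APP_TOKEN_EVENTS:
        print(e["app"], check_app_token(e))
    for f in check_session_cookies(SESSION_EVENTS):
        print(f)
```

Keying the cookie check on a hash of the cookie value rather than on the user is what separates a stolen session from a user who simply signed in twice: a second legitimate login produces a new cookie, while a replayed cookie keeps the old one. The token check is deliberately allow-list based; an application absent from the baseline is flagged on every call, which is the behaviour wanted for a newly consented or attacker-registered app.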