Web Credential

Credential material, such as session cookies or tokens, used to authenticate to web applications and services.[1][2]

ID: DS0006
Platforms: Azure AD, Google Workspace, Linux, Office 365, SaaS, Windows, macOS
Collection Layers: Cloud Control Plane, Host
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Web Credential: Web Credential Creation

Initial construction of new web credential material (ex: Windows EID 1200 or 4769)

Domain ID Name Detects
Enterprise T1606 Forge Web Credentials

Monitor for creation of access tokens using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.[3] Additionally, detect unusual API calls that generate access tokens, such as sts:GetFederationToken in AWS.[4]

.002 SAML Tokens

Monitor for creation of access tokens using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.[3]

Web Credential: Web Credential Usage

An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202)

Domain ID Name Detects
Enterprise T1606 Forge Web Credentials

Monitor for the use of access tokens to access services such as email that were created using SAML tokens which do not have corresponding 1202 events in the domain.[3]

.001 Web Cookies

Monitor for the usage of unexpected or unusual cookies to access resources and services. Forged web cookies may be associated with unknown accounts and could be the result of compromised secrets such as passwords or private keys.

.002 SAML Tokens

Monitor for the use of access tokens to access services such as email that were created using SAML tokens which do not have corresponding 1202 events (i.e. "The Federation Service validated a new credential") in the domain.[3]

Enterprise T1550 Use Alternate Authentication Material

Monitor for an attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202) that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

.001 Application Access Token

Monitor the use of application access tokens to interact with resources or services that do not fit the organization's baseline. For example, an application that is not meant to read emails accessing users’ mailboxes and potentially exfiltrating sensitive data, or a token associated with a cloud service account being used to make API calls from an IP address outside of the cloud environment.[5]

.004 Web Session Cookie

Monitor for anomalous access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.
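
The SAML token checks described above for T1606.002 (federated sign-ins with no corresponding 1200, 1202 or 4769 events in the domain) can be expressed as a log correlation. The following is an added example, not part of the original page: the record field names, the sample events and the five-minute correlation window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Event IDs named on this page: AD FS 1200 and 1202, domain controller 4769.
REQUIRED_EIDS = {1200, 1202, 4769}
WINDOW = timedelta(minutes=5)  # assumed correlation window; tune per environment

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample data. Field names are hypothetical normalized records.
DOMAIN_EVENTS = [
    {"time": ts("2022-03-30T09:00:01"), "eid": 4769, "user": "alice@example.com"},
    {"time": ts("2022-03-30T09:00:02"), "eid": 1202, "user": "alice@example.com"},
    {"time": ts("2022-03-30T09:00:03"), "eid": 1200, "user": "alice@example.com"},
    {"time": ts("2022-03-30T08:00:00"), "eid": 1200, "user": "bob@example.com"},  # stale
]
SP_SIGNINS = [  # federated (SAML) sign-ins as logged by the service provider
    {"time": ts("2022-03-30T09:00:05"), "user": "alice@example.com", "service": "email"},
    {"time": ts("2022-03-30T09:30:00"), "user": "bob@example.com", "service": "email"},
    {"time": ts("2022-03-30T09:45:00"), "user": "carol@example.com", "service": "email"},
]

def index_domain_events(events):
    """Group event timestamps by (user, eid) for lookup."""
    idx = {}
    for e in events:
        idx.setdefault((e["user"].lower(), e["eid"]), []).append(e["time"])
    return idx

def missing_eids(signin, idx, window=WINDOW):
    """Return the event IDs with no match in the window before the sign-in."""
    user, t = signin["user"].lower(), signin["time"]
    return sorted(
        eid for eid in REQUIRED_EIDS
        if not any(t - window <= et <= t for et in idx.get((user, eid), []))
    )

def find_uncorrelated_signins(signins, domain_events):
    """Return federated sign-ins that lack a corresponding domain event."""
    idx = index_domain_events(domain_events)
    findings = []
    for s in signins:
        gaps = missing_eids(s, idx)
        if gaps:
            findings.append({"user": s["user"], "time": s["time"], "missing": gaps})
    return findings

if __name__ == "__main__":
    for f in find_uncorrelated_signins(SP_SIGNINS, DOMAIN_EVENTS):
        print(f["time"].isoformat(), f["user"], "missing EIDs:", f["missing"])
```

A finding is a lead for investigation rather than proof of forgery: gaps in log collection from the federation server or domain controllers produce the same result.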

References