Defenders may detect adversaries forging web credentials in IaaS environments by monitoring for anomalous API activity such as AssumeRole or GetFederationToken being executed by unusual principals. These events often correlate with sudden logon sessions from unfamiliar IP addresses or regions. The typical chain is misuse of secret material (a stolen private key or password) → an API request that mints a new token → access to high-value resources.

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Creation (DC0006) | AWS:CloudTrail | AssumeRole, GetFederationToken API calls by unusual or new entities |
| Logon Session Creation (DC0067) | AWS:CloudTrail | Temporary security credentials used to authenticate into the management console or APIs |

| Field | Description |
|---|---|
| AuthorizedRoleMappings | Define expected users and roles allowed to use AssumeRole or federation APIs. |
| GeoVelocityThreshold | Alert if the same user authenticates from geographically disparate locations within a short time. |
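
As an added example that is not part of the original page, the following Python implements the two IaaS tunables above over constructed CloudTrail-style records: it flags AssumeRole/GetFederationToken calls by principals outside an AuthorizedRoleMappings table and applies a GeoVelocityThreshold to successive calls by the same principal. The account id, ARNs, IP addresses and the `geo` (lat, lon) field are constructed; the `geo` enrichment is assumed to happen upstream of this analytic.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# AuthorizedRoleMappings: principals expected to call each token-minting API (constructed ARNs).
AUTHORIZED_ROLE_MAPPINGS = {
    "arn:aws:iam::111122223333:user/ci-deployer": {"AssumeRole"},
    "arn:aws:iam::111122223333:user/alice": {"AssumeRole", "GetFederationToken"},
}
GEO_VELOCITY_THRESHOLD_KMH = 900.0   # GeoVelocityThreshold: faster than this is impossible travel
WATCHED_EVENTS = {"AssumeRole", "GetFederationToken"}

# Constructed CloudTrail-style records (a subset of the real schema). The "geo" (lat, lon)
# field is assumed to be added by IP enrichment before the events reach this analytic.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "geo": (48.85, 2.35)},
    {"eventTime": "2024-05-01T09:20:00Z", "eventName": "GetFederationToken",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7", "geo": (40.71, -74.01)},
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "GetFederationToken",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer"},
     "sourceIPAddress": "192.0.2.5", "geo": (48.85, 2.35)},
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect_forged_web_credentials(events):
    """Return alert strings: token-minting calls by unmapped principals, and impossible travel."""
    alerts, last_seen = [], {}          # last_seen: arn -> (time, geo) of the previous watched call
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventName"] not in WATCHED_EVENTS:
            continue
        arn = ev["userIdentity"]["arn"]
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if ev["eventName"] not in AUTHORIZED_ROLE_MAPPINGS.get(arn, set()):
            alerts.append(f"unauthorized {ev['eventName']} by {arn} from {ev['sourceIPAddress']}")
        if arn in last_seen:
            prev_ts, prev_geo = last_seen[arn]
            hours = (ts - prev_ts).total_seconds() / 3600
            dist = haversine_km(prev_geo, ev["geo"])
            # Non-zero distance in zero elapsed time is treated as a violation too.
            if dist > 0 and (hours <= 0 or dist / hours > GEO_VELOCITY_THRESHOLD_KMH):
                alerts.append(f"geo-velocity violation for {arn}: {ev['sourceIPAddress']} at {ev['eventTime']}")
        last_seen[arn] = (ts, ev["geo"])
    return alerts
```
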
Forged web credentials may manifest as anomalous SAML token issuance, OpenID Connect token minting, or Zimbra pre-auth key usage. Defenders may see tokens issued without normal authentication events, multiple valid tokens generated simultaneously, or signing anomalies in IdP logs.

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Creation (DC0006) | azure:signinLogs | SAML/OIDC tokens issued without corresponding MFA or password validation |
| Web Credential Usage (DC0007) | NSM:Connections | Pre-authentication keys generated or token signing anomalies |

| Field | Description |
|---|---|
| TokenLifetimeThreshold | Limit the maximum time temporary tokens are valid. |
| ExpectedAuthFlows | Define normal authentication flows (e.g., password+MFA) to baseline token issuance. |
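
An added example (not from the original page) of the IdP analytic in Python: constructed sign-in-log style records are checked against ExpectedAuthFlows (password+MFA must have been validated shortly before a token is issued) and TokenLifetimeThreshold. The record layout, user names and token ids are constructed; the real Azure sign-in log schema differs.

```python
from datetime import datetime, timedelta

# Policy values are constructed for the example; tune them per IdP.
EXPECTED_AUTH_FLOWS = {"password", "mfa"}         # ExpectedAuthFlows
TOKEN_LIFETIME_THRESHOLD = timedelta(hours=1)    # TokenLifetimeThreshold
AUTH_LOOKBACK = timedelta(minutes=5)             # factors must be validated this close to issuance

# Constructed IdP records (simplified sign-in-log style); not real tenant data.
IDP_RECORDS = [
    {"ts": "2024-05-01T08:00:00Z", "type": "auth", "user": "alice", "method": "password"},
    {"ts": "2024-05-01T08:00:05Z", "type": "auth", "user": "alice", "method": "mfa"},
    {"ts": "2024-05-01T08:00:10Z", "type": "token", "user": "alice", "token_id": "t1",
     "expires": "2024-05-01T09:00:10Z", "protocol": "SAML"},
    {"ts": "2024-05-01T08:30:00Z", "type": "auth", "user": "bob", "method": "password"},
    {"ts": "2024-05-01T08:30:02Z", "type": "token", "user": "bob", "token_id": "t2",
     "expires": "2024-05-01T09:30:02Z", "protocol": "OIDC"},      # password only, no MFA
    {"ts": "2024-05-01T11:00:00Z", "type": "token", "user": "alice", "token_id": "t3",
     "expires": "2024-05-02T11:00:00Z", "protocol": "SAML"},      # no auth at all, 24h lifetime
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def audit_token_issuance(records):
    """Return {token_id: [reasons]} for tokens minted outside the expected auth flow."""
    findings = {}
    auth_history = {}  # user -> list of (datetime, method) validated so far
    for rec in sorted(records, key=lambda r: r["ts"]):
        ts = _parse(rec["ts"])
        if rec["type"] == "auth":
            auth_history.setdefault(rec["user"], []).append((ts, rec["method"]))
            continue
        reasons = []
        # Which expected factors were validated inside the look-back window before issuance?
        seen = {m for t, m in auth_history.get(rec["user"], []) if ts - AUTH_LOOKBACK <= t <= ts}
        missing = EXPECTED_AUTH_FLOWS - seen
        if missing:
            reasons.append("issued without " + "+".join(sorted(missing)))
        lifetime = _parse(rec["expires"]) - ts
        if lifetime > TOKEN_LIFETIME_THRESHOLD:
            reasons.append(f"lifetime {lifetime} exceeds threshold")
        if reasons:
            findings[rec["token_id"]] = reasons
    return findings
```
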
Forged web credentials on Windows endpoints may be detected through anomalous browser cookie files, manipulation of the local token cache, or tools injecting tokens into sessions. Defenders may observe processes accessing LSASS or browser credential stores unexpectedly, followed by unusual logon sessions.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 |

| Field | Description |
|---|---|
| ProcessWhitelist | Define expected processes that access LSASS or browser credential files. |
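
An added Python example, not part of the original page, that correlates the two Windows channels above: a Sysmon EventCode 10 handle opened to lsass.exe with PROCESS_VM_READ by an image outside the ProcessWhitelist, followed within ten minutes by a Security EventCode 4624 logon on the same host. Events are constructed in a flattened form (a `UtcTime` field on both event types); image paths, user names and the allowlist are constructed.

```python
from datetime import datetime, timedelta

# ProcessWhitelist: images expected to open handles to lsass.exe (constructed for the example).
PROCESS_WHITELIST = {r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\wininit.exe",
                     r"C:\Program Files\Windows Defender\MsMpEng.exe"}
PROCESS_VM_READ = 0x0010          # access right needed to read LSASS memory
LOGON_WINDOW = timedelta(minutes=10)

# Constructed events, flattened (Sysmon EventCode 10 and Security EventCode 4624 on one host).
EVENTS = [
    {"Channel": "Sysmon", "EventCode": 10, "UtcTime": "2024-05-01 12:00:00", "Computer": "WS01",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Channel": "Sysmon", "EventCode": 10, "UtcTime": "2024-05-01 12:05:00", "Computer": "WS01",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Channel": "Security", "EventCode": 4624, "UtcTime": "2024-05-01 12:07:30", "Computer": "WS01",
     "TargetUserName": "svc_backup", "LogonType": 9, "IpAddress": "-"},   # LogonType 9 = NewCredentials
    {"Channel": "Security", "EventCode": 4624, "UtcTime": "2024-05-01 13:30:00", "Computer": "WS01",
     "TargetUserName": "alice", "LogonType": 2, "IpAddress": "-"},        # interactive, much later
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate_lsass_access_with_logons(events):
    """Return (source_image, [(user, logon_type), ...]) for non-allowlisted LSASS memory reads."""
    access = [e for e in events if e["EventCode"] == 10
              and e["TargetImage"].lower().endswith(r"\lsass.exe")
              and int(e["GrantedAccess"], 16) & PROCESS_VM_READ
              and e["SourceImage"] not in PROCESS_WHITELIST]
    logons = [e for e in events if e["EventCode"] == 4624]
    findings = []
    for a in access:
        t0 = _ts(a["UtcTime"])
        follow = [l for l in logons if l["Computer"] == a["Computer"]
                  and t0 <= _ts(l["UtcTime"]) <= t0 + LOGON_WINDOW]
        findings.append((a["SourceImage"], [(l["TargetUserName"], l["LogonType"]) for l in follow]))
    return findings
```

A non-allowlisted image reading LSASS memory is worth triage on its own; a logon session created shortly afterwards raises its priority.
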
On Linux systems, forged credentials may be injected into browser session files, curl/wget headers, or token caches in memory. Detection can leverage auditd to track processes accessing sensitive files (~/.mozilla, ~/.config/chromium, ~/.aws/credentials) and correlate with suspicious outbound connections.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | Processes reading credential or token cache files |
| Network Traffic Content (DC0085) | WinEventLog:Sysmon | Outbound requests with forged tokens/cookies in headers |

| Field | Description |
|---|---|
| CredentialFilePaths | Define which credential and session files should trigger monitoring. |
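
An added example, not from the original page, showing how the auditd channel can be parsed in Python: raw auditd records for one syscall are grouped by their serial, PATH names are matched against CredentialFilePaths, and reads by a process outside an assumed set of expected readers are reported. The log lines, rule key, paths and reader list are constructed.

```python
import re
from collections import defaultdict

# CredentialFilePaths: path fragments whose reads should be monitored (constructed for the example).
CREDENTIAL_FILE_PATHS = (".aws/credentials", ".mozilla/", ".config/chromium/")
EXPECTED_READERS = {"/usr/bin/aws", "/usr/lib/firefox/firefox", "/usr/lib/chromium/chromium"}  # assumed

# Constructed raw auditd lines, as produced by a watch rule such as
#   -w /home/alice/.aws/credentials -p r -k cred_files
# Records belonging to one syscall share the audit(timestamp:serial) id.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1714557600.101:501): arch=c000003e syscall=257 success=yes exit=3 ppid=1200 pid=1344 auid=1000 uid=1000 comm="aws" exe="/usr/bin/aws" key="cred_files"
type=CWD msg=audit(1714557600.101:501): cwd="/home/alice"
type=PATH msg=audit(1714557600.101:501): item=0 name="/home/alice/.aws/credentials" inode=7781 mode=0100600 nametype=NORMAL
type=SYSCALL msg=audit(1714557660.202:502): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=2901 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="cred_files"
type=PATH msg=audit(1714557660.202:502): item=0 name="/home/alice/.aws/credentials" inode=7781 mode=0100600 nametype=NORMAL
type=SYSCALL msg=audit(1714557720.303:503): arch=c000003e syscall=257 success=yes exit=5 ppid=1 pid=2950 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3" key="cred_files"
type=PATH msg=audit(1714557720.303:503): item=0 name="/home/alice/.config/chromium/Default/Cookies" inode=9912 mode=0100600 nametype=NORMAL
"""

_HDR = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_events(text):
    """Group raw auditd records by serial: {serial: {"SYSCALL": {...}, "PATH": [{...}, ...]}}."""
    events = defaultdict(lambda: {"PATH": []})
    for line in text.splitlines():
        m = _HDR.match(line)
        if not m:
            continue            # not an audit record (or a line this parser does not understand)
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in _KV.findall(body)}
        if rtype == "PATH":
            events[int(serial)]["PATH"].append(fields)
        else:
            events[int(serial)][rtype] = fields
    return dict(events)

def find_unexpected_credential_reads(text):
    """Return [(exe, path)] for credential-file reads by a process outside EXPECTED_READERS."""
    hits = []
    for _serial, ev in sorted(parse_audit_events(text).items()):
        exe = ev.get("SYSCALL", {}).get("exe", "")
        for p in ev["PATH"]:
            name = p.get("name", "")
            if any(frag in name for frag in CREDENTIAL_FILE_PATHS) and exe not in EXPECTED_READERS:
                hits.append((exe, name))
    return hits
```
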
Forged credentials on macOS may be visible through Unified Logs showing abnormal access to Keychain or browser session files. These events should be correlated with anomalous web session usage from Safari or Chrome processes outside the typical user context.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | macos:unifiedlog | Access to Keychain items or browser credential stores |
| Web Credential Usage (DC0007) | macos:unifiedlog | Web sessions initiated with newly forged tokens |

| Field | Description |
|---|---|
| AuthorizedKeychainApps | List applications that normally request Keychain credentials. |
SaaS platforms may show forged credentials as unusual API keys, tokens, or session cookies being used without corresponding authentication. Correlated patterns include simultaneous valid sessions from multiple geographies, unusual API calls with new tokens, or bypass of expected MFA enforcement.

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Creation (DC0006) | m365:unified | Session creation without MFA or login event |
| Web Credential Usage (DC0007) | saas:auth | API requests made with tokens not associated with expected user logins |

| Field | Description |
|---|---|
| GeoLocationAlerts | Trigger on logins from unusual or high-risk geographies. |
| TokenReplayThreshold | Detect multiple simultaneous uses of the same forged credential. |
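
An added Python example, not part of the original page, for the two SaaS tunables above: TokenReplayThreshold is applied as the maximum number of distinct source countries a single token may be used from within a short window, and GeoLocationAlerts fires on a placeholder high-risk country code. The records, token ids, IP addresses and the `country` enrichment are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy values; tune per tenant.
TOKEN_REPLAY_THRESHOLD = 1            # max distinct source countries per token inside REPLAY_WINDOW
REPLAY_WINDOW = timedelta(minutes=15)
HIGH_RISK_GEOS = {"XX"}               # GeoLocationAlerts: placeholder country code, not a real list

# Constructed SaaS audit records (saas:auth style); the country field is assumed to come
# from IP enrichment upstream of this analytic.
SAAS_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "user": "alice", "token_id": "tok-A", "ip": "203.0.113.10", "country": "FR", "action": "login"},
    {"ts": "2024-05-01T10:03:00Z", "user": "alice", "token_id": "tok-A", "ip": "203.0.113.10", "country": "FR", "action": "api:ListFiles"},
    {"ts": "2024-05-01T10:05:00Z", "user": "alice", "token_id": "tok-A", "ip": "198.51.100.7", "country": "US", "action": "api:ExportReport"},
    {"ts": "2024-05-01T10:06:00Z", "user": "alice", "token_id": "tok-A", "ip": "192.0.2.9", "country": "XX", "action": "api:ListFiles"},
    {"ts": "2024-05-01T14:00:00Z", "user": "bob", "token_id": "tok-B", "ip": "203.0.113.50", "country": "FR", "action": "login"},
    {"ts": "2024-05-01T16:00:00Z", "user": "bob", "token_id": "tok-B", "ip": "198.51.100.8", "country": "US", "action": "api:ListFiles"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_token_replay(events):
    """Return {token_id: [countries]} for tokens used from too many countries inside one window."""
    by_token = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_token[e["token_id"]].append(e)
    flagged = {}
    for tok, evs in by_token.items():
        for i, cur in enumerate(evs):
            t_end = _ts(cur["ts"])
            # Sliding window ending at the current event; evs is already time-ordered.
            window = [e for e in evs[:i + 1] if _ts(e["ts"]) >= t_end - REPLAY_WINDOW]
            countries = {e["country"] for e in window}
            if len(countries) > TOKEN_REPLAY_THRESHOLD:
                flagged[tok] = sorted(countries)
    return flagged

def geo_location_alerts(events):
    """Return (user, country, action) for any activity sourced from a high-risk geography."""
    return [(e["user"], e["country"], e["action"]) for e in events if e["country"] in HIGH_RISK_GEOS]
```

Bob's two sessions two hours apart are left to a geo-velocity check; this analytic only catches concurrent use of one token.
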
Forged web credentials in Office Suite contexts may appear as abnormal authentication headers in Outlook or Teams traffic, or unexplained OAuth grants in M365/Azure logs. Defenders should correlate token usage events with missing authentication flows and mismatched device/user context.

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Creation (DC0006) | m365:oauth | OAuth grants or tokens issued without expected user consent |
| Logon Session Creation (DC0067) | m365:signin | Token usage events with device/user mismatch |

| Field | Description |
|---|---|
| OAuthAppAllowlist | Approved OAuth apps and flows; flag unapproved or unexpected token grants. |