Forge Web Credentials

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.

Adversaries may generate these credential materials in order to gain access to web resources. This differs from Steal Web Session Cookie, Steal Application Access Token, and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.

The generation of web credentials often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.[1] Adversaries may also forge tokens by taking advantage of features such as the AssumeRole and GetFederationToken APIs in AWS, which allow users to request temporary security credentials (i.e., Temporary Elevated Cloud Access), or the zmprov gdpak command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.[2][3]

Once forged, adversaries may use these web credentials to access resources (ex: Use Alternate Authentication Material), which may bypass multi-factor and other authentication protection mechanisms.[4][5][6]

ID: T1606
Sub-techniques:  T1606.001, T1606.002
Platforms: Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Contributors: Dylan Silva, AWS Security
Version: 1.4
Created: 17 December 2020
Last Modified: 15 October 2023

Mitigations

ID Mitigation Description
M1047 Audit

Administrators should perform an audit of all access lists and the permissions they have been granted to access web applications and services. This should be done extensively on all resources in order to establish a baseline, followed up on with periodic audits of new or updated resources. Suspicious accounts/credentials should be investigated and removed.

Enable advanced auditing on ADFS. Check the success and failure audit options in the ADFS Management snap-in. Enable Audit Application Generated events on the AD FS farm via Group Policy Object.[7]

M1026 Privileged Account Management

Restrict permissions and access to the AD FS server to only originate from privileged access workstations.[7]

M1054 Software Configuration

Configure browsers/applications to regularly delete persistent web credentials (such as cookies).

M1018 User Account Management

Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, Just in Time/Just Enough Administration (JIT/JEA), and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles.[6] In AWS environments, prohibit users from calling the sts:GetFederationToken API unless explicitly required.[8]

Detection

ID Data Source Data Component Detects
DS0028 Logon Session Logon Session Creation

Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts and/or using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.[9]. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations. These logins may occur on any on-premises resources as well as from any cloud environment that trusts the credentials.[6]

DS0006 Web Credential Web Credential Creation

Monitor for creation of access tokens using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.[9] Additionally, detect on unusual API calls to generate access tokens, such as sts:GetFederationToken in AWS.[8]

Web Credential Usage

Monitor for the use of Access Tokens to access services such as Email that were created using SAML tokens which do not have corresponding 1202 events in the domain.[9]

References