Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.
Adversaries may generate these credential materials in order to gain access to web resources. This differs from Steal Web Session Cookie, Steal Application Access Token, and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator)
Once forged, adversaries may use these web credentials to access resources (ex: Use Alternate Authentication Material), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-2 | Account Management | Protects | T1606 | Forge Web Credentials |
AC-3 | Access Enforcement | Protects | T1606 | Forge Web Credentials |
AC-5 | Separation of Duties | Protects | T1606 | Forge Web Credentials |
AC-6 | Least Privilege | Protects | T1606 | Forge Web Credentials |
SC-17 | Public Key Infrastructure Certificates | Protects | T1606 | Forge Web Credentials |
SI-2 | Flaw Remediation | Protects | T1606 | Forge Web Credentials |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1606.002 | SAML Tokens | 3 |
T1606.001 | Web Cookies | 4 |