Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.
Adversaries may generate these credential materials in order to gain access to web resources. This differs from Steal Web Session Cookie, Steal Application Access Token, and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
The generation of web credentials often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the AssumeRole and GetFederationToken APIs in AWS, which allow users to request temporary security credentials (i.e., Temporary Elevated Cloud Access), or the zmprov gdpak command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth)
Once forged, adversaries may use these web credentials to access resources (ex: Use Alternate Authentication Material), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-02 | Account Management | Protects | T1606 | Forge Web Credentials | |
| AC-03 | Access Enforcement | Protects | T1606 | Forge Web Credentials | |
| AC-05 | Separation of Duties | Protects | T1606 | Forge Web Credentials | |
| AC-06 | Least Privilege | Protects | T1606 | Forge Web Credentials | |
| SC-17 | Public Key Infrastructure Certificates | Protects | T1606 | Forge Web Credentials | |
| SI-02 | Flaw Remediation | Protects | T1606 | Forge Web Credentials | |
| PUR-AS-E5 | Audit Solutions | Technique Scores | T1606 | Forge Web Credentials |
Comments
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.
Microsoft's Audit Solutions protects from Forge Web Credential attacks due to Audit Solutions providing the visibility to allow administrators to perform an audit of all access lists and the permissions they have been granted to access web applications and services.
License Requirements:
Microsoft 365 E3 and E5
References
|
| DEF-SecScore-E3 | Secure Score | Technique Scores | T1606 | Forge Web Credentials |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
References
|
| DEF-SECA-E3 | Security Alerts | Technique Scores | T1606 | Forge Web Credentials |
Comments
Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.
Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:
Reconnaissance and discovery alerts
Persistence and privilege escalation alerts
Credential access alerts
Lateral movement alerts
Other alerts
License: A Microsoft 365 security product license entitles customer use
of Microsoft Defender XDR.
References
|
| DEF-IR-E5 | Incident Response | Technique Scores | T1606 | Forge Web Credentials |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.
Microsoft 365 Defender Incident Response responds to Forge Web Credentials attacks due to Incident Response monitoring for credential access alert policies which monitors for anomalous authentication activity.
License Requirements:
Microsoft Defender XDR
References
|
| DO365-AG-E5 | App Governance | Technique Scores | T1606 | Forge Web Credentials |
Comments
App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization
App Governance Detects Forge Web Credentials attacks due to App Governance tracking various app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk.
License Requirements:
Microsoft Defender for Cloud Apps
References
|
| DO365-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1606 | Forge Web Credentials |
Comments
Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.
Advanced Threat Hunting Detects Forge Web Credential attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors for anomalous authentication activity.
License Requirements:
Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1606.002 | SAML Tokens | 5 |
| T1606.001 | Web Cookies | 4 |