T1606 Forge Web Credentials Mappings

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.

Adversaries may generate these credential materials in order to gain access to web resources. This differs from Steal Web Session Cookie, Steal Application Access Token, and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.

The generation of web credentials often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the AssumeRole and GetFederationToken APIs in AWS, which allow users to request temporary security credentials (i.e., Temporary Elevated Cloud Access), or the zmprov gdpak command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth)

Once forged, adversaries may use these web credentials to access resources (ex: Use Alternate Authentication Material), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-02 Account Management Protects T1606 Forge Web Credentials
AC-03 Access Enforcement Protects T1606 Forge Web Credentials
AC-05 Separation of Duties Protects T1606 Forge Web Credentials
AC-06 Least Privilege Protects T1606 Forge Web Credentials
SC-17 Public Key Infrastructure Certificates Protects T1606 Forge Web Credentials
SI-02 Flaw Remediation Protects T1606 Forge Web Credentials
PUR-AS-E5 Audit Solutions Technique Scores T1606 Forge Web Credentials
DEF-SecScore-E3 Secure Score Technique Scores T1606 Forge Web Credentials
DEF-SECA-E3 Security Alerts Technique Scores T1606 Forge Web Credentials
DEF-IR-E5 Incident Response Technique Scores T1606 Forge Web Credentials
DO365-AG-E5 App Governance Technique Scores T1606 Forge Web Credentials
DO365-ATH-E5 Advanced Threat Hunting Technique Scores T1606 Forge Web Credentials

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1606.002 SAML Tokens 5
T1606.001 Web Cookies 4