Home
ATT&CK Techniques
T1606 Forge Web Credentials

T1606 Forge Web Credentials

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.

Adversaries may generate these credential materials in order to gain access to web resources. This differs from Steal Web Session Cookie, Steal Application Access Token, and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.

The generation of web credentials often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the AssumeRole and GetFederationToken APIs in AWS, which allow users to request temporary security credentials (i.e., Temporary Elevated Cloud Access), or the zmprov gdpak command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth)

Once forged, adversaries may use these web credentials to access resources (ex: Use Alternate Authentication Material), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
PR.IR-01.05	Remote access protection	Mitigates	T1606	Forge Web Credentials	Comments This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. References
PR.PS-01.01	Configuration baselines	Mitigates	T1606	Forge Web Credentials	Comments This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation. References
PR.PS-01.02	Least functionality	Mitigates	T1606	Forge Web Credentials	Comments This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. References
PR.AA-05.02	Privileged system access	Mitigates	T1606	Forge Web Credentials	Comments This diagnostic statement protects against Forge Web Credentials through the use of privileged account management and the use of multi-factor authentication. References
DE.CM-06.02	Third-party access monitoring	Mitigates	T1606	Forge Web Credentials	Comments This diagnostic statement protects against Forge Web Credentials through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems. References
PR.PS-01.03	Configuration deviation	Mitigates	T1606	Forge Web Credentials	Comments This diagnostic statement provides protection from Forge Web Credentials through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations. References
DE.CM-03.03	Privileged account monitoring	Mitigates	T1606	Forge Web Credentials	Comments This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse. References
PR.IR-01.06	Production environment segregation	Mitigates	T1606	Forge Web Credentials	Comments This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. References
PR.AA-01.01	Identity and credential management	Mitigates	T1606	Forge Web Credentials	Comments This diagnostic statement protects against Forge Web Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. References

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
IA-13	Identity Providers and Authorization Servers	mitigates	T1606	Forge Web Credentials
SC-17	Public Key Infrastructure Certificates	mitigates	T1606	Forge Web Credentials
SI-02	Flaw Remediation	mitigates	T1606	Forge Web Credentials
AC-02	Account Management	mitigates	T1606	Forge Web Credentials
AC-03	Access Enforcement	mitigates	T1606	Forge Web Credentials
AC-05	Separation of Duties	mitigates	T1606	Forge Web Credentials
AC-06	Least Privilege	mitigates	T1606	Forge Web Credentials

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
action.hacking.variety.Session prediction	Credential or session prediction. Child of 'Exploit vuln'.	related-to	T1606	Forge Web Credentials
action.hacking.variety.Unknown	Unknown	related-to	T1606	Forge Web Credentials

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1606.002	SAML Tokens	11
T1606.001	Web Cookies	10