An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions …</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize Private Keys to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from Steal Application Access Token and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to Use Alternate Authentication Material, which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement protects against SAML Tokens through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement protects against SAML Tokens through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement protects against SAML Tokens through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IA-13 | Identity Providers and Authorization Servers | mitigates | T1606.002 | SAML Tokens | |
| AC-02 | Account Management | mitigates | T1606.002 | SAML Tokens | |
| AC-03 | Access Enforcement | mitigates | T1606.002 | SAML Tokens | |
| AC-06 | Least Privilege | mitigates | T1606.002 | SAML Tokens |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Unknown | Unknown | related-to | T1606.002 | SAML Tokens |