An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions …</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize Private Keys to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from Steal Application Access Token and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
An adversary may gain administrative Entra ID privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to Use Alternate Authentication Material, which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement protects against SAML Tokens through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement protects against SAML Tokens through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement protects against SAML Tokens through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IA-13 | Identity Providers and Authorization Servers | mitigates | T1606.002 | SAML Tokens | |
| AC-02 | Account Management | mitigates | T1606.002 | SAML Tokens | |
| AC-03 | Access Enforcement | mitigates | T1606.002 | SAML Tokens | |
| AC-06 | Least Privilege | mitigates | T1606.002 | SAML Tokens |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Unknown | Unknown | related-to | T1606.002 | SAML Tokens |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| EID-IDPR-E5 | ID Protection | Technique Scores | T1606.002 | SAML Tokens |
Comments
This control supports detecting risky sign-ins and users that involve federated users and therefore can potentially alert on this activity. Not all alert types for this control support federated accounts therefore the detection coverage for this technique is partial.
References
|
| EID-IDPR-E5 | ID Protection | Technique Scores | T1606.002 | SAML Tokens |
Comments
Response Type: Eradication
Supports blocking and resetting the user's credentials based on the detection of a risky user/sign-in manually and also supports automation via its user and sign-in risk policies.
References
|
| EID-IDSS-E3 | Identity Secure Score | Technique Scores | T1606.002 | SAML Tokens |
Comments
This control's "Turn on sign-in risk policy" and "Turn on user risk policy" recommendations recommend enabling Azure AD Identity Protection which can detect the malicious usage of SAML Tokens. This is a recommendation and therefore the score is capped at Partial.
References
|
| DEF-IR-E5 | Incident Response | Technique Scores | T1606.002 | SAML Tokens |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.
Microsoft 365 Defender Incident Response responds to SAML Token attacks due to Incident Response monitoring for credential access alert policies which monitors for anomalous authentication activity.
License Requirements:
Microsoft Defender XDR
References
|
| DEF-APGV-E5 | App Governance | Technique Scores | T1606.002 | SAML Tokens |
Comments
App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization
App Governance Detects SAML Token attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.
License Requirements:
Microsoft Defender for Cloud Apps
References
|