DC0006 Web Credential Creation
| Item | Value |
|---|---|
| ID | DC0006 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |
Log Sources
| Name | Channel |
|---|---|
| AWS:CloudTrail | AssumeRole, GetFederationToken API calls by unusual or new entities |
| azure:signinlogs | SAML/OIDC tokens issued without corresponding MFA or password validation |
| m365:oauth | OAuth grants or tokens issued without expected user consent |
| m365:unified | Session creation without MFA or login event |
| WinEventLog:ADFS | Token issuance events showing anomalous claims or issuers |
Detection Strategy
| ID | Name | Technique Detected |
|---|---|---|
| DET0148 | Detection Strategy for Forged SAML Tokens | T1606.002 |
| DET0260 | Detection Strategy for Forged Web Credentials | T1606 |