DC0007 Web Credential Usage

| Item | Value |
| --- | --- |
| ID | DC0007 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
| --- | --- |
| AWS:CloudTrail | SessionToken used without preceding MFA or login event |
| AWS:CloudTrail | AssumeRoleWithSAML |
| AWS:CloudTrail | GetSessionToken, AssumeRoleWithWebIdentity |
| AWS:CloudTrail | AssumeRole, GetFederationToken, GetSessionToken |
| AWS:CloudTrail | GetCallerIdentity |
| azure:signinlogs | TokenIssued, RefreshTokenUsed |
| azure:signinlogs | TokenIssuanceStart, TokenIssuanceSuccess |
| kubernetes:apiserver | serviceAccount token used in API requests not tied to workload identity |
| m365:exchange | Mailbox access using SAML token without corresponding MFA event |
| m365:unified | SessionId reused from different device/browser fingerprint |
| m365:unified | Session activity without correlated login event |
| m365:unified | OAuthTokenIssued, FileAccessed, MailItemsAccessed |
| m365:unified | TokenIssued, FileAccessed |
| macos:unifiedlog | New session initiated using cookies without normal MFA or password validation |
| macos:unifiedlog | Web sessions initiated with newly forged tokens |
| NSM:Connections | Pre-authentication keys generated or token signing anomalies |
| saas:access | SAML token accepted without preceding login challenge |
| saas:auth | API requests made with tokens not associated with expected user logins |
| saas:googleworkspace | OAuthTokenGranted, APIRequest |
| saas:googleworkspace | access_token issued |

Detection Strategy

| ID | Name | Technique Detected |
| --- | --- | --- |
| DET0338 | Behavioral Detection Strategy for Use Alternate Authentication Material (T1550) | T1550 |
| DET0185 | Behavioral Detection Strategy for Use Alternate Authentication Material: Application Access Token (T1550.001) | T1550.001 |
| DET0074 | Detect Use of Stolen Web Session Cookies Across Platforms | T1550.004 |
| DET0148 | Detection Strategy for Forged SAML Tokens | T1606.002 |
| DET0171 | Detection Strategy for Forged Web Cookies | T1606.001 |
| DET0260 | Detection Strategy for Forged Web Credentials | T1606 |