DS0006 Web Credential
Credential material, such as session cookies or tokens, used to authenticate to web applications and services.[1][2]
Item | Value |
---|---|
ID | DS0006 |
Platforms | Azure AD, Google Workspace, Linux, Office 365, SaaS, Windows, macOS |
Collection Layers | Cloud Control Plane, Host |
Version | 1.0 |
Created | 20 October 2021 |
Last Modified | 30 March 2022 |
Data Components
Web Credential Creation
Initial construction of new web credential material (e.g., Windows Event ID 1200 or 4769)
Domain | ID | Name |
---|---|---|
enterprise | T1606 | Forge Web Credentials |
enterprise | T1606.002 | SAML Tokens |
Web Credential Usage
An attempt by a user to gain access to a network or computing resource by providing web credentials (e.g., Windows Event ID 1202)
Domain | ID | Name |
---|---|---|
enterprise | T1606 | Forge Web Credentials |
enterprise | T1606.001 | Web Cookies |
enterprise | T1606.002 | SAML Tokens |
enterprise | T1550 | Use Alternate Authentication Material |
enterprise | T1550.001 | Application Access Token |
enterprise | T1550.004 | Web Session Cookie |
References
1. Hsu, S. (2018, June 30). Session vs Token Based Authentication. Retrieved September 29, 2021.
2. Auth0. (n.d.). Access Tokens. Retrieved September 29, 2021.
3. Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021.
4. Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.
5. Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. Retrieved March 10, 2023.