Skip to content

DET0148 Detection Strategy for Forged SAML Tokens

Item Value
ID DET0148
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1606.002 (SAML Tokens)

Analytics

Identity Provider

AN0418

Forged SAML tokens can be observed as authentication attempts with valid signatures but missing expected preceding Kerberos or authentication events. Defenders may correlate SAML assertions with absent Event IDs 4769, 1200, or 1202, or tokens issued with abnormal lifetimes, issuers, or claims compared to baseline.

Log Sources
Data Component Name Channel
Logon Session Metadata (DC0088) azure:signinlogs SAML-based login with anomalous issuer or NotOnOrAfter lifetime
User Account Authentication (DC0002) WinEventLog:Security EventCode=4769, 1200, 1202
Mutable Elements
Field Description
TokenLifetimeThreshold Defines the maximum expected lifetime of a SAML token (e.g., >1 hour considered anomalous).
TrustedIssuerList List of approved SAML issuers and certificate thumbprints.

IaaS

AN0419

Forged SAML tokens in IaaS environments often manifest as cross-cloud or cross-account authentication without matching STS events. Defenders may see AssumeRole or GetFederationToken API usage without a corresponding SAML assertion log from the trusted IdP.

Log Sources
Data Component Name Channel
Web Credential Usage (DC0007) AWS:CloudTrail AssumeRoleWithSAML
Logon Session Creation (DC0067) CloudTrail:Signin SAML login without corresponding IdP authentication log
Mutable Elements
Field Description
CrossAccountUsage Flag SAML tokens used across unexpected accounts or cloud tenants.

Windows

AN0420

Forged SAML tokens may be used on Windows systems to authenticate to federated apps without normal Kerberos activity. Defenders may detect anomalous event correlation, where access to SaaS/O365 via SAML occurs without prior TGT requests or user logons.

Log Sources
Data Component Name Channel
Logon Session Creation (DC0067) WinEventLog:Security EventCode=4624, 4648
Web Credential Creation (DC0006) WinEventLog:ADFS Token issuance events showing anomalous claims or issuers
Mutable Elements
Field Description
ClaimAnomalyThreshold Number of unusual claims in a SAML token (e.g., excessive privileges).

SaaS

AN0421

Forged SAML tokens can appear as SaaS logins where authentication succeeded without MFA, or where tokens contain claims inconsistent with the user profile. Look for concurrent sessions across different geographies with the same SAML assertion ID.

Log Sources
Data Component Name Channel
Web Credential Usage (DC0007) saas:access SAML token accepted without preceding login challenge
Logon Session Metadata (DC0088) m365:unified Abnormal user claims or unexpected elevated role assignment in SAML assertion
Mutable Elements
Field Description
GeoVelocityThreshold Triggers when same SAML token used in different geographies within short timeframe.

Office Suite

AN0422

Forged SAML tokens may be leveraged to access O365 apps such as Outlook or SharePoint. Defenders should monitor for token replay across multiple clients or access attempts to privileged mailboxes without prior interactive login.

Log Sources
Data Component Name Channel
Web Credential Usage (DC0007) m365:exchange Mailbox access using SAML token without corresponding MFA event
Logon Session Creation (DC0067) m365:sharepoint File access with forged or anomalous SAML claims
Mutable Elements
Field Description
ReplayDetectionThreshold Number of times a token is reused within short timeframe.