T1606 Forge Web Credentials
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.
Adversaries may generate these credential materials in order to gain access to web resources. This differs from Steal Web Session Cookie, Steal Application Access Token, and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.[3] Adversaries may also forge tokens by taking advantage of features such as the AssumeRole and GetFederationToken APIs in AWS, which allow users to request temporary security credentials.[1]
Once forged, adversaries may use these web credentials to access resources (ex: Use Alternate Authentication Material), which may bypass multi-factor and other authentication protection mechanisms.[5][2][4]
Item | Value |
---|---|
ID | T1606 |
Sub-techniques | T1606.001, T1606.002 |
Tactics | TA0006 |
Platforms | Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS |
Version | 1.3 |
Created | 17 December 2020 |
Last Modified | 04 May 2023 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Administrators should perform an audit of all access lists and the permissions they have been granted to access web applications and services. This should be done extensively on all resources in order to establish a baseline, followed up on with periodic audits of new or updated resources. Suspicious accounts/credentials should be investigated and removed. Enable advanced auditing on ADFS. Check the success and failure audit options in the ADFS Management snap-in. Enable Audit Application Generated events on the AD FS farm via Group Policy Object.[6] |
M1026 | Privileged Account Management | Restrict permissions and access to the AD FS server to only originate from privileged access workstations.[6] |
M1054 | Software Configuration | Configure browsers/applications to regularly delete persistent web credentials (such as cookies). |
M1018 | User Account Management | Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, Just in Time/Just Enough Administration (JIT/JEA), and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles.[4] In AWS environments, prohibit users from calling the sts:GetFederationToken API unless explicitly required.[7] |
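An added example (not from the ATT&CK page or from AWS) supporting M1047 and M1018: a simplified offline audit that reports which principals' identity policies allow `sts:GetFederationToken`, including through wildcards and `NotAction`. The principal names and policy documents are constructed; the check ignores `Resource`, permission boundaries and SCPs, and treats a conditional Deny as not blocking.

```python
import fnmatch

TARGET = "sts:GetFederationToken"  # API named in the M1018 mitigation

def _as_list(value):
    # IAM accepts either a single string or a list for Action / NotAction.
    return [value] if isinstance(value, str) else list(value or [])

def _covers(stmt, action):
    """True if the statement's Action/NotAction element applies to `action`."""
    def hit(patterns):
        # Action names are case-insensitive; * and ? act as wildcards.
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    if "Action" in stmt:
        return hit(_as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not hit(_as_list(stmt["NotAction"]))
    return False

def verdict(policy_docs, action=TARGET):
    """Classify one principal: 'explicit-deny', 'allowed' or 'not-granted'."""
    allowed = False
    for doc in policy_docs:
        stmts = doc.get("Statement", [])
        for stmt in [stmts] if isinstance(stmts, dict) else stmts:
            if not _covers(stmt, action):
                continue
            # Only an unconditional Deny is treated as a reliable block.
            if stmt.get("Effect") == "Deny" and "Condition" not in stmt:
                return "explicit-deny"
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "allowed" if allowed else "not-granted"

def audit(principals):
    return {name: verdict(docs) for name, docs in principals.items()}

# Constructed sample data: hypothetical principals and their attached policies.
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_FED = {"Statement": [{"Effect": "Deny", "Action": TARGET, "Resource": "*"}]}
SAMPLE = {
    "admin-user": [ALLOW_ALL],
    "ci-deployer": [{"Statement": {"Effect": "Allow", "Resource": "*",
                                   "Action": ["s3:PutObject", "STS:Get*"]}}],
    "analyst": [{"Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}],
    "hardened-admin": [ALLOW_ALL, DENY_FED],
    "s3-reader": [{"Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}],
}

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(f"{name:15} {result}")
```

Principals reported as `allowed` are the ones to review against the "unless explicitly required" condition; `hardened-admin` shows an explicit Deny overriding a broad Allow.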
Detection
ID | Data Source | Data Component |
---|---|---|
DS0028 | Logon Session | Logon Session Creation |
DS0006 | Web Credential | Web Credential Creation |
References
1. AWS. (n.d.). Requesting temporary security credentials. Retrieved April 1, 2022.
2. Chen, Y., Hu, W., Xu, Z., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.
3. Damian Hickey. (2017, January 28). AWS-ADFS-Credential-Generator. Retrieved December 16, 2020.
4. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.
5. Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.
6. Bierstock, D., Baker, A. (2019, March 21). I am AD FS and So Can You. Retrieved December 17, 2020.
7. Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. Retrieved March 10, 2023.
8. Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021.