T1606

Forge Web Credentials

This detection identifies adversaries forging web credentials including SAML tokens, JWT assertions, AWS temporary security credentials, and session cookies by leveraging obtained secrets such as AD FS signing certificates, private keys, or application secrets. Unlike credential theft, web credential forging generates net-new authentication material that can impersonate any user and bypass MFA. Detection monitors anomalous SAML and WS-Federation authentication patterns in Azure AD sign-in logs, suspicious AWS STS API activity (AssumeRole, GetFederationToken, AssumeRoleWithSAML) from unusual principals, PowerShell and scripting process activity consistent with known token-forging frameworks such as AADInternals and Shimit (Golden SAML), federation configuration changes followed by elevated token issuance rates, and access from non-compliant or unregistered devices authenticating via federated protocols.

Microsoft Sentinel / Defender
kusto
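// T1606 Forge Web Credentials: three independent detections unioned into one
// result set. Every branch emits TimeGenerated, RiskScore (0-100) and
// AlertReason so the final order-by is meaningful across branches; the other
// columns differ per branch and are empty where a branch does not produce them.
let lookback = 7d;
// Successful federated sign-ins per user per hour above which Detection 1
// fires. Tune against the tenant's baseline (see False Positives).
let saml_spike_threshold = 5;
// Detection 1: High-volume or multi-geography SAML/WS-Fed token issuance (possible forged token replay)
let SamlAnomalies = AADSignInLogs
| where TimeGenerated > ago(lookback)
// in~ is case-insensitive. The Microsoft Graph protocolType enum spells these
// values "wsFederation" and "ropc"; the original short forms are kept as well
// in case the tenant's export uses them. NOTE(review): confirm against a
// sample of rows from this table.
| where AuthenticationProtocol in~ ("saml20", "wsfed", "wsFederation", "ropc", "oauthpasswordgrant")
// ResultType is typed string in the SigninLogs-family tables; toint() keeps
// the comparison valid whether the column is string or long.
| where toint(ResultType) == 0
| extend GeoCountry = tostring(LocationDetails.countryOrRegion)
// Empty when the device is not registered, "true"/"false" otherwise.
| extend IsCompliant = tostring(DeviceDetail.isCompliant)
| extend IsManagedDevice = tostring(DeviceDetail.isManaged)
| summarize
    SignInCount = count(),
    UniqueIPs = dcount(IPAddress),
    // Rows without geo data would otherwise add "" as an extra "country".
    Countries = make_set_if(GeoCountry, isnotempty(GeoCountry)),
    Apps = make_set(AppDisplayName),
    IPList = make_set(IPAddress)
    by UserPrincipalName, AuthenticationProtocol, IsCompliant, IsManagedDevice, bin(TimeGenerated, 1h)
| where SignInCount > saml_spike_threshold or array_length(Countries) > 2 or UniqueIPs > 3
// First matching condition wins; ordered from strongest to weakest indicator.
| extend RiskScore = case(
    array_length(Countries) > 3, 90,
    UniqueIPs > 5, 80,
    SignInCount > 20, 75,
    // != "true" also covers the empty value (unregistered device), which the
    // detection description lists alongside non-compliant devices.
    array_length(Countries) > 1 and IsCompliant != "true", 70,
    SignInCount > saml_spike_threshold, 50,
    40)
| extend AlertReason = strcat(
    "Suspicious SAML/federation token activity: ",
    SignInCount, " sign-ins from ",
    array_length(Countries), " countries, ",
    UniqueIPs, " IPs")
| project TimeGenerated, UserPrincipalName, AuthenticationProtocol, SignInCount,
    UniqueIPs, Countries, IPList, Apps, IsCompliant, IsManagedDevice, RiskScore, AlertReason;
// Detection 2: Federation configuration changes (pre-condition for Golden SAML)
// Reported on their own; they are not yet correlated with a following spike in
// Detection 1, so an analyst should check both for the same tenant/time window.
let FedChanges = AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName in (
    "Set domain authentication",
    "Update domain",
    "Set federation settings on domain",
    "Add federated domain",
    "Set DirSyncEnabled flag",
    "Update StsRefreshTokensValidFrom Timestamp",
    "Update authorization policy")
// Either a user or an application (e.g. a sync tool) initiates the change;
// only one of the two will be populated per row.
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingApp = tostring(InitiatedBy.app.displayName)
| extend TargetResource = tostring(TargetResources[0].displayName)
| project TimeGenerated, OperationName, InitiatingUser, InitiatingApp, TargetResource, Result
| extend AlertReason = strcat("Federation configuration change: ", OperationName)
| extend RiskScore = 85;
// Detection 3: AWS STS token generation from suspicious principals (via Azure Sentinel AWS connector)
let AwsSts = CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor == "Amazon Web Services"
| where Activity in ("AssumeRole", "GetFederationToken", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity")
| where DeviceAction != "NOACTION"
// AdditionalExtensions is a key=value list; stop the capture at ';' as well
// as ',' so a value never swallows the fields that follow it.
// NOTE(review): confirm the separator the connector emits.
| extend SourcePrincipal = tostring(extract("userName=([^;,]+)", 1, AdditionalExtensions))
| extend RoleArn = tostring(extract("requestRoleArn=([^;,]+)", 1, AdditionalExtensions))
// Exclude EC2 instance profiles (userName is the instance id, "i-...") and
// assumed-role principals (AROA... role ids). !startswith replaces the former
// !contains "i-", which also dropped any principal with "i-" inside its name.
| where SourcePrincipal !startswith "i-" and SourcePrincipal !contains "AROA"
| project TimeGenerated, SourceIP, SourceUserName, SourcePrincipal, Activity, DeviceAddress, RoleArn, AdditionalExtensions
| extend AlertReason = strcat("Suspicious AWS STS credential generation: ", Activity)
| extend RiskScore = 75;
union SamlAnomalies, FedChanges, AwsSts
| extend TechniqueId = "T1606"
| order by RiskScore desc, TimeGenerated desc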
high severity medium confidence

Data Sources

Azure Active Directory (Microsoft Entra ID); AWS CloudTrail via Sentinel Connector

Required Tables

AADSignInLogs, AuditLogs, CommonSecurityLog

False Positives

  • Federated SSO environments where many users sign in via SAML at the same time (e.g., shift start in a large org) will trigger the sign-in volume threshold — tune saml_spike_threshold per baseline
  • Legitimate IT admin or privileged identity management tools that use GetFederationToken or AssumeRole for automation (AWS Lambda, CI/CD pipelines, AWS Config) will appear in the STS detection — build exclusion lists for known service principals
  • Directory synchronization tools (Azure AD Connect, Okta provisioning) make federation configuration changes during scheduled sync operations and upgrades — correlate with change management records
  • Security awareness or red team exercises using AADInternals or similar tooling in authorized testing windows will trigger both the federation change and SAML anomaly detections
