T1606.002 SAML Tokens Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1606.002 — Golden SAML: Forged SAML Token Detection
// Three detection branches covering: (1) DKM cert extraction, (2) federation trust changes, (3) anomalous SAML sign-ins
let GoldenSAMLAlerts = union
//
// Branch 1: AD FS DKM Container Access (token-signing cert extraction via LDAP)
// Event 4662 fires when an object in Active Directory is accessed.
// The AD FS DKM container stores encrypted token-signing keys. Access by anything other
// than the ADFS service account is highly suspicious.
(
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4662
    | where (
        (ObjectName has "ADFS" and ObjectName has "Program Data")
        or ObjectName has "CryptoPolicy"
        or Properties has "72e39547-7b18-11d1-adef-00c04fd8d5cd"   // thumbnailPhoto GUID (stores DKM keys)
        or Properties has "thumbnailPhoto"
    )
    | where SubjectUserName !endswith "$"      // Exclude computer accounts (ADFS service account uses computer account)
    | extend DetectionBranch = "DKM_Container_Access"
    | extend RiskScore = 90
    | project TimeGenerated, DetectionBranch, RiskScore,
              AccountName = SubjectUserName, AccountDomain = SubjectDomainName,
              Computer, EventID,
              ObjectName, AccessedProperties = Properties,
              OperationType
),
//
// Branch 2: Federation Trust Created or Modified in Azure AD
// Adding a new federation trust or changing a domain to federated allows an adversary
// to introduce a rogue IdP they control, enabling arbitrary token forgery.
(
    AuditLogs
    | where TimeGenerated > ago(24h)
    | where OperationName in (
        "Set domain authentication",
        "Set federation settings on domain",
        "Add unverified domain",
        "Add verified domain",
        "Update domain",
        "Set company information"
    )
    | where Result =~ "success"
    | extend ModifiedProperties = tostring(TargetResources[0].modifiedProperties)
    | where ModifiedProperties has "Federated" or ModifiedProperties has "federationSettings" or OperationName has "federation"
    | extend DetectionBranch = "Federation_Trust_Modified"
    | extend RiskScore = 95
    | extend AccountName = tostring(InitiatedBy.user.userPrincipalName)
    | extend TargetDomain = tostring(TargetResources[0].displayName)
    | project TimeGenerated, DetectionBranch, RiskScore,
              AccountName, AccountDomain = "AzureAD",
              Computer = "AzureAD", EventID = 0,
              ObjectName = OperationName,
              AccessedProperties = ModifiedProperties,
              OperationType = TargetDomain
),
//
// Branch 3: Anomalous SAML-protocol Sign-ins with Elevated Risk
// Forged SAML tokens may generate sign-in events with unusual characteristics:
// high-risk state, sign-in from atypical locations, or impossible travel.
// Filter to SAML 2.0 protocol sign-ins flagged by Identity Protection.
(
    SigninLogs
    | where TimeGenerated > ago(24h)
    | where AuthenticationProtocol =~ "saml20"
    | where RiskLevelDuringSignIn in ("high", "medium")
          or RiskState in ("atRisk", "confirmedCompromised")
          or (ResultType == 0 and IsRisky == true)
    | extend DetectionBranch = "Anomalous_SAML_Signin"
    | extend RiskScore = case(
        RiskLevelDuringSignIn =~ "high" or RiskState =~ "confirmedCompromised", 85,
        RiskLevelDuringSignIn =~ "medium" or RiskState =~ "atRisk", 65,
        50
    )
    | extend GeoInfo = strcat(tostring(LocationDetails.city), ", ", tostring(LocationDetails.countryOrRegion))
    | project TimeGenerated, DetectionBranch, RiskScore,
              AccountName = UserPrincipalName, AccountDomain = "AzureAD",
              Computer = AppDisplayName, EventID = 0,
              ObjectName = strcat("SAML SignIn: ", AppDisplayName),
              AccessedProperties = strcat("Risk:", RiskLevelDuringSignIn, " Location:", GeoInfo, " IP:", IPAddress),
              OperationType = AuthenticationProtocol
);
GoldenSAMLAlerts
| sort by RiskScore desc, TimeGenerated desc

critical severity high confidence

Data Sources

Active Directory: Active Directory Object Access (Event 4662) Azure AD: Audit Logs (federation trust changes) Azure AD: Sign-in Logs (anomalous SAML authentications) Identity Provider: Authentication Logs

Required Tables

SecurityEvent AuditLogs SigninLogs

False Positives

AD FS service account (computer account ending in $) legitimately reads the DKM container during token issuance — excluded by the computer account filter, but service accounts using user-format names may trigger Branch 1
Authorized identity administrator converting a managed domain to federated during a planned AD FS deployment or migration — Branch 2 will fire; correlate with change management records
Legitimate Identity Protection risk events on SAML-federated users traveling internationally or using VPNs — Branch 3 will fire for genuinely suspicious but non-malicious logins
AD backup tools (e.g., Veeam, Quest Recovery Manager) performing AD object reads may access DKM container objects during full AD backups — verify backup schedules match event timing
Entra ID Connect Health agent polling federation service health may generate benign AuditLog entries resembling federation changes

Splunk

spl

| union
(
  search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4662
  | eval ObjectName_lc=lower(ObjectName)
  | eval Properties_lc=lower(Properties)
  | where (match(ObjectName_lc, "adfs") AND match(ObjectName_lc, "program data"))
       OR match(ObjectName_lc, "cryptopolicy")
       OR match(Properties_lc, "thumbnailphoto")
       OR match(Properties_lc, "72e39547-7b18-11d1-adef-00c04fd8d5cd")
  | where NOT match(SubjectUserName, "\\$$")
  | eval DetectionBranch="DKM_Container_Access"
  | eval RiskScore=90
  | eval Summary=SubjectUserName." accessed AD FS DKM container: ".ObjectName
  | table _time, host, SubjectUserName, SubjectDomainName, ObjectName, OperationType, Properties, DetectionBranch, RiskScore, Summary
)
| append
[
  search index=azure sourcetype="azure:aad:auditlogs"
    (operationName="Set domain authentication" OR operationName="Set federation settings on domain" OR operationName="Add unverified domain" OR operationName="Add verified domain")
    result=success
  | eval modifiedProps=mvjoin(modifiedProperties{}.newValue, ", ")
  | where match(lower(modifiedProps), "federat") OR match(lower(operationName), "federat")
  | eval DetectionBranch="Federation_Trust_Modified"
  | eval RiskScore=95
  | eval ActorUPN=coalesce(initiatedBy.user.userPrincipalName, initiatedBy.app.displayName, "unknown")
  | eval Summary=ActorUPN." modified federation trust: ".operationName
  | table _time, ActorUPN, operationName, targetResources{}.displayName, modifiedProps, DetectionBranch, RiskScore, Summary
]
| append
[
  search index=azure sourcetype="azure:aad:signinlogs" authenticationProtocol=saml20
    (riskLevelDuringSignIn=high OR riskLevelDuringSignIn=medium OR riskState=atRisk OR riskState=confirmedCompromised)
  | eval DetectionBranch="Anomalous_SAML_Signin"
  | eval RiskScore=case(riskLevelDuringSignIn=="high" OR riskState=="confirmedCompromised", 85,
                        riskLevelDuringSignIn=="medium" OR riskState=="atRisk", 65,
                        true(), 50)
  | eval GeoInfo=location.city.", ".location.countryOrRegion
  | eval Summary=userPrincipalName." SAML sign-in to ".appDisplayName." from ".ipAddress." (".GeoInfo.")"
  | table _time, userPrincipalName, appDisplayName, ipAddress, GeoInfo, riskLevelDuringSignIn, riskState, DetectionBranch, RiskScore, Summary
]
| eval SortTime=_time
| sort - RiskScore, - SortTime

critical severity high confidence

Data Sources

Active Directory: Directory Service Object Access (Event 4662) Azure AD: Audit Logs Azure AD: Sign-in Logs (SAML)

Required Sourcetypes

WinEventLog:Security azure:aad:auditlogs azure:aad:signinlogs

False Positives

AD FS service computer accounts (name ending in $) accessing DKM during normal token issuance — these are excluded by the SubjectUserName filter but verify exclusion is working
Authorized identity administrators performing planned federation deployments or migrations to cloud services — correlate with approved change tickets
Identity Protection false positives on SAML-federated accounts using legitimate VPNs or travelling internationally
AD backup solutions performing deep AD attribute reads on program data containers
Azure AD Connect cloud sync operations that may appear as federation-related audit events during directory sync configuration

Elastic Security (EQL)

eql

any where event.dataset in ("azure.signinlogs", "o365.audit") and (kibana.alert.rule.name : "SAML*" or event.outcome : "success" and source.geo.country_iso_code != "US" and user_agent.name : ("python*", "curl*", "Go-http-client*")) or (event.action : "UserLoggedIn" and event.provider : "Exchange" and not user_agent.original : ("Microsoft*", "Mozilla*"))

critical severity high confidence

Data Sources

Azure Active Directory Microsoft 365 Defender Okta

Required Tables

logs-azure.signinlogs-* logs-o365.audit-* .alerts-security.*

False Positives

AD FS service account (computer account ending in $) legitimately reads the DKM container during token issuance — excluded by the computer account filter, but service accounts using user-format names may trigger Branch 1
Authorized identity administrator converting a managed domain to federated during a planned AD FS deployment or migration — Branch 2 will fire; correlate with change management records
Legitimate Identity Protection risk events on SAML-federated users traveling internationally or using VPNs — Branch 3 will fire for genuinely suspicious but non-malicious logins
AD backup tools (e.g., Veeam, Quest Recovery Manager) performing AD object reads may access DKM container objects during full AD backups — verify backup schedules match event timing
Entra ID Connect Health agent polling federation service health may generate benign AuditLog entries resembling federation changes

IBM QRadar (AQL)

sql

SELECT username as "Username", sourceip as "SourceIP", devicetime as "EventTime", UTF8(payload) as "EventDetails", CASE WHEN UTF8(payload) ILIKE '%SAML%' AND UTF8(payload) ILIKE '%forged%' THEN 100 WHEN UTF8(payload) ILIKE '%Golden SAML%' OR UTF8(payload) ILIKE '%ADFSDump%' THEN 100 WHEN UTF8(payload) ILIKE '%token%' AND UTF8(payload) ILIKE '%unusual location%' THEN 70 ELSE 55 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Azure Active Directory', 'Microsoft Office 365', 'Microsoft Windows Security Event Log') AND (UTF8(payload) ILIKE '%SAML%' OR UTF8(payload) ILIKE '%token%' OR eventid IN (4769, 1007, 1200, 1202)) ORDER BY "RiskScore" DESC LAST 1 HOURS

critical severity high confidence

Data Sources

Microsoft Azure Active Directory Microsoft Office 365 Windows Security Event Log

Required Tables

events

False Positives

AD FS service account (computer account ending in $) legitimately reads the DKM container during token issuance — excluded by the computer account filter, but service accounts using user-format names may trigger Branch 1
Authorized identity administrator converting a managed domain to federated during a planned AD FS deployment or migration — Branch 2 will fire; correlate with change management records
Legitimate Identity Protection risk events on SAML-federated users traveling internationally or using VPNs — Branch 3 will fire for genuinely suspicious but non-malicious logins
AD backup tools (e.g., Veeam, Quest Recovery Manager) performing AD object reads may access DKM container objects during full AD backups — verify backup schedules match event timing
Entra ID Connect Health agent polling federation service health may generate benign AuditLog entries resembling federation changes

Sumo Logic CSE

sql

_sourceCategory=azure/ad/signin OR _sourceCategory=o365/audit | json auto | where error_code in ("0", "50158", "50074", "50076") or event_action matches "*SAML*" or event_source matches "*ADFS*" | if(matches(event_action, "*ADFSSecretDump*") or matches(event_action, "*Golden SAML*"), "Critical", if(matches(error_code, "0") and !matches(user_agent, "*Microsoft*"), "High", "Medium")) as RiskLevel | stats count by user_principal_name, source_ip, RiskLevel | sort by count desc

critical severity high confidence

Data Sources

Azure AD Sign-in Logs Office 365 Audit Logs

Required Tables

azure/ad/signin o365/audit

False Positives

AD FS service account (computer account ending in $) legitimately reads the DKM container during token issuance — excluded by the computer account filter, but service accounts using user-format names may trigger Branch 1
Authorized identity administrator converting a managed domain to federated during a planned AD FS deployment or migration — Branch 2 will fire; correlate with change management records
Legitimate Identity Protection risk events on SAML-federated users traveling internationally or using VPNs — Branch 3 will fire for genuinely suspicious but non-malicious logins
AD backup tools (e.g., Veeam, Quest Recovery Manager) performing AD object reads may access DKM container objects during full AD backups — verify backup schedules match event timing
Entra ID Connect Health agent polling federation service health may generate benign AuditLog entries resembling federation changes

Google Chronicle / SecOps

yaral

rule detect_forge_web_credentials {
  meta:
    author = "Argus"
    description = "Detects forged web credential usage including SAML token abuse"
    severity = "HIGH"
    technique = "T1606"
  events:
    $e.metadata.event_type = "SSO"
    $e.metadata.product_name = "Microsoft Azure Active Directory"
    (
      $e.security_result.category = "POLICY_VIOLATION" or
      re.regex($e.principal.user.user_display_name, `.`) and
      not re.regex($e.principal.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)`) 
    )
  condition:
    $e
}

critical severity high confidence

Data Sources

Azure AD Office 365 ADFS Logs

Required Tables

SSO USER_LOGIN USER_UNCATEGORIZED

False Positives

AD FS service account (computer account ending in $) legitimately reads the DKM container during token issuance — excluded by the computer account filter, but service accounts using user-format names may trigger Branch 1
Authorized identity administrator converting a managed domain to federated during a planned AD FS deployment or migration — Branch 2 will fire; correlate with change management records
Legitimate Identity Protection risk events on SAML-federated users traveling internationally or using VPNs — Branch 3 will fire for genuinely suspicious but non-malicious logins
AD backup tools (e.g., Veeam, Quest Recovery Manager) performing AD object reads may access DKM container objects during full AD backups — verify backup schedules match event timing
Entra ID Connect Health agent polling federation service health may generate benign AuditLog entries resembling federation changes

CrowdStrike LogScale (CQL)

cql

#event_simpleName=UserLogon
| AuthenticationPackage = /SAML|Kerberos|NTLM/i
| LogonType = "3"
| case {
    UserSid = "S-1-5-18" | AccountType := "System";
    RemoteIP != "" | AccountType := "RemoteLogon";
    * | AccountType := "Unknown"
  }
| stats count(UserName) as LogonCount by UserName, RemoteIP, AuthenticationPackage
| where LogonCount > 10
| table([@timestamp, UserName, RemoteIP, AuthenticationPackage, LogonCount])

critical severity high confidence

Data Sources

UserLogon (Falcon sensor)

Required Tables

UserLogon SsoApplicationActivity

False Positives

AD FS service account (computer account ending in $) legitimately reads the DKM container during token issuance — excluded by the computer account filter, but service accounts using user-format names may trigger Branch 1
Authorized identity administrator converting a managed domain to federated during a planned AD FS deployment or migration — Branch 2 will fire; correlate with change management records
Legitimate Identity Protection risk events on SAML-federated users traveling internationally or using VPNs — Branch 3 will fire for genuinely suspicious but non-malicious logins
AD backup tools (e.g., Veeam, Quest Recovery Manager) performing AD object reads may access DKM container objects during full AD backups — verify backup schedules match event timing
Entra ID Connect Health agent polling federation service health may generate benign AuditLog entries resembling federation changes

SAML Tokens

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections