Detect Forge Web Credentials in IBM QRadar
This detection identifies adversaries forging web credentials including SAML tokens, JWT assertions, AWS temporary security credentials, and session cookies by leveraging obtained secrets such as AD FS signing certificates, private keys, or application secrets. Unlike credential theft, web credential forging generates net-new authentication material that can impersonate any user and bypass MFA. Detection monitors anomalous SAML and WS-Federation authentication patterns in Azure AD sign-in logs, suspicious AWS STS API activity (AssumeRole, GetFederationToken, AssumeRoleWithSAML) from unusual principals, PowerShell and scripting process activity consistent with known token-forging frameworks such as AADInternals and Shimit (Golden SAML), federation configuration changes followed by elevated token issuance rates, and access from non-compliant or unregistered devices authenticating via federated protocols.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1606 Forge Web Credentials
- Canonical reference
- https://attack.mitre.org/techniques/T1606/
QRadar Detection Query
SELECT username as "Username", sourceip as "SourceIP", devicetime as "EventTime", UTF8(payload) as "EventDetails",
  CASE
    WHEN UTF8(payload) ILIKE '%SAML%' AND UTF8(payload) ILIKE '%forged%' THEN 100
    WHEN UTF8(payload) ILIKE '%Golden SAML%' OR UTF8(payload) ILIKE '%ADFSDump%' THEN 100
    WHEN UTF8(payload) ILIKE '%token%' AND UTF8(payload) ILIKE '%unusual location%' THEN 70
    ELSE 55
  END as "RiskScore"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Azure Active Directory', 'Microsoft Office 365', 'Microsoft Windows Security Event Log')
  AND (UTF8(payload) ILIKE '%SAML%' OR UTF8(payload) ILIKE '%token%' OR eventid IN (4769, 1007, 1200, 1202))
ORDER BY "RiskScore" DESC
LAST 1 HOURS

IBM QRadar AQL translation of the T1606 detection. Uses SQL-like syntax with risk scoring. Detects three suspicious patterns consistent with web credential forging: (1) anomalous SAML/WS-Fede
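To check how the query's WHERE clause and CASE scoring behave before deploying it, here is an added Python emulation (not part of the original page or of QRadar) that runs the same logic over constructed sample events; the `excluded_users` parameter is the service-principal exclusion list suggested under False Positives and is an assumption added here, not part of the AQL as written.

```python
# Constructed events in the shape the AQL query reads; times and addresses are placeholders.
SAMPLE_EVENTS = [
    {"logsource": "Microsoft Azure Active Directory", "eventid": 0, "username": "alice",
     "sourceip": "203.0.113.10", "devicetime": "2024-01-01T08:00:00Z",
     "payload": "SAML response accepted; token issued from unusual location"},
    {"logsource": "Microsoft Office 365", "eventid": 0, "username": "svc-ci",
     "sourceip": "198.51.100.7", "devicetime": "2024-01-01T08:01:00Z",
     "payload": "ADFSDump archive uploaded; SAML signing key exported"},
    {"logsource": "Microsoft Windows Security Event Log", "eventid": 4769, "username": "bob",
     "sourceip": "10.0.0.5", "devicetime": "2024-01-01T08:02:00Z",
     "payload": "A Kerberos service ticket was requested"},
    {"logsource": "Linux OS", "eventid": 0, "username": "root",
     "sourceip": "10.0.0.9", "devicetime": "2024-01-01T08:03:00Z",
     "payload": "SAML token forged"},  # not in the query's log source list, so dropped
]

LOG_SOURCES = {"Microsoft Azure Active Directory", "Microsoft Office 365",
               "Microsoft Windows Security Event Log"}
EVENT_IDS = {4769, 1007, 1200, 1202}

def ilike(payload, needle):
    """AQL `UTF8(payload) ILIKE '%needle%'`: case-insensitive substring match."""
    return needle.lower() in payload.lower()

def risk_score(payload):
    """The query's CASE expression; branches are tried in order, first match wins."""
    if ilike(payload, "SAML") and ilike(payload, "forged"):
        return 100
    if ilike(payload, "Golden SAML") or ilike(payload, "ADFSDump"):
        return 100
    if ilike(payload, "token") and ilike(payload, "unusual location"):
        return 70
    return 55

def run_detection(events, excluded_users=()):
    """Apply the WHERE clause, score each hit and sort by RiskScore descending.
    excluded_users is a tuning addition (known automation principals); the
    LAST 1 HOURS window is assumed to be applied by the caller."""
    hits = []
    for e in events:
        p = e["payload"]
        if (e["logsource"] not in LOG_SOURCES or e["username"] in excluded_users
                or not (ilike(p, "SAML") or ilike(p, "token") or e["eventid"] in EVENT_IDS)):
            continue
        hits.append({"Username": e["username"], "SourceIP": e["sourceip"],
                     "EventTime": e["devicetime"], "EventDetails": p,
                     "RiskScore": risk_score(p)})
    return sorted(hits, key=lambda h: h["RiskScore"], reverse=True)
```

Note that the ELSE branch gives every Kerberos 4769 event in the window a score of 55, so the query's volume is dominated by that event ID unless it is tuned.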
Data Sources
Required Tables
False Positives & Tuning
- Federated SSO environments where many users sign in via SAML simultaneously (e.g., shift start in a large org) will trigger the sign-in volume threshold — tune saml_spike_threshold per baseline
- Legitimate IT admin or privileged identity management tools that use GetFederationToken or AssumeRole for automation (AWS Lambda, CI/CD pipelines, AWS Config) will appear in the STS detection — build exclusion lists for known service principals
- Directory synchronization tools (Azure AD Connect, Okta provisioning) make federation configuration changes during scheduled sync operations and upgrades — correlate with change management records
- Security awareness or red team exercises using AADInternals or similar tooling in authorized testing windows will trigger both the federation change and SAML anomaly detections
Other platforms for T1606
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Golden SAML Token Forging via AADInternals
Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe with CommandLine containing 'AADInternals', 'New-AADIntSAMLToken', 'Import-Module AADInternals'. PowerShell Event ID 4104 (ScriptBlock Logging) with full decoded script content. Sysmon Event ID 7 (Image Load) for Microsoft.IdentityModel or System.IdentityModel assemblies from user profile path.
- Test 2: AWS STS GetFederationToken Credential Generation
Expected signal: Sysmon Event ID 1 for aws.exe process with CommandLine containing 'get-federation-token' and 'assume-role-with-saml'. Windows Security Event 4688 (if Sysmon not available) for same process. AWS CloudTrail event: sts.amazonaws.com, eventName=GetFederationToken, sourceIPAddress of the test host.
- Test 3: JWT Token Forging with Algorithm Confusion (None Algorithm)
Expected signal: Sysmon Event ID 1 (Linux: auditd execve) for python3 process with CommandLine containing 'none', 'algorithm', 'jwt', 'forge'. Linux syslog records python3 invocation. Process arguments visible in /proc/<pid>/cmdline during execution.
- Test 4: Zimbra Pre-Authentication Key Generation (T1606 Variant)
Expected signal: Sysmon Event ID 1 for bash and python3 processes with CommandLine containing 'zmprov', 'gdpak', 'zimbra', 'preauth'. Linux auditd EXECVE records for bash -c with zmprov pattern. /tmp/zimbra_preauth_test.txt file creation event.
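After running the tests, the collected telemetry should be checked against the expected signals listed above. The following is an added Python coverage check (not from the original page or from Atomic Red Team) that transcribes those expected signals and reports, per test, how many of them were observed; the flattening of each event to one searchable `text` field and the `min_fragments` threshold are assumptions made for this example.

```python
# Expected telemetry per test, transcribed from the "Expected signal" lines above and
# reduced to (provider, event id, indicator fragments). Each event is flattened to one
# searchable "text" field (CommandLine, ScriptBlockText, ImageLoaded, or CloudTrail
# eventSource); that flattening and the match threshold are assumptions of this example.
EXPECTED_SIGNALS = {
    "Test 1 Golden SAML (AADInternals)": [
        ("Sysmon", 1, ["AADInternals", "New-AADIntSAMLToken", "Import-Module AADInternals"]),
        ("PowerShell", 4104, ["AADInternals"]),
        ("Sysmon", 7, ["Microsoft.IdentityModel", "System.IdentityModel"]),
    ],
    "Test 2 AWS STS GetFederationToken": [
        ("Sysmon", 1, ["get-federation-token", "assume-role-with-saml"]),
        ("CloudTrail", "GetFederationToken", ["sts.amazonaws.com"]),
    ],
    "Test 3 JWT alg=none": [("Sysmon", 1, ["none", "algorithm", "jwt", "forge"])],
    "Test 4 Zimbra preauth": [("Sysmon", 1, ["zmprov", "gdpak", "zimbra", "preauth"])],
}

# Constructed telemetry as a collector might have captured it during a test window.
COLLECTED = [
    {"provider": "Sysmon", "event_id": 1, "text": "powershell.exe -c Import-Module AADInternals; New-AADIntSAMLToken"},
    {"provider": "PowerShell", "event_id": 4104, "text": "Import-Module AADInternals"},
    {"provider": "Sysmon", "event_id": 7, "text": r"C:\Users\qa\Downloads\Microsoft.IdentityModel.dll"},
    {"provider": "Sysmon", "event_id": 1, "text": "aws.exe sts get-federation-token --name qa"},
    {"provider": "Sysmon", "event_id": 1, "text": "bash -c /opt/zimbra/bin/zmprov gdpak qa@example.test"},
]

def signal_fired(events, provider, event_id, fragments, min_fragments):
    """True if any event from the expected source carries enough indicator fragments."""
    needed = min(min_fragments, len(fragments))
    for e in events:
        if e["provider"] != provider or e["event_id"] != event_id:
            continue
        hits = sum(f.lower() in e["text"].lower() for f in fragments)
        if hits >= needed:
            return True
    return False

def coverage_report(events, min_fragments=1):
    """Map each test to (signals observed, signals expected); a gap means the collector
    or parser needs attention before the detection can be trusted in this environment."""
    report = {}
    for test, signals in EXPECTED_SIGNALS.items():
        seen = sum(signal_fired(events, *sig, min_fragments) for sig in signals)
        report[test] = (seen, len(signals))
    return report

if __name__ == "__main__":
    for test, (seen, total) in coverage_report(COLLECTED).items():
        print(f"{'OK ' if seen == total else 'GAP'} {test}: {seen}/{total} signals")
```

Raising `min_fragments` makes the check stricter (e.g. requiring both STS fragments for Test 2), which is useful for the broad Test 3 indicators such as 'none' and 'algorithm'.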
References
- https://attack.mitre.org/techniques/T1606/
- https://attack.mitre.org/techniques/T1606/001/
- https://attack.mitre.org/techniques/T1606/002/
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://www.mandiant.com/resources/blog/detecting-and-responding-to-adfs-attacks
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
- https://wiki.zimbra.com/wiki/Preauth