Detect Forge Web Credentials in Splunk
This detection identifies adversaries forging web credentials including SAML tokens, JWT assertions, AWS temporary security credentials, and session cookies by leveraging obtained secrets such as AD FS signing certificates, private keys, or application secrets. Unlike credential theft, web credential forging generates net-new authentication material that can impersonate any user and bypass MFA. Detection monitors anomalous SAML and WS-Federation authentication patterns in Azure AD sign-in logs, suspicious AWS STS API activity (AssumeRole, GetFederationToken, AssumeRoleWithSAML) from unusual principals, PowerShell and scripting process activity consistent with known token-forging frameworks such as AADInternals and Shimit (Golden SAML), federation configuration changes followed by elevated token issuance rates, and access from non-compliant or unregistered devices authenticating via federated protocols.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1606 Forge Web Credentials
- Canonical reference: https://attack.mitre.org/techniques/T1606/
SPL Detection Query
index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval EventCode=coalesce(EventCode, event_id)
| search EventCode IN ("1", "4688")
| eval process_name=lower(coalesce(Image, NewProcessName, ""))
| eval command_line=coalesce(CommandLine, ProcessCommandLine, "")
| eval parent_process=lower(coalesce(ParentImage, ParentProcessName, ""))
| eval user=coalesce(User, SubjectUserName, "")
| eval hostname=coalesce(Computer, host)
| eval ts=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval risk_score=0
`comment("--- Credential forging framework detection ---")`
| eval risk_score=risk_score + if(match(command_line, "(?i)(AADInternals|Open-AzureOffice365Connection|ConvertTo-AADToken|Get-AADIntAccessToken|New-AADIntSAMLToken)"), 70, 0)
| eval risk_score=risk_score + if(match(command_line, "(?i)(golden[_\-\s]saml|shimit|ADFSpoof|samlReplay|Invoke-ADFSTokenSigning)"), 80, 0)
| eval risk_score=risk_score + if(match(command_line, "(?i)(Get-ADFSProperties|Export-PfxCertificate.*ADFS|Get-ADFSCertificate)"), 50, 0)
`comment("--- AWS STS credential forging via CLI ---")`
| eval risk_score=risk_score + if(match(command_line, "(?i)sts.*(assume-role-with-saml|get-federation-token|assume-role-with-web-identity)"), 60, 0)
`comment("--- Zimbra preauth key abuse ---")`
| eval risk_score=risk_score + if(match(command_line, "(?i)zmprov.*gdpak|zimbra.*preauth"), 55, 0)
`comment("--- JWT forgery patterns ---")`
| eval risk_score=risk_score + if(match(command_line, "(?i)(jwt.*forge|sign.*jwt|HS256.*secret|RS256.*privkey|none.*algorithm)"), 50, 0)
`comment("--- Suspicious parent process context ---")`
| eval risk_score=risk_score + if(match(process_name, "(?i)(powershell|pwsh)") AND match(parent_process, "(?i)(winword|excel|outlook|chrome|firefox|msedge)"), 25, 0)
| where risk_score >= 40
| eval detection_reason=case(
match(command_line, "(?i)(AADInternals|golden[_\-\s]saml|ADFSpoof|samlReplay)"), "Known credential forging tool invocation",
match(command_line, "(?i)Get-ADFSCertificate|Export-PfxCertificate.*ADFS"), "AD FS certificate extraction attempt",
match(command_line, "(?i)sts.*(assume-role-with-saml|get-federation-token)"), "AWS STS federation token generation",
match(command_line, "(?i)zmprov.*gdpak"), "Zimbra preauth key generation",
1==1, "Credential forging behavioral pattern")
| stats count as event_count,
max(risk_score) as max_risk,
values(command_line) as command_lines,
values(process_name) as processes,
values(parent_process) as parent_processes,
values(detection_reason) as reasons
by hostname, user
| where max_risk >= 40
| eval severity=case(max_risk >= 70, "Critical", max_risk >= 50, "High", "Medium")
| sort - max_risk
| table hostname, user, severity, max_risk, event_count, reasons, processes, command_lines, parent_processes

Detects process creation events on Windows hosts consistent with web credential forging activity: invocation of known tools such as the AADInternals PowerShell module (Open-AzureOffice365Connection, New-AADIntSAMLToken), Golden SAML frameworks (Shimit, ADFSpoof), AD FS certificate extraction commands, AWS CLI STS federation token requests, Zimbra preauth key generation (zmprov gdpak), and JWT algorithm manipulation patterns. Each event receives an additive risk score, events below 40 are dropped, and the survivors are grouped by host and user (severity derived from the highest per-group score) to surface compound credential forging sequences.
Data Sources
Required Sourcetypes (as used in the query above):
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (Event ID 1, Process Create)
- WinEventLog:Security (Event ID 4688, process creation)
False Positives & Tuning
- Security teams using AADInternals legitimately for Azure AD administration, auditing, or authorized penetration testing — add authorized host/user exclusions to the risk scoring block
- AWS CLI usage of assume-role in DevOps pipelines, CI/CD automation, and cloud engineers rotating credentials — build an exclusion list of known automation service accounts
- JWT library testing and development activity using Python or Node.js JWT packages on developer workstations — exclude development hosts by hostname prefix or subnet
- AD FS certificate exports during scheduled PKI certificate renewals or disaster recovery procedures — correlate with change management tickets and maintenance windows
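The following Python script is an added example, not part of this page's detection package, that re-implements the SPL query's field coalescing, additive risk scoring, per-event threshold, host/user grouping and severity mapping, and then layers the two tuning exclusions described above (authorized host/user pairs and developer-host name prefixes) on top. It runs offline over constructed sample events; the hostnames, user names, command lines and the shape of the exclusion lists are all assumptions made for the example, and the first three sample events are modelled on the expected signals of Tests 1, 2 and 4 in the Testing Methodology section.

```python
import re
from collections import defaultdict

# Additive scoring rules, one per eval block in the SPL query: (regex over command_line, points).
SCORING_RULES = [
    (r"AADInternals|Open-AzureOffice365Connection|ConvertTo-AADToken|Get-AADIntAccessToken|New-AADIntSAMLToken", 70),
    (r"golden[_\-\s]saml|shimit|ADFSpoof|samlReplay|Invoke-ADFSTokenSigning", 80),
    (r"Get-ADFSProperties|Export-PfxCertificate.*ADFS|Get-ADFSCertificate", 50),
    (r"sts.*(assume-role-with-saml|get-federation-token|assume-role-with-web-identity)", 60),
    (r"zmprov.*gdpak|zimbra.*preauth", 55),
    (r"jwt.*forge|sign.*jwt|HS256.*secret|RS256.*privkey|none.*algorithm", 50),
]
# detection_reason case() branches in SPL order; anything else gets the fallback reason.
REASON_RULES = [
    (r"AADInternals|golden[_\-\s]saml|ADFSpoof|samlReplay", "Known credential forging tool invocation"),
    (r"Get-ADFSCertificate|Export-PfxCertificate.*ADFS", "AD FS certificate extraction attempt"),
    (r"sts.*(assume-role-with-saml|get-federation-token)", "AWS STS federation token generation"),
    (r"zmprov.*gdpak", "Zimbra preauth key generation"),
]
SCRIPT_HOSTS = r"powershell|pwsh"
SUSPICIOUS_PARENTS = r"winword|excel|outlook|chrome|firefox|msedge"
EVENT_THRESHOLD = 40  # the "| where risk_score >= 40" line of the query


def normalize(event):
    """Coalesce Sysmon EID 1 and Security 4688 field names the way the SPL eval chain does."""
    return {
        "process_name": (event.get("Image") or event.get("NewProcessName") or "").lower(),
        "command_line": event.get("CommandLine") or event.get("ProcessCommandLine") or "",
        "parent_process": (event.get("ParentImage") or event.get("ParentProcessName") or "").lower(),
        "user": event.get("User") or event.get("SubjectUserName") or "",
        "hostname": event.get("Computer") or event.get("host") or "",
    }

def score_event(ev):
    """Sum the points of every matching rule, plus the parent-process context bonus."""
    score = sum(pts for pat, pts in SCORING_RULES if re.search(pat, ev["command_line"], re.I))
    if re.search(SCRIPT_HOSTS, ev["process_name"], re.I) and re.search(SUSPICIOUS_PARENTS, ev["parent_process"], re.I):
        score += 25
    return score

def detection_reason(ev):
    for pat, reason in REASON_RULES:
        if re.search(pat, ev["command_line"], re.I):
            return reason
    return "Credential forging behavioral pattern"

def severity(max_risk):
    return "Critical" if max_risk >= 70 else "High" if max_risk >= 50 else "Medium"

def is_excluded(ev, authorized_pairs, dev_host_prefixes):
    # Tuning from the False Positives section; the list shapes are assumptions for this example.
    if (ev["hostname"], ev["user"]) in authorized_pairs:
        return True
    return any(ev["hostname"].upper().startswith(p.upper()) for p in dev_host_prefixes)

def run_detection(raw_events, authorized_pairs=frozenset(), dev_host_prefixes=()):
    """Score each process-creation event, drop those under the threshold, then group by host and user."""
    groups = defaultdict(lambda: {"event_count": 0, "max_risk": 0, "reasons": set(), "command_lines": set()})
    for raw in raw_events:
        if raw.get("EventCode") not in ("1", "4688"):
            continue
        ev = normalize(raw)
        if is_excluded(ev, authorized_pairs, dev_host_prefixes):
            continue
        risk = score_event(ev)
        if risk < EVENT_THRESHOLD:
            continue
        g = groups[(ev["hostname"], ev["user"])]
        g["event_count"] += 1
        g["max_risk"] = max(g["max_risk"], risk)
        g["reasons"].add(detection_reason(ev))
        g["command_lines"].add(ev["command_line"])
    for g in groups.values():
        g["severity"] = severity(g["max_risk"])
    return dict(groups)


# Constructed sample events (not real telemetry); the first three mirror Tests 1, 2 and 4.
SAMPLE_EVENTS = [
    {"EventCode": "1", "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "CommandLine": 'powershell.exe -nop -c "Import-Module AADInternals; New-AADIntSAMLToken"'},
    {"EventCode": "4688", "Computer": "WS02", "SubjectUserName": "bob",
     "NewProcessName": "C:\\Program Files\\Amazon\\AWSCLIV2\\aws.exe", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ProcessCommandLine": "aws sts get-federation-token --name audit-session"},
    {"EventCode": "1", "Computer": "zmb01", "User": "zimbra", "Image": "/usr/bin/bash",
     "ParentImage": "/usr/sbin/sshd", "CommandLine": "bash -c 'zmprov gdpak example.test'"},
    {"EventCode": "1", "Computer": "WS03", "User": "CORP\\carol",  # benign: scores 0 and is dropped
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Get-Process"},
    {"EventCode": "1", "Computer": "SEC-JUMP01", "User": "CORP\\redteam",  # authorized host/user pair
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'pwsh -c "Import-Module AADInternals"'},
    {"EventCode": "1", "Computer": "DEV-011", "User": "CORP\\dave",  # developer host, excluded by prefix
     "Image": "C:\\Python311\\python.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "python jwt_forge_test.py --alg HS256"},
]
AUTHORIZED_PAIRS = frozenset({("SEC-JUMP01", "CORP\\redteam")})
DEV_HOST_PREFIXES = ("DEV-",)

if __name__ == "__main__":
    results = run_detection(SAMPLE_EVENTS, AUTHORIZED_PAIRS, DEV_HOST_PREFIXES)
    for (host, user), g in sorted(results.items(), key=lambda kv: -kv[1]["max_risk"]):
        print(f"{host:10} {user:14} {g['severity']:8} {g['max_risk']:3} {g['event_count']} {sorted(g['reasons'])}")
```

Running the script without the two exclusion arguments surfaces five host/user groups; with them, the authorized jump host and the developer workstation disappear and three groups remain (Critical, High, High), which is the behaviour the tuning bullets above describe. When porting the exclusions back into SPL, put them before the scoring block (a `where NOT (hostname=... AND user=...)` or a lookup) and, before scheduling, narrow `index=*` to the indexes that actually hold Sysmon and Security events.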
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Golden SAML Token Forging via AADInternals
Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe with CommandLine containing 'AADInternals', 'New-AADIntSAMLToken', 'Import-Module AADInternals'. PowerShell Event ID 4104 (ScriptBlock Logging) with full decoded script content. Sysmon Event ID 7 (Image Load) for Microsoft.IdentityModel or System.IdentityModel assemblies from user profile path.
- Test 2: AWS STS GetFederationToken Credential Generation
Expected signal: Sysmon Event ID 1 for aws.exe process with CommandLine containing 'get-federation-token' and 'assume-role-with-saml'. Windows Security Event 4688 (if Sysmon not available) for same process. AWS CloudTrail event: sts.amazonaws.com, eventName=GetFederationToken, sourceIPAddress of the test host.
- Test 3: JWT Token Forging with Algorithm Confusion (None Algorithm)
Expected signal: Sysmon Event ID 1 (Linux: auditd execve) for python3 process with CommandLine containing 'none', 'algorithm', 'jwt', 'forge'. Linux syslog records python3 invocation. Process arguments visible in /proc/<pid>/cmdline during execution.
- Test 4: Zimbra Pre-Authentication Key Generation (T1606 Variant)
Expected signal: Sysmon Event ID 1 for bash and python3 processes with CommandLine containing 'zmprov', 'gdpak', 'zimbra', 'preauth'. Linux auditd EXECVE records for bash -c with zmprov pattern. /tmp/zimbra_preauth_test.txt file creation event.
References
- https://attack.mitre.org/techniques/T1606/
- https://attack.mitre.org/techniques/T1606/001/
- https://attack.mitre.org/techniques/T1606/002/
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://www.mandiant.com/resources/blog/detecting-and-responding-to-adfs-attacks
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
- https://wiki.zimbra.com/wiki/Preauth