title: SAML Tokens (T1606.002)
id: df00tech-t1606-002
status: experimental
description: "Adversaries may forge SAML tokens with arbitrary permissions and lifetimes if they possess a valid SAML token-signing certificate. Known as 'Golden SAML,' this attack allows adversaries to authenticate to any service trusting a federated identity provider (IdP) without needing user credentials or MFA. Attackers typically extract the token-signing certificate from AD FS using the Distributed Key Manager (DKM) container in Active Directory, or establish a new rogue federation trust. The SolarWinds/SUNBURST campaign demonstrated this technique at scale, enabling attackers to forge SAML tokens for any cloud identity in Microsoft 365 and Azure AD."
references:
  - https://attack.mitre.org/techniques/T1606/002/
  - https://df00tech.com/detections/T1606.002
author: df00tech
date: 2026/03/13
tags:
  - attack.t1606.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "AD FS service account (computer account ending in $) legitimately reads the DKM container during token issuance — excluded by the computer account filter, but service accounts using user-format names may trigger Branch 1"
  - Authorized identity administrator converting a managed domain to federated during a planned AD FS deployment or migration — Branch 2 will fire; correlate with change management records
  - Legitimate Identity Protection risk events on SAML-federated users traveling internationally or using VPNs — Branch 3 will fire for genuinely suspicious but non-malicious logins
  - "AD backup tools (e.g., Veeam, Quest Recovery Manager) performing AD object reads may access DKM container objects during full AD backups — verify backup schedules match event timing"
  - Entra ID Connect Health agent polling federation service health may generate benign AuditLog entries resembling federation changes
level: critical