Detections
Analytics
Forge Web Credentials:SAML Tokens(Azure)
Description
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the
NotOnOrAfter value of the conditions ... element in a token. This value can be changed using the AccessTokenLifetime in a LifetimeTokenPolicy.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Windows Services | Plugin ID: 44401 |
References
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Credential Access
Technique: Forge Web Credentials
Sub-Technique: SAML Tokens
Platform: Entra ID
Products Required: Tenable Vulnerability Management
Tenable Release Date: 2024 Q2