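Forging web credentials means that an adversary uses cryptographic techniques or protocol flaws to generate false identity credentials that bypass the authentication mechanisms of web applications and cloud services. Unlike traditional credential theft, the technique constructs new, valid credentials rather than stealing existing ones, which lets it sidestep protections such as multi-factor authentication. Defenders typically detect and counter it by monitoring for anomalous credential-issuance activity (such as token requests at unusual hours), analyzing credential usage patterns (such as anomalous cross-region access), and reviewing the integrity of cryptographic signatures.

Current stealth techniques for forged web credentials are evolving mainly in three directions: cryptographic conformance, embedding in business processes, and penetration of the trust chain. Dynamic-token cloud service forgery generates officially recognized temporary credentials through legitimate API interfaces, hiding the attack within the cloud platform's routine operations traffic. Encrypted signed cookie generation reverse-engineers the session management mechanism so that forged credentials are identical to legitimate ones at the cryptographic level. Cross-domain federated identity forgery exploits the transitive trust of identity federation systems to construct credentials that are valid globally across security domains. What the three have in common is that they go beyond the protocol-imitation level of traditional forgery: by integrating deeply with the target system's cryptographic infrastructure and business process conventions, they make forged credentials meet the technical standards of legitimate credentials in implementation, usage context, and trust verification, and so comprehensively defeat defenses based on rule matching, signature verification, and behavioral pattern analysis.

| Effect type | Present |
|---|---|
| Feature camouflage | ✅ |
| Behavioral transparency | ❌ |
| Data obscuring | ✅ |
| Spatio-temporal trace dilution | ✅ |

By precisely emulating the target system's credential-generation protocol and cryptographic algorithms, the adversary makes forged credentials identical to legitimate ones in data structure, signature algorithm, and transport protocol. Examples include temporary tokens generated through a cloud provider's standard API, or federated identity assertions that conform to the SAML 2.0 specification. Such credentials cannot be distinguished from normal business activity on technical characteristics alone, giving the attack protocol-level camouflage.

In sub-techniques such as encrypted signed cookie generation, the adversary applies multiple layers of encryption to the forged credential using the same encryption keys as the target system, so the credential's contents remain encrypted both in transit and at rest. Even if defenders capture the credential data, they cannot directly identify it as malicious by decrypting its contents, which produces a data-obscuring effect under the protection of the encryption layer.

Temporary credentials produced by dynamic-token cloud service forgery have strictly limited lifetimes (typically 15 minutes to 1 hour). By using each credential briefly and then discarding it, the adversary fragments the lifecycle of malicious credentials across different time windows. Using the credentials through globally distributed proxy nodes further dilutes the detectability of the attack in time and space, causing traditional detection mechanisms based on long-period behavioral analysis to fail.
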
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Administrators should perform an audit of all access lists and the permissions they have been granted to access web applications and services. This should be done extensively on all resources in order to establish a baseline, followed up on with periodic audits of new or updated resources. Suspicious accounts/credentials should be investigated and removed. Enable advanced auditing on ADFS. Check the success and failure audit options in the ADFS Management snap-in. Enable Audit Application Generated events on the AD FS farm via Group Policy Object.[1] |
| M1026 | Privileged Account Management | Restrict permissions and access to the AD FS server to only originate from privileged access workstations.[1] |
| M1054 | Software Configuration | Configure browsers/applications to regularly delete persistent web credentials (such as cookies). |
| M1018 | User Account Management | Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, Just in Time/Just Enough Administration (JIT/JEA), and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles.[2] In AWS environments, prohibit users from calling the |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0028 | Logon Session | Logon Session Creation | Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts and/or using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.[4] Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations. These logins may occur on any on-premises resources as well as from any cloud environment that trusts the credentials.[2] |
| DS0006 | Web Credential | Web Credential Creation | Monitor for creation of access tokens using SAML tokens which do not have corresponding 4769 and 1200 events in the domain.[4] Additionally, detect on unusual API calls to generate access tokens, such as |
| | | Web Credential Usage | Monitor for the use of Access Tokens to access services such as Email that were created using SAML tokens which do not have corresponding 1202 events in the domain.[4] |
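
The correlation named in the detection table, sketched as an added example (not part of the original page or of any vendor tooling): each SAML-based sign-in is matched against domain events 4769 and 1200 for the same user in a preceding time window, and sign-ins without a match are reported. The record layout, field names, the 5-minute window, and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are assumptions; user
# names are assumed already normalized to one form across both sources.
DOMAIN_EVENTS = [  # on-premises events: DC 4769, AD FS 1200 / 1202
    {"time": "2024-05-01T09:00:02", "event_id": 4769, "user": "alice"},
    {"time": "2024-05-01T09:00:03", "event_id": 1200, "user": "alice"},
    {"time": "2024-05-01T09:00:03", "event_id": 1202, "user": "alice"},
    {"time": "2024-05-01T11:30:00", "event_id": 4769, "user": "bob"},
]
SAML_LOGONS = [  # service-provider sign-ins that presented a SAML token
    {"time": "2024-05-01T09:00:05", "user": "alice", "app": "mail"},
    {"time": "2024-05-01T11:30:04", "user": "bob", "app": "mail"},
    {"time": "2024-05-01T14:12:40", "user": "carol", "app": "console"},
]

REQUIRED = {4769, 1200}        # event IDs the detection table expects to see
WINDOW = timedelta(minutes=5)  # assumed window; tune to token lifetime and clock skew

def missing_events(logon, domain_events, required=REQUIRED, window=WINDOW):
    """Return required event IDs with no match for the logon's user in the window before it."""
    t = datetime.fromisoformat(logon["time"])
    seen = {e["event_id"] for e in domain_events
            if e["user"] == logon["user"]
            and timedelta(0) <= t - datetime.fromisoformat(e["time"]) <= window}
    return set(required) - seen

def uncorrelated_logons(logons, domain_events):
    """List (user, app, missing_event_ids) for sign-ins lacking a corresponding domain event."""
    findings = []
    for logon in logons:
        missing = missing_events(logon, domain_events)
        if missing:
            findings.append((logon["user"], logon["app"], sorted(missing)))
    return findings

if __name__ == "__main__":
    for user, app, missing in uncorrelated_logons(SAML_LOGONS, DOMAIN_EVENTS):
        print(f"ALERT {user} -> {app}: no corresponding domain event(s) {missing}")
```

Passing `required={1202}` to `missing_events` applies the same check to the Web Credential Usage row.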