{
  "type": "x-mitre-analytic",
  "spec_version": "2.1",
  "id": "x-mitre-analytic--5d2820b1-af59-4ca2-9f9e-b5bc76f55395",
  "created": "2025-10-21T15:10:28.402Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/detectionstrategies/DET0148#AN0420",
      "external_id": "AN0420"
    }
  ],
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "modified": "2025-11-12T22:03:39.105Z",
  "name": "Analytic 0420",
  "description": "Forged SAML tokens may be used on Windows systems to authenticate to federated apps without normal Kerberos activity. Defenders may detect anomalous event correlation, where access to SaaS/O365 via SAML occurs without prior TGT requests or user logons.",
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_deprecated": false,
  "x_mitre_version": "1.0",
  "x_mitre_attack_spec_version": "3.3.0",
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_platforms": [
    "Windows"
  ],
  "x_mitre_log_source_references": [
    {
      "x_mitre_data_component_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
      "name": "WinEventLog:Security",
      "channel": "EventCode=4624, 4648"
    },
    {
      "x_mitre_data_component_ref": "x-mitre-data-component--5f7c9def-0ddf-423b-b1f8-fb2ddeed0ce3",
      "name": "WinEventLog:ADFS",
      "channel": "Token issuance events showing anomalous claims or issuers"
    }
  ],
  "x_mitre_mutable_elements": [
    {
      "field": "ClaimAnomalyThreshold",
      "description": "Number of unusual claims in a SAML token (e.g., excessive privileges)."
    }
  ]
}