MITRE ATT&CK® Analytic

AN0418: Analytic 0418

Forged SAML tokens can be observed as authentication attempts with valid signatures but missing expected preceding Kerberos or authentication events. Defenders may correlate SAML assertions with absent Event IDs 4769, 1200, or 1202, or tokens issued with abnormal lifetimes, issuers, or claims compared to baseline.

Domain: Enterprise | Object: AN0418 (Analytic) | Version 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because forged SAML tokens can let an attacker appear to authenticate successfully through an identity provider even when the normal upstream authentication trail is missing or inconsistent. For leaders, the practical question is whether identity telemetry is complete enough to prove that a SAML-based login was legitimately issued, not just whether the token signature looked valid.

Executive priority

Prioritize this as an identity assurance and incident readiness issue. SAML is often used for high-value enterprise access, so investigations, audits, and containment decisions depend on being able to correlate token use with expected authentication events and normal token characteristics. Security leaders should ask whether the organization can baseline SAML issuers, claims, and token lifetimes, and whether SOC and IR teams can quickly identify authentications that lack expected preceding Kerberos or identity-provider evidence.

Technical view

The supplied analytic is scoped to Identity Provider telemetry. SOC and detection teams should validate correlation between SAML assertions and expected preceding authentication records, specifically looking for validly signed authentication attempts where expected Event IDs 4769, 1200, or 1202 are absent. Teams should also baseline normal SAML token lifetime, issuer, and claims patterns so abnormal assertions can be reviewed in context. Because no ATT&CK tactic or relationship context is supplied, this should be treated as a detection analytic for identity-provider anomaly validation rather than a complete technique coverage statement.

Likely telemetry

  • Identity provider authentication logs
  • SAML assertion or token issuance records
  • Kerberos-related authentication events, including Event ID 4769 where applicable
  • Identity-provider events corresponding to Event IDs 1200 and 1202 where applicable
  • Token metadata including issuer, claims, signature status, and lifetime

Detection direction

  • Validate that SAML authentication events can be correlated to expected preceding Kerberos or identity-provider authentication events.
  • Alert or review cases where a SAML token has a valid signature but expected preceding Event IDs 4769, 1200, or 1202 are missing.
  • Baseline normal SAML token lifetimes, issuers, and claims before treating deviations as high confidence.
  • Tune for legitimate federation, service-provider, or identity-provider flows that may not generate the same preceding events in every environment.
  • Confirm log retention and time synchronization are sufficient; missing events may indicate either suspicious activity or telemetry gaps.
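As an added illustration of the correlation and baselining steps above (example code written for this page, not part of the MITRE analytic or the Glexia library), the following Python checks each SAML assertion for the expected preceding Event IDs 4769, 1200 or 1202 within a short window, then compares issuer, lifetime and claims against an assumed baseline. The telemetry, the baseline values and the five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Event IDs the analytic expects shortly before a SAML token: 4769 (Kerberos
# service ticket request) and AD FS 1200/1202 (token issuance / validation).
EXPECTED_PRECEDING = {4769, 1200, 1202}
WINDOW = timedelta(minutes=5)  # assumed correlation window
# Assumed per-tenant baseline (constructed, not from the page).
BASELINE = {"issuer": "https://sts.corp.example/adfs/services/trust",
            "max_lifetime": timedelta(hours=1), "claims": {"upn", "groups"}}

# Constructed sample telemetry: (event_id, user, timestamp) preceding events
# and SAML assertions as the identity provider would record them.
EVENTS = [(4769, "alice", "2024-05-01T09:58:10"),
          (1200, "alice", "2024-05-01T09:59:02")]
ASSERTIONS = [
    {"id": "A1", "subject": "alice", "signature_valid": True,
     "issued": "2024-05-01T10:00:00", "expires": "2024-05-01T10:55:00",
     "issuer": BASELINE["issuer"], "claims": ["upn", "groups"]},
    # Suspicious token: valid signature, no upstream auth trail for bob,
    # a 24-hour lifetime and a claim absent from the baseline.
    {"id": "A2", "subject": "bob", "signature_valid": True,
     "issued": "2024-05-01T10:10:00", "expires": "2024-05-02T10:10:00",
     "issuer": BASELINE["issuer"], "claims": ["upn", "groups", "role"]},
]

def review_assertion(assertion, events, baseline=BASELINE, window=WINDOW):
    """Return findings for one assertion: correlation gap plus baseline deviations."""
    issued = datetime.fromisoformat(assertion["issued"])
    seen = {eid for eid, user, ts in events
            if user == assertion["subject"]
            and issued - window <= datetime.fromisoformat(ts) <= issued}
    findings = []
    if assertion["signature_valid"] and not seen & EXPECTED_PRECEDING:
        findings.append("valid signature, no preceding 4769/1200/1202 in window")
    if assertion["issuer"] != baseline["issuer"]:
        findings.append("issuer differs from baseline")
    lifetime = datetime.fromisoformat(assertion["expires"]) - issued
    if lifetime > baseline["max_lifetime"]:
        findings.append(f"lifetime {lifetime} exceeds baseline")
    extra = set(assertion["claims"]) - baseline["claims"]
    if extra:
        findings.append(f"claims not in baseline: {sorted(extra)}")
    return findings

def review_all(assertions=ASSERTIONS, events=EVENTS):
    """Map assertion id -> findings; an empty list means nothing to review."""
    return {a["id"]: review_assertion(a, events) for a in assertions}

if __name__ == "__main__":
    for aid, found in review_all().items():
        print(aid, "OK" if not found else "; ".join(found))
```

A missing preceding event is surfaced for review rather than treated as proof of forgery, since federation flows that never touch Kerberos or a retention gap produce the same absence.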

Mitigation priorities

  • First, ensure identity-provider and authentication logs are enabled, retained, and centrally searchable for SAML and Kerberos correlation.
  • Next, define baselines for expected SAML issuers, claims, and token lifetimes across normal identity-provider flows.
  • Then, build incident response playbooks for investigating validly signed SAML authentications with missing prerequisite authentication evidence.
  • Finally, use findings to strengthen identity governance, audit evidence, and monitoring requirements for federated authentication paths.

Analyst notes and limits

This object is an ATT&CK detection analytic, AN0418, for Identity Provider platforms. The official description focuses on observing forged SAML tokens through correlation gaps and abnormal token properties. No official detection text, tactics, or relationship context were supplied, so this take emphasizes validation of identity telemetry and correlation logic rather than broader adversary behavior.

Assessment is limited to the supplied STIX fields, external reference, and empty relationship context. It does not establish active exploitation, attribution, business impact, or guaranteed detection. Local identity architecture, federation design, logging configuration, and normal authentication patterns are required to determine coverage and alert fidelity.

Official MITRE ATT&CK definition

Analytic 0418

Forged SAML tokens can be observed as authentication attempts with valid signatures but missing expected preceding Kerberos or authentication events. Defenders may correlate SAML assertions with absent Event IDs 4769, 1200, or 1202, or tokens issued with abnormal lifetimes, issuers, or claims compared to baseline.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c4c2b4fc16196b74...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | c4c2b4fc1619…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0418 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.