Dissecting the Golden SAML Attack Used by Attackers Exploiting the SUNBURST Backdoor

Webinar Registration

The SUNBURST backdoor inserted into SolarWinds constitutes the worst ever supply chain attack, but it was just the beginning for organizations actually targeted via SUNBURST. In my webinar on that attack, we pointed out that it gave attackers access to Orion systems on victim networks, and that Orion, by virtue of being a trusted monitoring platform, has privileged access throughout most environments where it’s deployed.

Once you gain control of a system like Orion, you basically have a ticket to ride. And ride they did. Many victims experienced a compromise of their Office 365 email accounts. How did attackers get from Orion — usually running on the on-prem network — to the Microsoft cloud?

They did it via the Golden SAML attack.

The standard ways for organizations to get a single identity between Office 365 and on-prem AD are:

  • Synchronization: Azure AD Connect runs as an on-prem service and projects a copy of the users and groups in your on-prem AD into Azure AD.
  • Federation: Instead of maintaining a copy of users and groups in Azure AD, you set up your Office 365 tenant to rely on your ADFS server to authenticate logons to Office 365 against your on-prem AD on the fly. ADFS issues tokens expressed in Security Assertion Markup Language (SAML).

Golden SAML is an attack against the latter in which the attacker steals the token-signing private key of your ADFS server and uses it to forge a SAML token that, for all intents and purposes, looks like a legitimate token issued by your ADFS server. Office 365 trusts it and allows the attacker to access any Office 365 resource available to the impersonated user — including their mailbox.

In this webinar, I will briefly introduce you to federation and SAML and how they work in Office 365. I will then discuss how attackers exploited selected installations of the SUNBURST backdoor to move laterally to the victim organization’s ADFS server and steal its private key.

Then, joined by the very knowledgeable security researchers Sally Vincent and Dan Kaiser from LogRhythm Labs, we will show you:

  • How a Golden SAML attack works
  • Possible ways to mitigate via preventive controls
  • Methods for detection via SIEM rules and threat hunting
  • What Office 365 logs do and don’t tell us about federated logins

You will see an actual demonstration of the attack by Sally, and we’ll cover the actual event IDs you need to monitor and attempt to correlate across:

  • Domain controllers
  • ADFS servers
  • Office 365 audit log
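The correlation idea behind the session above is that a Golden SAML token is forged offline with the stolen signing key, so the ADFS server never issues it: Office 365 records a successful federated login, but there is no matching token-issuance event on the ADFS side. The following script is an added example, not code from the webinar, LogRhythm Labs, or any vendor product. It joins two constructed log sets (the field names, timestamps, user names and the `auth` values are assumptions; only the relying-party identifier `urn:federation:MicrosoftOnline` is the real one Office 365 federation uses) on user and time window and reports federated logins that no ADFS issuance can account for.

```python
"""Flag Office 365 federated logins with no matching ADFS token issuance.

Detection logic for the Golden SAML pattern: a forged token reaches the cloud
without ever passing through ADFS, so the cloud login has no issuance event
behind it. All records below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Relying-party identifier Office 365 federation uses (real value).
O365_RELYING_PARTY = "urn:federation:MicrosoftOnline"

# Constructed ADFS token-issuance records (field names are assumptions).
ADFS_ISSUANCE = [
    {"time": "2021-01-12T09:00:05Z", "user": "alice@example.com",
     "relying_party": O365_RELYING_PARTY},
    {"time": "2021-01-12T09:30:00Z", "user": "bob@example.com",
     "relying_party": O365_RELYING_PARTY},
    # Issued to a different application, so it must not vouch for an O365 login.
    {"time": "2021-01-12T10:00:00Z", "user": "erin@example.com",
     "relying_party": "urn:some:other-app"},
]

# Constructed Office 365 sign-in records (field names are assumptions).
O365_LOGINS = [
    {"time": "2021-01-12T09:00:12Z", "user": "alice@example.com", "auth": "federated"},
    {"time": "2021-01-12T09:30:09Z", "user": "bob@example.com", "auth": "federated"},
    {"time": "2021-01-12T11:45:00Z", "user": "carol@example.com", "auth": "federated"},
    {"time": "2021-01-12T12:00:00Z", "user": "dave@example.com", "auth": "password"},
    {"time": "2021-01-12T10:00:20Z", "user": "erin@example.com", "auth": "federated"},
]


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def build_issuance_index(issuances, relying_party=O365_RELYING_PARTY):
    """Map lower-cased user -> list of issuance times for the given relying party."""
    index = {}
    for event in issuances:
        if event["relying_party"] != relying_party:
            continue
        index.setdefault(event["user"].lower(), []).append(parse_ts(event["time"]))
    return index


def find_unmatched_federated_logins(logins, issuances,
                                    window=timedelta(minutes=5),
                                    skew=timedelta(seconds=30)):
    """Return federated cloud logins that no ADFS issuance explains.

    A login is explained when the same user received a token for the O365
    relying party between `skew` before and `window` after the login time
    (the small negative tolerance absorbs clock drift between log sources).
    Password logins never go through ADFS and are out of scope.
    """
    index = build_issuance_index(issuances)
    unmatched = []
    for login in logins:
        if login["auth"] != "federated":
            continue
        login_time = parse_ts(login["time"])
        candidates = index.get(login["user"].lower(), [])
        explained = any(-skew <= login_time - issued <= window for issued in candidates)
        if not explained:
            unmatched.append(login)
    return unmatched


def unmatched_users(logins=O365_LOGINS, issuances=ADFS_ISSUANCE):
    """Convenience wrapper returning just the user names to review."""
    return [login["user"] for login in find_unmatched_federated_logins(logins, issuances)]


if __name__ == "__main__":
    for login in find_unmatched_federated_logins(O365_LOGINS, ADFS_ISSUANCE):
        print(f"REVIEW: federated login for {login['user']} at {login['time']} "
              f"has no ADFS issuance for {O365_RELYING_PARTY}")
```

Two caveats matter when turning this into a SIEM rule: a gap in ADFS log collection produces the same "orphan login" signal as a forged token, so the rule needs a health check on the ADFS log feed, and an attacker who already controls the ADFS server can suppress or fabricate issuance events, which is why the session also looks at domain controller and Office 365 audit evidence rather than relying on ADFS logs alone.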

This will be a highly technical session that I think you will really enjoy and benefit from, especially because we expect to see a lot more Golden SAML attacks this year.

LogRhythm is our sponsor for this Real Training for Free event, and you’ll briefly see how their technology, combined with their expert research and knowledge engineering, gives you a leg up in today’s ever-changing threat landscape.

Please join us for this Real Training for Free session.
