Moving Laterally to the Microsoft 365 Cloud using a Simulated Domain Trust Modification Attack

Webinar Registration

The months following last December’s SolarWinds SUNBURST supply chain attack have brought forth plenty of intelligence around the tactics, techniques, and processes used to compromise thousands of organization’s networks. The threat actors, dubbed the APT group UNC2452, were able to not just move laterally within the victim’s on-premises environment, but also jumped from on-prem to their Microsoft 365 tenant.

This hybrid movement can occur via a “Golden SAML” attack, that includes the manipulation of the domain federation trust settings in Azure and potentially within the on-premises AD Federated Services deployment (MITRE ATT&CK technique T1484.002 - Domain Trust Modification) by configuring the domain to accept authorization tokens signed by UNC2452’s SAML signing certificate (technique T1606.002 – Forge Web Credentials: SAML tokens).

In this real-training-for-free session, Microsoft MVP and cybersecurity expert Nick Cavalancia takes my seat, and will first discuss:

The role of ADFS, domain trusts, and certificates
The value of moving laterally from on-prem to the cloud
The potential impact both for the initial and subsequent attacks

Nick will then be joined by Brian Coulson - Threat Research Principal Engineer, Sally Vincent – Threat Research Senior Engineer, and Dan Kaiser – Threat Research Senior Engineer all at LogRhythm, who will provide multiple perspectives while simulating the attack and exploring the log artifacts of the attack from within the LogRhythm SIEM.

Brian, Sally, and Dan will explore how a malicious actor could add a federated domain to a Microsoft 365 tenant and discuss how the addition of the federated domain will enable the attacker’s progression towards their objectives. They will simulate the attack and then consider the attack from the standpoint of threat hunter or detection engineer, examining the log artifacts from Azure and on-premises sources. Finally, they will demonstrate threat hunting and real time detection of this technique in the LogRhythm SIEM.

This real training for free event will be jam packed with technical detail and real-world application. Register today!

First Name:	Required
Last Name:	Required
Work Email:	Required Invalid email address
Phone:	Required
Organization:	Required
Country:	Required
State:	Required
Zip/Postal Code:	Required
Job Title:	RequiredRequired
	Your information will be shared with the sponsor. By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor. Tweet

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.