| ID | Technique | Tactic |
|---|---|---|
| T1078 | Valid Accounts | Defense Evasion |
Detection: AWS SAML Update identity provider
Description
The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the UpdateSAMLProvider event, analyzing fields such as sAMLProviderArn, sourceIPAddress, and userIdentity details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data.
Search
1`cloudtrail` eventName=UpdateSAMLProvider
2| stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId
3| `security_content_ctime(firstTime)`
4| `security_content_ctime(lastTime)`
5|`aws_saml_update_identity_provider_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| AWS CloudTrail UpdateSAMLProvider |  AWS |
'aws:cloudtrail' |
'aws_cloudtrail' |
Macros Used
| Name | Value |
|---|---|
| cloudtrail | sourcetype=aws:cloudtrail |
| aws_saml_update_identity_provider_filter | search * |
aws_saml_update_identity_provider_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.DELIVERY
KillChainPhase.EXPLOITAITON
KillChainPhase.INSTALLATION
NistCategory.DE_CM
Cis18Value.CIS_10
APT18
APT28
APT29
APT33
APT39
APT41
Akira
Axiom
Carbanak
Chimera
Cinnamon Tempest
Dragonfly
FIN10
FIN4
FIN5
FIN6
FIN7
FIN8
Fox Kitten
GALLIUM
INC Ransom
Indrik Spider
Ke3chang
LAPSUS$
Lazarus Group
Leviathan
OilRig
POLONIUM
PittyTiger
Play
Sandworm Team
Silence
Silent Librarian
Star Blizzard
Suckfly
Threat Group-3390
Volt Typhoon
Wizard Spider
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
Known False Positives
Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| User $userIdentity.principalId$ from IP address $sourceIPAddress$ has trigged an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$ | 64 | 80 | 80 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
-
https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
-
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | aws_cloudtrail |
aws:cloudtrail |
| Integration | ✅ Passing | Dataset | aws_cloudtrail |
aws:cloudtrail |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 4