Analytics Story: Cloud Federated Credential Abuse
Description
This analytic story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktops or servers, especially servers that provide federation services such as Windows Active Directory Federation Services (AD FS). Identity federation relies on objects such as OAuth2 tokens, cookies or SAML assertions to provide seamless access between cloud and on-premises environments. If these objects are either hijacked or forged, attackers are able to pivot into the victim's cloud environments.
Why it matters
This story is composed of endpoint-based detection searches that address the use of Mimikatz, escalation of privileges and abnormal processes that may indicate the extraction of federated directory objects such as passwords, OAuth2 tokens, certificates and keys. Cloud environment (AWS, Azure) related events are addressed in dedicated cloud detection searches.
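As an added illustration of the cloud-side correlation this story points at (example code written for this page, not a detection from the Splunk project), the script below joins the two AWS CloudTrail sources the story lists, UpdateSAMLProvider and AssumeRoleWithSAML: a role assumed through a SAML provider whose metadata was changed shortly before is the pattern a forged-assertion scenario would leave. The CloudTrail field names (eventName, eventTime, sourceIPAddress, userIdentity, requestParameters.sAMLProviderArn, requestParameters.principalArn) follow the CloudTrail record format; the sample records and the 24-hour window are constructed assumptions.

```python
"""Correlate AWS CloudTrail UpdateSAMLProvider events with later AssumeRoleWithSAML calls.

Added example, not part of the Splunk analytic story. Field names follow the
CloudTrail record format; the sample records below are constructed and
abbreviated to the fields this logic uses.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

# Constructed sample CloudTrail records (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # the trusted IdP metadata (signing certificate) is replaced
        "eventTime": "2021-01-05T10:00:00Z",
        "eventName": "UpdateSAMLProvider",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/cloudops"},
        "requestParameters": {"sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/ADFS"},
    },
    {   # twelve minutes later an assertion from that provider is exchanged for a privileged role
        "eventTime": "2021-01-05T10:12:00Z",
        "eventName": "AssumeRoleWithSAML",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "SAMLUser"},
        "requestParameters": {
            "principalArn": "arn:aws:iam::123456789012:saml-provider/ADFS",
            "roleArn": "arn:aws:iam::123456789012:role/CloudAdmin",
            "roleSessionName": "jdoe@example.com",
        },
    },
    {   # a routine federated login two days later: outside the window, not flagged
        "eventTime": "2021-01-07T09:00:00Z",
        "eventName": "AssumeRoleWithSAML",
        "sourceIPAddress": "203.0.113.22",
        "userIdentity": {"type": "SAMLUser"},
        "requestParameters": {
            "principalArn": "arn:aws:iam::123456789012:saml-provider/ADFS",
            "roleArn": "arn:aws:iam::123456789012:role/ReadOnly",
            "roleSessionName": "asmith@example.com",
        },
    },
]


def _event_time(record: Dict[str, Any]) -> datetime:
    """Parse the CloudTrail eventTime (ISO 8601 with a 'Z' suffix) into an aware UTC datetime."""
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate_saml_provider_changes(events: List[Dict[str, Any]], window_hours: int = 24) -> List[Dict[str, Any]]:
    """Return one finding per AssumeRoleWithSAML call whose SAML provider was
    modified by UpdateSAMLProvider within the preceding window.

    window_hours is an assumed tuning value; set it from the tenant's normal
    change cadence for identity providers.
    """
    # providerArn -> list of (update time, actor) so several updates can be tracked
    updates: Dict[str, List] = {}
    for rec in events:
        if rec.get("eventName") == "UpdateSAMLProvider":
            arn = rec["requestParameters"]["sAMLProviderArn"]
            actor = rec.get("userIdentity", {}).get("arn", "unknown")
            updates.setdefault(arn, []).append((_event_time(rec), actor))

    window = timedelta(hours=window_hours)
    findings: List[Dict[str, Any]] = []
    for rec in events:
        if rec.get("eventName") != "AssumeRoleWithSAML":
            continue
        params = rec["requestParameters"]
        provider = params.get("principalArn")
        when = _event_time(rec)
        # keep only updates that precede this assumption and fall inside the window
        prior = [(t, who) for t, who in updates.get(provider, []) if timedelta(0) <= when - t <= window]
        if not prior:
            continue
        upd_time, actor = max(prior)  # most recent qualifying update
        findings.append({
            "eventTime": rec["eventTime"],
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "providerArn": provider,
            "roleArn": params.get("roleArn"),
            "roleSessionName": params.get("roleSessionName"),
            "providerUpdatedBy": actor,
            "minutesSinceProviderUpdate": int((when - upd_time).total_seconds() // 60),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_saml_provider_changes(SAMPLE_EVENTS):
        print(finding)
```

Each finding carries who changed the provider, which role was assumed and how long after the change, which is what an analyst needs to decide whether the update was a planned certificate rotation or the prelude to a forged assertion. The same join can be expressed over the aws_cloudtrail source in Splunk; the window is the knob to tune against legitimate IdP maintenance.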
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
AWS CloudTrail AssumeRoleWithSAML | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail UpdateSAMLProvider | AWS | aws:cloudtrail | aws_cloudtrail |
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
O365 | N/A | o365:management:activity | o365 |
O365 Add app role assignment grant to user. | N/A | o365:management:activity | o365 |
O365 UserLoginFailed | N/A | o365:management:activity | o365 |
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |
References
- https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
Source: GitHub | Version: 1