Analytics Story: Cloud Federated Credential Abuse

Description

This analytic story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktops or servers, especially servers that provide federation services such as Windows Active Directory Federation Services (AD FS). Identity federation relies on objects such as OAuth2 tokens, cookies or SAML assertions to provide seamless access between cloud and perimeter environments. If these objects are hijacked or forged, attackers can pivot into the victim's cloud environments.

Why it matters

This story is composed of endpoint-based detection searches that address the use of Mimikatz, privilege escalation and abnormal processes that may indicate the extraction of federated directory objects such as passwords, OAuth2 tokens, certificates and keys. Cloud environment (AWS, Azure) events are addressed in separate cloud-specific detection searches.

Detections

Name | Technique | Type
AWS SAML Access by Provider User and Principal | Valid Accounts | Anomaly
AWS SAML Update identity provider | Valid Accounts | TTP
O365 Add App Role Assignment Grant User | Cloud Account, Create Account | TTP
O365 Added Service Principal | Cloud Account, Create Account | TTP
O365 Excessive SSO logon errors | Modify Authentication Process | Anomaly
O365 New Federated Domain Added | Cloud Account, Create Account | TTP
Detect Mimikatz Using Loaded Images | LSASS Memory, OS Credential Dumping | TTP
Detect Mimikatz Via PowerShell And EventCode 4703 | LSASS Memory | TTP
Certutil exe certificate extraction | None | TTP
Registry Keys Used For Privilege Escalation | Image File Execution Options Injection, Event Triggered Execution | TTP
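As an added illustration of the kind of anomaly logic behind the "AWS SAML Access by Provider User and Principal" detection (this is example code, not Splunk's own search): baseline the SAML provider, federated user and assumed role triples seen in historical CloudTrail AssumeRoleWithSAML records, then flag triples that appear for the first time in new records. The account id, ARNs, user names and every event record are constructed samples.

```python
"""Added illustration, not Splunk's own search: first-seen anomaly logic in the
spirit of "AWS SAML Access by Provider User and Principal". It baselines the
(SAML provider, federated user, assumed role) triples from historical
CloudTrail AssumeRoleWithSAML records and flags triples first appearing in new
records. Every record here is a constructed sample, not real telemetry."""
from typing import Dict, Iterable, List, Set, Tuple

Triple = Tuple[str, str, str]  # (principalArn, userName, roleArn)

def saml_triples(events: Iterable[Dict]) -> Set[Triple]:
    """Extract (principalArn, userName, roleArn) from AssumeRoleWithSAML events.
    requestParameters.principalArn is the SAML identity provider's ARN."""
    seen: Set[Triple] = set()
    for ev in events:
        if ev.get("eventName") != "AssumeRoleWithSAML":
            continue  # other CloudTrail events (ConsoleLogin, etc.) are ignored
        params = ev.get("requestParameters") or {}
        ident = ev.get("userIdentity") or {}
        triple = (params.get("principalArn", ""), ident.get("userName", ""),
                  params.get("roleArn", ""))
        if all(triple):  # skip malformed records rather than baselining blanks
            seen.add(triple)
    return seen

def first_seen_saml_access(baseline: Iterable[Dict], new: Iterable[Dict]) -> List[Triple]:
    """Triples present in the new events but never seen in the baseline window:
    a provider/user/role combination that has not federated into this account before."""
    return sorted(saml_triples(new) - saml_triples(baseline))

def _event(provider: str, user: str, role: str, name: str = "AssumeRoleWithSAML") -> Dict:
    """Build a minimal constructed CloudTrail record with only the fields used above."""
    return {"eventName": name, "eventSource": "sts.amazonaws.com",
            "userIdentity": {"type": "SAMLUser", "userName": user},
            "requestParameters": {"principalArn": provider, "roleArn": role}}

ACCOUNT = "111122223333"  # constructed account id
PROVIDER = f"arn:aws:iam::{ACCOUNT}:saml-provider/CorpADFS"
READONLY = f"arn:aws:iam::{ACCOUNT}:role/ReadOnly"
ADMIN = f"arn:aws:iam::{ACCOUNT}:role/Admin"
BASELINE = [_event(PROVIDER, "alice@example.com", READONLY),
            _event(PROVIDER, "bob@example.com", READONLY)]
NEW = [_event(PROVIDER, "alice@example.com", READONLY),      # known, not flagged
       _event(PROVIDER, "bob@example.com", ADMIN),           # known user, new role
       _event(PROVIDER, "alice@example.com", READONLY, name="ConsoleLogin")]  # ignored

if __name__ == "__main__":
    for provider, user, role in first_seen_saml_access(BASELINE, NEW):
        print(f"first-seen SAML access: {user} via {provider} assumed {role}")
```

In production the baseline window would come from the aws:cloudtrail index over a longer period than the alerting window; a first-seen triple is an anomaly to triage, not proof of forged assertions.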

Data Sources

Name | Platform | Sourcetype | Source
AWS CloudTrail AssumeRoleWithSAML | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail UpdateSAMLProvider | AWS | aws:cloudtrail | aws_cloudtrail
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
O365 | N/A | o365:management:activity | o365
O365 Add app role assignment grant to user. | N/A | o365:management:activity | o365
O365 UserLoginFailed | N/A | o365:management:activity | o365
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1