Try in Splunk Security Cloud

Description

This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active Directory Federation Services. Identity Federation relies on objects such as Oauth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged then attackers will be able to pivot into victim’s cloud environements.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-01-26
  • Author: Rod Soto, Splunk
  • ID: cecdc1e7-0af2-4a55-8967-b9ea62c0317d

Narrative

This story is composed of detection searches based on endpoint that addresses the use of Mimikatz, Escalation of Privileges and Abnormal processes that may indicate the extraction of Federated directory objects such as passwords, Oauth2 tokens, certificates and keys. Cloud environment (AWS, Azure) related events are also addressed in specific cloud environment detection searches.

Detections

Name Technique Type
AWS SAML Access by Provider User and Principal Valid Accounts Anomaly
AWS SAML Update identity provider Valid Accounts TTP
Certutil exe certificate extraction   TTP
Detect Mimikatz Using Loaded Images LSASS Memory, OS Credential Dumping TTP
Detect Mimikatz Via PowerShell And EventCode 4703 LSASS Memory TTP
O365 Add App Role Assignment Grant User Cloud Account, Create Account TTP
O365 Added Service Principal Cloud Account, Create Account TTP
O365 Excessive SSO logon errors Modify Authentication Process Anomaly
O365 New Federated Domain Added Cloud Account, Create Account TTP
Registry Keys Used For Privilege Escalation Image File Execution Options Injection, Event Triggered Execution TTP

Reference

source | version: 1