As more information about a potential end goal comes to light, recent guidance concerning protecting SAML tokens from both the NSA and Microsoft becomes a higher priority. Gaining a clear picture of who has authorization to different cloud resources is as important as on-premise resources. Managing authorized user activity, following the recommended guidance around SAML, and building detections for anomalous user activity can enable an organization to protect themselves better. One way for threat hunters to detect “Golden SAML” attacks is to compare the security events from the Active Directory Federation Server (ADFS) event ID 1200 and 1202 to the corresponding cloud service provider logs, and note any discrepancies in which the cloud service provider showed a federated authentication, but there was no matching event 1200 and 1202 from the ADFS. That could indicate that a SAML request was forged by an attacker, rather than issued by the ADFS after a successful authentication. Another method that attackers can use to impersonate users is to add a new trusted ADFS domain. To monitor that, look for event ID 307 in the ADFS logs to find federation service configuration change events, and correlate with event ID 510 using the same instance ID to find “Configuration: Type: IssuanceAuthority” where the domain listed as the new authority is unauthorized. Resources for further learning are listed below.
Resources and References:
Using Microsoft 365 Defender to protect against Solorigate
NSA warns of hackers forging cloud authentication information
Detecting Abuse of Authentication Mechanisms (NSA)