Adversaries are using the malicious Golden SAML method to expand the scale of compromise related to the SolarWinds hack. Although security researchers initially considered the SolarWinds Orion software to be the single access vector, further investigation reveals that the Golden SAML technique allows attackers to achieve persistence on any instance within a targeted cloud environment that supports SAML authentication (for example, Azure or AWS).
The Golden SAML method was discovered and described in 2017 by CyberArk researchers. It abuses the SAML 2.0 (Security Assertion Markup Language) protocol, which serves as a core standard for single sign-on (SSO) procedures across all organizational assets supporting Active Directory Federation Services (ADFS). Such services might include business intelligence apps, cloud storage (e.g., SharePoint), time and attendance systems, and email services, all of which are notable points of interest for threat actors. SAML 2.0, in turn, enables convenient authorization for all these apps inside the federation via a standard set of login data tied to the federated identity.
At the first stage of a Golden SAML intrusion, cyber-criminals achieve admin-level rights on the organizational ADFS server. This is required to obtain the SAML private key and the dedicated certificate used to sign tokens. Next, the attackers wait until an employee inside the compromised environment attempts to log in to a federated service (Microsoft 365, vSphere, or another). During the login process, the service sends an AuthnRequest to ADFS and waits until it returns a signed SAML response, or token. If the response is valid, the service confirms the login. During the Golden SAML routine, however, adversaries falsify the SAML response using the stolen private key, which allows them to penetrate the organizational assets. It is worth noting that the access lasts until the ADFS private key is considered invalid, and that is a long period, since private key replacement is a complex procedure. As a result of a successful Golden SAML attack, threat actors gain persistent access to the network at any time, from any location, and with privileges of their choice. It works even if two-factor authentication (2FA) is enabled or the victim changes the login details.
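A response falsified with the stolen key is produced outside ADFS, so the service records a sign-in that has no matching token issuance in the ADFS logs. The following is an added example (not from the original post or from SOC Prime's rules) that correlates the two sources; the record fields, identifiers, time windows, and sample events are all constructed assumptions, and it assumes one issued token backs one sign-in.

```python
from datetime import datetime, timedelta

SP = "urn:example:sp"  # constructed relying-party identifier

# Constructed sample records; field names are assumptions, not a real log schema.
ADFS_ISSUED = [  # token issuances recorded on the ADFS server
    {"time": "2021-01-12T09:00:05", "user": "alice@corp.example", "rp": SP},
    {"time": "2021-01-12T09:30:10", "user": "bob@corp.example", "rp": SP},
]
SP_LOGINS = [  # federated sign-ins recorded by the service provider
    {"time": "2021-01-12T09:00:07", "user": "alice@corp.example", "rp": SP, "src_ip": "198.51.100.10"},
    {"time": "2021-01-12T09:30:12", "user": "bob@corp.example", "rp": SP, "src_ip": "198.51.100.11"},
    {"time": "2021-01-12T09:30:40", "user": "bob@corp.example", "rp": SP, "src_ip": "203.0.113.77"},
    {"time": "2021-01-12T23:41:00", "user": "admin@corp.example", "rp": SP, "src_ip": "203.0.113.77"},
]

def find_unbacked_logins(sp_logins, adfs_issued,
                         window=timedelta(minutes=5), skew=timedelta(seconds=30)):
    """Return service-provider sign-ins that no ADFS issuance accounts for.

    A sign-in is backed when ADFS issued a token for the same user and relying
    party at most `window` before it (or up to `skew` after, for clock drift).
    """
    unused = {}  # (user, relying party) -> issuance times not yet matched
    for ev in adfs_issued:
        key = (ev["user"].lower(), ev["rp"])
        unused.setdefault(key, []).append(datetime.fromisoformat(ev["time"]))

    flagged = []
    for login in sorted(sp_logins, key=lambda e: e["time"]):
        when = datetime.fromisoformat(login["time"])
        pool = unused.get((login["user"].lower(), login["rp"]), [])
        match = next((t for t in sorted(pool) if -skew <= when - t <= window), None)
        if match is None:
            flagged.append(login)   # no issuance left to explain this sign-in
        else:
            pool.remove(match)      # consume it: one token backs one sign-in
    return flagged

if __name__ == "__main__":
    for hit in find_unbacked_logins(SP_LOGINS, ADFS_ISSUED):
        print("no ADFS issuance for", hit["time"], hit["user"], hit["src_ip"])
```

The second sign-in for bob is flagged even though ADFS issued him a token seconds earlier, because that issuance was already consumed by his first sign-in.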
The SolarWinds incident became the first occasion on which the Golden SAML method was used in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) indicates that the SolarWinds Orion platform compromise might not be the single access point in the supply-chain attack. Security researchers support this statement and believe the Golden SAML technique might have been used simultaneously to penetrate a large number of institutions. In particular, Microsoft’s guidelines note increased malicious activity from a nation-state APT actor aimed at high-profile targets in both the public and private sectors. This activity is associated with Golden SAML and results in persistent access to networks and further reconnaissance throughout compromised environments. Therefore, vendors are urged to cut off their SolarWinds instances and are restricted from setting up SolarWinds software for SAML-based authentication via ADFS.
The intrusion is hard to identify, which gave adversaries valuable time to compromise highly sensitive data. Therefore, the SOC Prime team developed a list of Golden SAML Sigma rules. Check the links below to download the rules and be ready to detect malicious activity in time.
Possible Golden SAML Attack Patterns (via sysmon)
Possible Golden SAML Attack Patterns (via audit)
Possible Golden SAML Attack Patterns (via powershell)
Possible Golden SAML Attack Patterns (via cmdline)
On January 15, 2021, we released two more SOC content items that contribute to Golden SAML attack detection. Check out the fresh Sigma rules from our Threat Bounty developer Sittikorn Sangrattanapitak to stay safe.
Certificate Exports on ADFS Server Detected (via name pipe)
Certificate Exports on ADFS Server Detected (via application)
Updates from January 20, 2021:
ADFS Distributed Key Manager Access Requests [possible a part of Golden SAML Attack] (via audit)
Trusted Domains Modification [possible a part of Golden SAML Attack] (via azuread)
Query the Secrets DKM (Distributed Key Manager) Value [possible a part of Golden SAML Attack] (via cmdline)
Updates from January 21, 2021:
ADFS Trust Modification Detection
Subscribe to the Threat Detection Marketplace to reach more than 81,000 SOC content items applicable to the majority of SIEM and EDR solutions. Also, feel free to join our Threat Bounty program to develop your own threat hunting content!