Quick Thread - Golden SAML (I am late to the party, I know) but thought some might find it useful.
Firstly, what is Golden SAML?
One of the major techniques used by the threat actor as part of the SolarWinds attack was compromising the Security Assertion Markup Language
(SAML) signing certificate, using their Active Directory privileges. CISA explained that “once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs)”
The “Golden SAML” attack technique enables attackers to forge SAML responses and bypass ADFS ( https://docs.miniorange.com/articles/what-is-adfs) authentication
to access federated services. The technique was first reported by CyberArk in 2017; the SolarWinds attack is the first time it is known to have been used “in the wild”.
This isn't something which is new either - CyberArk first wrote about this in 2017 - https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps
There are mentions of known issues in SAML as far back as 2005 - https://www.idmworks.com/cyber-security-golden-saml-tool/
So, what do we know now?
Sygnia have a fantastic advisory which contains ways to detect and hunt for Golden SAML attacks - https://www.sygnia.co/golden-saml-advisory
CyberArk have revisited Golden SAML and its connections to the SolarWinds attack - https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection
CyberArk also released a tool back in 2017 which can be used to exploit Golden SAML - this is useful to check that your detections work - https://github.com/cyberark/shimit
The NSA recently released this useful advisory which explains how to mitigate and detect abuse of authentication mechanisms - https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF
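To make the "forge a valid token, then hunt for it" idea concrete, here is an added end-to-end toy, not code from this thread, from CyberArk's shimit, or from the Sygnia/NSA advisories. It models the three parties: the legitimate federation server (ADFS) that authenticates, signs and logs; an attacker who holds the stolen token-signing private key and mints an assertion for any user without ever touching ADFS; and the relying party (the cloud service) whose checks cannot tell the two apart because the signature genuinely verifies. The hunt at the end is the generic correlation idea the advisories describe: every assertion a service accepted should have a matching issuance event on the IdP, and its lifetime should match IdP policy. Assumptions: a seeded textbook RSA-over-SHA-256 stands in for XML-DSig (no canonicalization or enveloped signature), the assertion is a namespace-free SAML-shaped stub, and the issuer URL, audience and user names are placeholders.

```python
"""Added example: toy Golden SAML end to end (forge, accept, hunt). Not real XML-DSig."""
import base64, hashlib, random, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# --- toy textbook RSA over SHA-256 (stdlib only; stands in for the ADFS token-signing key) ---
def _is_probable_prime(n, rng, rounds=16):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                       # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand

def gen_toy_keypair(bits=512, seed=1):
    """Returns (public, private); seeded so the walk-through is reproducible. Toy only."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def rsa_sign(data, priv):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    size = (priv["n"].bit_length() + 7) // 8
    return base64.b64encode(pow(h, priv["d"], priv["n"]).to_bytes(size, "big")).decode()

def rsa_verify(data, sig_b64, pub):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(int.from_bytes(base64.b64decode(sig_b64), "big"), pub["e"], pub["n"]) == h

# --- SAML-shaped stub: namespaces and the enveloped <Signature> element are omitted ---
def build_assertion(issuer, subject, audience, issued_at, lifetime):
    aid = "_" + uuid.uuid4().hex
    xml = (f'<Assertion ID="{aid}" IssueInstant="{issued_at.isoformat()}">'
           f"<Issuer>{issuer}</Issuer><Subject><NameID>{subject}</NameID></Subject>"
           f'<Conditions NotOnOrAfter="{(issued_at + lifetime).isoformat()}">'
           f"<AudienceRestriction><Audience>{audience}</Audience></AudienceRestriction>"
           "</Conditions></Assertion>")
    return aid, xml

class ToyIdP:
    """Legitimate federation server: authenticates the user, signs, and logs what it issued."""
    def __init__(self, issuer, priv):
        self.issuer, self.priv, self.issuance_log = issuer, priv, []
    def issue(self, user, audience, now):
        aid, xml = build_assertion(self.issuer, user, audience, now, timedelta(hours=1))
        self.issuance_log.append({"assertion_id": aid, "user": user, "at": now})
        return {"assertion": xml, "signature": rsa_sign(xml.encode(), self.priv)}

def forge_golden_saml(stolen_priv, issuer, victim, audience, now):
    """Attacker path: no password, no MFA, and nothing is written to the IdP's log."""
    _, xml = build_assertion(issuer, victim, audience, now, timedelta(days=365))
    return {"assertion": xml, "signature": rsa_sign(xml.encode(), stolen_priv)}

def relying_party_accept(token, trusted_pub, issuer, audience, now):
    """The cloud service's checks: signature, issuer, audience, validity window.
    None of these can distinguish a forged assertion once the signing key is stolen."""
    xml = token["assertion"]
    if not rsa_verify(xml.encode(), token["signature"], trusted_pub):
        return None
    a = ET.fromstring(xml)
    cond = a.find("Conditions")
    issued = datetime.fromisoformat(a.get("IssueInstant"))
    expires = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if (a.findtext("Issuer") != issuer or cond.findtext("AudienceRestriction/Audience") != audience
            or not issued <= now < expires):
        return None
    return {"assertion_id": a.get("ID"), "user": a.findtext("Subject/NameID"),
            "lifetime": expires - issued}

def hunt_golden_saml(sp_signins, idp_issuance_log, max_lifetime=timedelta(hours=1)):
    """Correlate service-side sign-ins with IdP issuance events; flag what the IdP never issued."""
    issued = {e["assertion_id"] for e in idp_issuance_log}
    findings = []
    for ev in sp_signins:
        reasons = []
        if ev["assertion_id"] not in issued:
            reasons.append("no matching IdP issuance event")
        if ev["lifetime"] > max_lifetime:
            reasons.append("lifetime exceeds IdP policy")
        if reasons:
            findings.append({"user": ev["user"], "reasons": reasons})
    return findings

def demo():
    pub, priv = gen_toy_keypair()                 # priv is what the attacker has stolen
    now = datetime(2020, 12, 20, 12, 0, tzinfo=timezone.utc)
    issuer, aud = "http://sts.corp.example/adfs/services/trust", "urn:federation:MicrosoftOnline"
    idp = ToyIdP(issuer, priv)
    legit = idp.issue("alice@corp.example", aud, now)
    forged = forge_golden_saml(priv, issuer, "admin@corp.example", aud, now)
    signins = [relying_party_accept(t, pub, issuer, aud, now) for t in (legit, forged)]
    tampered = {"assertion": forged["assertion"].replace("admin@", "other@"),
                "signature": forged["signature"]}          # signature no longer matches
    return {"accepted": [s["user"] for s in signins],
            "tampered_accepted": relying_party_accept(tampered, pub, issuer, aud, now) is not None,
            "findings": hunt_golden_saml(signins, idp.issuance_log)}

if __name__ == "__main__":
    print(demo())
```

The point the run makes is the one CISA and Sygnia make: the forged assertion passes every check the service can perform, so detection has to come from the IdP side (an accepted assertion with no corresponding issuance event, or with a lifetime ADFS would never have granted), not from the relying party. In a real environment the "issuance log" is the ADFS token-issuance audit events and the "sign-in log" is the cloud provider's sign-in records; the join key is the assertion ID and timestamp, and the shimit tool mentioned above is a convenient way to generate a forged token to confirm that join actually fires.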
There is a BrightTalk webcast from 2018 - https://www.brighttalk.com/webcast/13279/298015/golden-saml-are-the-new-golden-tickets which explains Golden SAML and also how to use the shimit tool mentioned above.
There is a Golden SAML research video here from @infenet -
There is a useful thread here - https://twitter.com/MalwareJake/status/1341539076713885697?s=20 which talks about the recently disclosed abuse of SAML by attackers to “bypass” MFA.
If I missed anything, please add it to the thread.
