Detecting GOLDEN SAML Attack
Query
// Detecting GOLDEN SAML Attack
// https://www.linkedin.com/posts/activity-7197102964581310464-5lwT/
// The AADInternals toolkit can be used to perform a Golden SAML attack. This type of attack involves an adversary gaining privileged access to a network, stealing the AD FS certificate, and then using it to impersonate any user within an organization to gain access to resources across various services that use SAML (Security Assertion Markup Language) for authentication
// Custom Defender KQL detection for possible AADInternals toolkit usage:
DeviceNetworkEvents
| where ActionType == @"HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = ConnectInfo.host
| where HttpHost contains "any.sts" or HttpHost contains "korvatunturi.fi"
// MITRE ATT&CK Mapping
// Based on the analysis, this query can be associated with the following MITRE ATT&CK techniques:
// T1071.001 - Application Layer Protocol: Web Protocols:
// This technique involves adversaries using web protocols to communicate with compromised systems to avoid detection/network filtering by blending in with normal traffic1.
// T1071 - Application Layer Protocol:
// This broader category includes the use of application layer protocols for command and control1.
// T1040 - Network Sniffing:
// The inspection of HTTP connections can be related to network sniffing, where adversaries capture network traffic to obtain information1.
// T1070.004 - Indicator Removal on Host: File Deletion:
// Although not directly related to the query, inspecting HTTP connections might be part of a broader strategy to detect and prevent adversaries from removing indicators on the host1.Explanation
This query is designed to detect potential Golden SAML attacks, which are a type of cyberattack where an attacker gains unauthorized access to a network by stealing a certificate from Active Directory Federation Services (AD FS). The attacker then uses this certificate to impersonate any user within the organization, allowing them to access various services that use SAML for authentication.
The query specifically looks for network events where HTTP connections are inspected. It checks if the host in these connections contains specific strings ("any.sts" or "korvatunturi.fi"), which might indicate the use of the AADInternals toolkit, a tool that can facilitate such attacks.
The query is mapped to several MITRE ATT&CK techniques:
-
T1071.001 - Application Layer Protocol: Web Protocols: This technique involves using web protocols to communicate with compromised systems, blending in with normal traffic to avoid detection.
-
T1071 - Application Layer Protocol: This broader category includes using application layer protocols for command and control purposes.
-
T1040 - Network Sniffing: The inspection of HTTP connections can be related to network sniffing, where attackers capture network traffic to gather information.
-
T1070.004 - Indicator Removal on Host: File Deletion: Although not directly related to the query, inspecting HTTP connections might be part of a strategy to detect and prevent attackers from removing evidence of their activities on the host.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators