forked from splunk/security_content
cloud_federated_credential_abuse.yml
name: Cloud Federated Credential Abuse
id: cecdc1e7-0af2-4a55-8967-b9ea62c0317d
version: 1
date: '2021-01-26'
author: Rod Soto, Splunk
description: This analytic story addresses events that indicate abuse of cloud federated
  credentials. These credentials are usually extracted from endpoint desktops or servers,
  especially servers that provide federation services such as Windows Active Directory
  Federation Services. Identity federation relies on objects such as OAuth2 tokens,
  cookies or SAML assertions in order to provide seamless access between cloud and
  perimeter environments. If these objects are either hijacked or forged, attackers
  will be able to pivot into the victim's cloud environment.
narrative: This story is composed of endpoint-based detection searches that address
  the use of Mimikatz, escalation of privileges and abnormal processes that may indicate
  the extraction of federated directory objects such as passwords, OAuth2 tokens,
  certificates and keys. Cloud environment (AWS, Azure) related events are also addressed
  in specific cloud environment detection searches.
references:
- https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
tags:
  analytic_story: Cloud Federated Credential Abuse
  category:
  - Cloud Security
  usecase: Security Monitoring
  product:
  - Splunk Security Analytics for AWS
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud