I Want The Log I Can’t Have

SANS Digital Forensics and Incident Response
I was fascinated when I read during the Solorigate attack that an adversary utilized Golden SAML to gain access to Azure and Office 365 cloud resources. At the time, I was developing an adversary emulation for a blue team capture the flag event, and I decided I should make this a key pillar of the emulation so others could experience it.

If you're like me, you have spent some portion of your career working with events generated from on-premises systems. With the move toward the cloud, I noticed that logs that I took for granted and expected to have were no longer available. There is a lot of great content around the Golden SAML attack, but less focus has been paid to the visibility that a defender has once the signing key has been extracted. The intent of this talk is to drive greater awareness of what the defender will see (and, more importantly, what they will not see) when a signing key certificate is extracted, a SAML token is forged, and an access token is utilized in an Azure AD / M365 environment.

Attendees will come away with:

- A better understanding of what a Golden SAML attack looks like
- A greater awareness of what they will have available for analysis from Azure AD and Office 365 logging
- Ideas for detections that can be applied to monitor for these kinds of activities
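The visibility gap the abstract describes is also the detection opportunity: a token forged with a stolen signing key is never issued by the on-premises AD FS server, so the federation service writes no issuance event for it, while the cloud side still records an ordinary federated sign-in. The following is an added example (not material from the talk or from SANS) that correlates the two log sources and flags federated sign-ins with no matching AD FS token issuance. It assumes a simplified, JSON-lines export of Azure AD sign-in records carrying a tokenIssuerType field (the value ADFederationServices for AD FS-issued tokens) and of AD FS Admin log events, where Event ID 1200 records that the Federation Service issued a valid token; matching a DOMAIN\sam account to a UPN by local part, the 10-minute window for clock skew and log-shipping delay, and all log lines are constructed for illustration.

```python
"""Flag federated Azure AD sign-ins that have no matching AD FS token issuance.

Added example for the "log I can't have" gap: a Golden SAML token is forged
offline with a stolen signing key, so AD FS never logs issuing it, but the
cloud still records a normal federated sign-in. Field names follow a
simplified sign-in log export and AD FS Admin events (assumed schema).
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

FEDERATED_ISSUER = "ADFederationServices"  # assumed tokenIssuerType for AD FS-issued tokens
ADFS_TOKEN_ISSUED = 1200                    # AD FS Admin log: Federation Service issued a valid token

# Constructed sample data: one legitimate federated sign-in (alice, 09:00),
# one cloud-native sign-in (carol, out of scope), and two federated sign-ins
# with no AD FS issuance behind them (bob, and alice again late at night).
CLOUD_SIGNINS = """\
{"userPrincipalName":"alice@corp.example","createdDateTime":"2023-08-14T09:00:07Z","tokenIssuerType":"ADFederationServices","appDisplayName":"Office 365 Exchange Online"}
{"userPrincipalName":"carol@corp.example","createdDateTime":"2023-08-14T09:15:00Z","tokenIssuerType":"AzureAD","appDisplayName":"Azure Portal"}
{"userPrincipalName":"bob@corp.example","createdDateTime":"2023-08-14T14:32:10Z","tokenIssuerType":"ADFederationServices","appDisplayName":"Microsoft Graph"}
{"userPrincipalName":"alice@corp.example","createdDateTime":"2023-08-14T23:41:55Z","tokenIssuerType":"ADFederationServices","appDisplayName":"Office 365 Exchange Online"}
"""

ADFS_EVENTS = """\
{"EventID":1202,"TimeCreated":"2023-08-14T09:00:01Z","UserId":"CORP\\\\alice"}
{"EventID":1200,"TimeCreated":"2023-08-14T09:00:02Z","UserId":"CORP\\\\alice"}
"""


@dataclass(frozen=True)
class CloudSignIn:
    user: str
    when: datetime
    issuer_type: str
    app: str


@dataclass(frozen=True)
class AdfsEvent:
    user: str
    when: datetime
    event_id: int


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _ident(user: str) -> str:
    """Normalise 'CORP\\alice' and 'alice@corp.example' to 'alice' (simplifying assumption)."""
    return user.rsplit("\\", 1)[-1].split("@", 1)[0].lower()


def parse_cloud(jsonl: str) -> list[CloudSignIn]:
    return [
        CloudSignIn(r["userPrincipalName"], _ts(r["createdDateTime"]),
                    r["tokenIssuerType"], r["appDisplayName"])
        for r in map(json.loads, jsonl.splitlines()) if r
    ]


def parse_adfs(jsonl: str) -> list[AdfsEvent]:
    return [
        AdfsEvent(r["UserId"], _ts(r["TimeCreated"]), int(r["EventID"]))
        for r in map(json.loads, jsonl.splitlines()) if r
    ]


def find_orphan_federated_signins(cloud: list[CloudSignIn], adfs: list[AdfsEvent],
                                  window: timedelta = timedelta(minutes=10)) -> list[CloudSignIn]:
    """Return federated sign-ins with no AD FS 1200 event for the same user within +/- window.

    Only issuance events (1200) count; credential validation (1202) alone does
    not prove a token was issued. The window is symmetric to tolerate clock
    skew between the AD FS server and the cloud as well as log-shipping delay.
    """
    issued: dict[str, list[datetime]] = {}
    for e in adfs:
        if e.event_id == ADFS_TOKEN_ISSUED:
            issued.setdefault(_ident(e.user), []).append(e.when)

    orphans = []
    for s in cloud:
        if s.issuer_type != FEDERATED_ISSUER:
            continue  # cloud-native auth never goes through AD FS; out of scope here
        times = issued.get(_ident(s.user), [])
        if not any(abs(s.when - t) <= window for t in times):
            orphans.append(s)  # accepted by the cloud, never issued on-prem
    return orphans


if __name__ == "__main__":
    for o in find_orphan_federated_signins(parse_cloud(CLOUD_SIGNINS), parse_adfs(ADFS_EVENTS)):
        print(f"ORPHAN federated sign-in: {o.user} at {o.when.isoformat()} to {o.app}")
```

The absence of the 1200 event is the signal, so the check is only as good as the completeness of the AD FS log collection: a gap in forwarding from any AD FS node in the farm will produce the same orphan pattern, and those false positives should be ruled out against collector health before treating a hit as a forged token.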

SANS DFIR Summit 2023

Speaker: John Stoner, Global Principal Security Strategist, Google Cloud
