The Golden SAML Attack: A Step-by-Step Guide.
Golden SAML was one of the major techniques the threat actor used in the SolarWinds attack: they used their Active Directory privileges to compromise the SAML signing certificate.
An attacker must first gain administrative access to the ADFS server and extract the necessary certificate and private key to successfully leverage Golden SAML.
Once these privileges are obtained, the attack will proceed according to the following steps:
Initial Access and Key Extraction: The attacker first accesses the ADFS (Active Directory Federation Services) server and extracts the private key and certificate.
Targeting Services (e.g., Microsoft Office): The user (in this case, the attacker) attempts to access a federated service, such as Microsoft Office.
Redirection for Authentication: The Service Provider (SP) redirects the attacker to ADFS for authentication.
Authentication Bypass and Forged SAML Response: Here's where the "golden" aspect comes into play. The attacker bypasses ADFS #authentication by signing a forged #SAML response using the stolen certificate and key.
Gaining Access: This forged SAML response is then presented to the desired service, granting the attacker access.
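The steps above explain why a forged token passes the service provider's signature check: it is signed with the real key. What a forged token cannot have is a matching token-issuance record on the ADFS server, because it was signed offline. The detection below, added here as an example and not code from the original post or from any vendor, correlates service-provider sign-ins with identity-provider issuance events and also flags assertions whose validity window exceeds policy. The log records and field names are constructed and simplified for the example; they are not real ADFS or Microsoft 365 log schemas.

```python
"""Flag SAML sign-ins at a service provider (SP) that have no matching
token-issuance event at the identity provider (ADFS), or whose validity
window is longer than policy allows.

All records below are constructed sample data with simplified fields;
they do not reproduce a real ADFS or SP log format."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class IdpIssuance:
    """One token-issuance audit record from the identity provider."""
    issued_at: datetime
    user: str
    assertion_id: str
    audience: str


@dataclass(frozen=True)
class SpSignIn:
    """One sign-in record at the service provider, with the assertion's
    NotBefore / NotOnOrAfter conditions as parsed from the SAML response."""
    seen_at: datetime
    user: str
    assertion_id: str
    audience: str
    not_before: datetime
    not_on_or_after: datetime


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data: two legitimate sign-ins and one with no IdP record.
IDP_LOG = [
    IdpIssuance(_ts("2024-01-10T09:00:05"), "alice@example.com", "_a1", "urn:sp:mail"),
    IdpIssuance(_ts("2024-01-10T09:30:00"), "bob@example.com", "_b1", "urn:sp:mail"),
]
SP_LOG = [
    SpSignIn(_ts("2024-01-10T09:00:07"), "alice@example.com", "_a1", "urn:sp:mail",
             _ts("2024-01-10T09:00:05"), _ts("2024-01-10T10:00:05")),
    SpSignIn(_ts("2024-01-10T09:30:03"), "bob@example.com", "_b1", "urn:sp:mail",
             _ts("2024-01-10T09:30:00"), _ts("2024-01-10T10:30:00")),
    # No issuance event exists for this assertion, and it is valid for 10 hours.
    SpSignIn(_ts("2024-01-10T11:15:00"), "admin@example.com", "_z9", "urn:sp:mail",
             _ts("2024-01-10T11:00:00"), _ts("2024-01-10T21:00:00")),
]

# Policy thresholds: assumed values, tune to the environment.
CORRELATION_WINDOW = timedelta(minutes=5)
MAX_TOKEN_LIFETIME = timedelta(hours=1)


def find_unissued_sign_ins(sp_log: Iterable[SpSignIn], idp_log: Iterable[IdpIssuance],
                           window: timedelta = CORRELATION_WINDOW) -> List[SpSignIn]:
    """Return SP sign-ins whose (user, assertion id, audience) has no IdP
    issuance event at most `window` before the SP saw the token."""
    issued = {(i.user, i.assertion_id, i.audience): i.issued_at for i in idp_log}
    findings = []
    for s in sp_log:
        issued_at = issued.get((s.user, s.assertion_id, s.audience))
        if issued_at is None or not (timedelta(0) <= s.seen_at - issued_at <= window):
            findings.append(s)
    return findings


def find_overlong_tokens(sp_log: Iterable[SpSignIn],
                         max_lifetime: timedelta = MAX_TOKEN_LIFETIME) -> List[SpSignIn]:
    """Return sign-ins whose assertion validity window exceeds policy."""
    return [s for s in sp_log if s.not_on_or_after - s.not_before > max_lifetime]


def report(sp_log: Iterable[SpSignIn], idp_log: Iterable[IdpIssuance]) -> Dict[str, List[str]]:
    """Map each suspicious assertion id to the list of reasons it was flagged."""
    sp_log = list(sp_log)
    reasons: Dict[str, List[str]] = {}
    for s in find_unissued_sign_ins(sp_log, idp_log):
        reasons.setdefault(s.assertion_id, []).append("no_idp_issuance")
    for s in find_overlong_tokens(sp_log):
        reasons.setdefault(s.assertion_id, []).append("lifetime_exceeds_policy")
    return reasons


if __name__ == "__main__":
    for assertion_id, why in report(SP_LOG, IDP_LOG).items():
        print(f"{assertion_id}: {', '.join(why)}")
```

The correlation key deliberately includes the audience as well as the user, so a token issued for one relying party but presented to another is also flagged. In production the issuance side would come from ADFS audit logging and the SP side from the cloud service's sign-in logs, and clock skew between the two sources should be folded into the correlation window.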
Reco's AI-driven platform effectively combats Golden SAML attacks by enhancing visibility and control in SaaS environments, utilizing key features like Identity & Access Governance and SaaS Detection & Response to prevent unauthorized access and certificate exploitation.