Query Details

Detecting GOLDEN SAML Attack

Query

// Detecting GOLDEN SAML Attack
// https://www.linkedin.com/posts/activity-7197102964581310464-5lwT/

// The AADInternals toolkit can be used to perform a Golden SAML attack. In this attack an adversary who has gained privileged access to the network steals the AD FS token-signing certificate and uses it to forge SAML (Security Assertion Markup Language) tokens, impersonating any user in the organization against every service that trusts AD FS for SAML authentication.
// Custom Defender KQL detection for possible AADInternals toolkit usage:

DeviceNetworkEvents
// Only HTTP connections that Defender for Endpoint actually inspected carry the host/uri details
| where ActionType == @"HttpConnectionInspected"
// AdditionalFields is a JSON string; parse it into a dynamic object
| extend ConnectInfo = todynamic(AdditionalFields)
// Pull the HTTP Host header out as a string so the match below is on text, not a dynamic value
| extend HttpHost = tostring(ConnectInfo.host)
// contains is a case-insensitive substring match against hosts associated with the toolkit
| where HttpHost contains "any.sts" or HttpHost contains "korvatunturi.fi"
// Keep the columns needed for triage: who, where, and which process made the connection
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, HttpHost, RemoteIP, RemoteUrl

Explanation

This KQL query is designed to detect potential Golden SAML attacks, specifically those that might involve the AADInternals toolkit. Here's a summary of what the query does:

  1. Source Table: It looks at network events from devices (DeviceNetworkEvents).
  2. Filter by Action Type: It keeps only events whose action type is HttpConnectionInspected, i.e. HTTP connections that Defender for Endpoint inspected; other connection events do not carry the HTTP host.
  3. Parse Additional Fields: It parses the AdditionalFields JSON string into a dynamic object with todynamic() and reads its host property into HttpHost.
  4. Filter by Host: It keeps only events whose HttpHost contains either "any.sts" or "korvatunturi.fi". In KQL, contains is a case-insensitive substring match, so "ANY.STS" and "sts.korvatunturi.fi" both match.

In essence, this query identifies network connections that might indicate the use of the AADInternals toolkit for a Golden SAML attack by looking for HTTP hosts associated with that toolkit. A match is an indicator that toolkit infrastructure was contacted, not proof that a Golden SAML attack took place: the device, the initiating process and the account behind each hit should be investigated, and the detection will miss toolkit usage whose traffic is not inspected as HttpConnectionInspected events.
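To show how the four steps above behave on concrete rows, here is the same detection logic re-implemented in plain Python and run over a handful of constructed DeviceNetworkEvents-style records. This is an added example, not code from the original page or from the query's author; the event rows, device names and timestamps are made up, and the toolkit host fragments are the two from the query above. It mirrors the KQL semantics that matter for correctness: only HttpConnectionInspected rows are considered, AdditionalFields is parsed as JSON, a missing or malformed host yields an empty string (as todynamic(...).host does in KQL), and the substring match is case-insensitive like KQL's contains.

```python
"""Offline re-implementation of the page's KQL detection (added example).

Sample events below are CONSTRUCTED, not real Defender telemetry.
"""
import json

# Host fragments from the page's query; KQL `contains` is case-insensitive.
SUSPICIOUS_HOST_FRAGMENTS = ("any.sts", "korvatunturi.fi")

# Constructed rows shaped like DeviceNetworkEvents. AdditionalFields is a
# JSON string, which is exactly what the KQL feeds to todynamic().
SAMPLE_EVENTS = [
    {   # inspected HTTP connection to a toolkit host, upper-case on purpose
        "Timestamp": "2024-08-01T10:15:00Z", "DeviceName": "ws01.contoso.local",
        "ActionType": "HttpConnectionInspected",
        "InitiatingProcessFileName": "powershell.exe",
        "AdditionalFields": json.dumps(
            {"direction": "Out", "host": "ANY.STS", "method": "GET", "uri": "/"}),
    },
    {   # benign inspected connection: must not match
        "Timestamp": "2024-08-01T10:16:00Z", "DeviceName": "ws02.contoso.local",
        "ActionType": "HttpConnectionInspected",
        "InitiatingProcessFileName": "msedge.exe",
        "AdditionalFields": json.dumps(
            {"direction": "Out", "host": "www.example.com", "method": "GET", "uri": "/"}),
    },
    {   # wrong ActionType: skipped even though the host would match
        "Timestamp": "2024-08-01T10:17:00Z", "DeviceName": "ws03.contoso.local",
        "ActionType": "ConnectionSuccess",
        "InitiatingProcessFileName": "powershell.exe",
        "AdditionalFields": json.dumps({"host": "login.korvatunturi.fi"}),
    },
    {   # inspected connection with no host field: HttpHost is empty
        "Timestamp": "2024-08-01T10:18:00Z", "DeviceName": "ws04.contoso.local",
        "ActionType": "HttpConnectionInspected",
        "InitiatingProcessFileName": "svchost.exe",
        "AdditionalFields": "{}",
    },
    {   # subdomain of the second toolkit host: substring match catches it
        "Timestamp": "2024-08-01T10:19:00Z", "DeviceName": "ws05.contoso.local",
        "ActionType": "HttpConnectionInspected",
        "InitiatingProcessFileName": "powershell.exe",
        "AdditionalFields": json.dumps(
            {"direction": "Out", "host": "sts.korvatunturi.fi", "method": "POST", "uri": "/adfs/ls/"}),
    },
]


def extract_http_host(event):
    """Mirror `tostring(todynamic(AdditionalFields).host)`.

    Returns "" when the JSON is malformed or has no host, which is what the
    KQL expression evaluates to in those cases.
    """
    try:
        fields = json.loads(event.get("AdditionalFields") or "{}")
    except json.JSONDecodeError:
        return ""
    host = fields.get("host") if isinstance(fields, dict) else None
    return str(host) if host is not None else ""


def is_suspicious_host(host):
    """Case-insensitive substring match, like KQL `contains`."""
    lowered = host.lower()
    return any(fragment in lowered for fragment in SUSPICIOUS_HOST_FRAGMENTS)


def detect_golden_saml_tooling(events):
    """Apply the query's filters and return the triage columns for each hit."""
    hits = []
    for event in events:
        if event.get("ActionType") != "HttpConnectionInspected":
            continue
        host = extract_http_host(event)
        if is_suspicious_host(host):
            hits.append({
                "Timestamp": event.get("Timestamp"),
                "DeviceName": event.get("DeviceName"),
                "InitiatingProcessFileName": event.get("InitiatingProcessFileName"),
                "HttpHost": host,
            })
    return hits


if __name__ == "__main__":
    for hit in detect_golden_saml_tooling(SAMPLE_EVENTS):
        print(hit)
```

Running it flags ws01 (upper-case host) and ws05 (a subdomain), and ignores the ConnectionSuccess row and the row with no host, which is the behaviour the KQL has in Defender. Because the match is a substring match, an unrelated host that merely contains "any.sts" would also match; if that produces noise in a real tenant, tighten the comparison with endswith or an exact equality against the known hosts.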

Details


Steven Lim

Released: August 2, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, HttpConnectionInspected, AdditionalFields, HttpHost

Operators

DeviceNetworkEvents, |, where, ==, @, extend, =, todynamic, contains, or
