[APAC] Dissecting Golden SAML attack attackers used to exploit SUNBURST backdoor

Presented by

Randy Franklin Smith, Sally Vincent, and Dan Kaiser

About this talk

In this on-demand webinar, Randy Franklin Smith briefly introduces you to federation and SAML and how it works in Office 365. Then he will discuss how attackers exploited selected installations of the SUNBURST backdoor to laterally move to the victim organization’s ADFS server and stole its private key. Then, joined by the very knowledgeable security researchers Sally Vincent and Dan Kaiser from LogRhythm Labs, we will show you •How a Golden SAML attack works •Possible ways to mitigate via preventive controls •Methods for detection via SIEM rules and threat hunting •What Office 365 logs do and don’t tell us about federated logins You will see an actual demonstration of an attack by Sally, and we’ll cover the actual event IDs you need to monitor and attempt to correlate from: •Domain controllers •ADFS servers •Office 365 audit log This is a highly technical session we think you will really enjoy and benefit from. Especially because we expect to see a lot more Golden SAML attacks this year. Watch on-demand now!
Related topics:

More from this channel

Upcoming talks (5)
On-demand talks (262)
Subscribers (77322)
LogRhythm helps security teams stop breaches by turning disconnected data and signals into trustworthy insights. From connecting the dots across diverse log and threat intelligence sources to using sophisticated machine learning that spots suspicious anomalies in network traffic and user behavior, LogRhythm accurately pinpoints cyberthreats and empowers professionals to respond with speed and efficiency. With cloud-native and self-hosted deployment flexibility, out-of-the-box integrations, and advisory services, LogRhythm makes it easy to realize value quickly and adapt to an ever-evolving threat landscape. Together, LogRhythm and our customers confidently monitor, detect, investigate, and respond to cyberattacks. Learn more at logrhythm.com