InfoTechTarget and Informa Tech's Digital Businesses Combine.

Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.

Moving Laterally to the O365 Cloud Using a Domain Trust Modification Attack

Presented by

Nick Cavalancia, Dan Kaiser, Brian Coulson, and Sally Vincent

About this talk

The months following last December’s SolarWinds SUNBURST supply chain attack have brought forth plenty of intelligence around the tactics, techniques, and processes used to compromise thousands of organization’s networks. The threat actors, dubbed the APT group UNC2452, were able to not just move laterally within the victim’s on-premises environment, but also jumped from on-prem to their Microsoft 365 tenant. This hybrid movement can occur via a “Golden SAML” attack, that includes the manipulation of the domain federation trust settings in Azure and potentially within the on-premises AD Federated Services deployment (MITRE ATT&CK technique T1484.002 - Domain Trust Modification) by configuring the domain to accept authorization tokens signed by UNC2452’s SAML signing certificate (technique T1606.002 – Forge Web Credentials: SAML tokens). In this on-demand webinar, Microsoft MVP and cybersecurity expert Nick Cavalancia will first discuss: - The role of ADFS, domain trusts, and certificates - The value of moving laterally from on-prem to the cloud - The potential impact both for the initial and subsequent attacks Nick is then joined by Brian Coulson - Threat Research Principal Engineer, Sally Vincent – Threat Research Senior Engineer, and Dan Kaiser – Threat Research Senior Engineer all at LogRhythm, who provide multiple perspectives while simulating the attack and exploring the log artifacts of the attack from within the LogRhythm SIEM. Brian, Sally, and Dan will explore how a malicious actor could add a federated domain to a Microsoft 365 tenant and discuss how the addition of the federated domain will enable the attacker’s progression towards their objectives. They will simulate the attack and then consider the attack from the standpoint of threat hunter or detection engineer, examining the log artifacts from Azure and on-premises sources. Finally, they will demonstrate threat hunting and real time detection of this technique in the LogRhythm SIEM.
Exabeam

Exabeam

82477 subscribers67 talks
Better Security. Faster Results.
Exabeam is a leader in intelligence and automation that powers security operations for the world’s smartest companies. As a global cybersecurity leader, Exabeam provides industry-proven, security-focused, and flexible solutions for faster, more accurate threat detection, investigation, and response (TDIR). Cutting-edge technology enhances security operations center performance, optimizing workflows and accelerating time to resolution. With consistent leadership in AI innovation and a proven track record in security information and event management (SIEM) and user behavior analytics, Exabeam empowers global security teams to combat cyberthreats, mitigate risk, and streamline operations. Learn more at www.exabeam.com.
Related topics
Cyber Security
SIEM
Threat Detection
Threat Hunting
Microsoft
Attack Vectors
Cyber Attacks
Cloud
Security
IT Security