[APAC] Moving Laterally to O365 Cloud Using a Domain Trust Modification Attack

The months following last December’s SolarWinds SUNBURST supply chain attack have brought forth plenty of intelligence around the tactics, techniques, and processes used to compromise thousands of organization’s networks. The threat actors, dubbed the APT group UNC2452, moved laterally within the victim’s on-premises environment and jumped to their Microsoft 365 tenant. This hybrid movement can occur via a “Golden SAML” attack, that includes the manipulation of the domain federation trust settings in Azure and potentially within the on-premises AD Federated Services deployment (MITRE ATT&CK technique T1484.002 - Domain Trust Modification) by configuring the domain to accept authorization tokens signed by UNC2452’s SAML signing certificate (technique T1606.002 – Forge Web Credentials: SAML tokens). In the first part, Microsoft MVP and cybersecurity expert Nick Cavalancia discusses: - The role of ADFS, domain trusts, and certificates - The value of moving laterally from on-prem to the cloud - The potential impact both for the initial and subsequent attacks Brian Coulson - Threat Research Principal Engineer, Sally Vincent and Dan Kaiser, both Threat Research Senior Engineers all at LogRhythm, then provide multiple perspectives while simulating the attack and exploring log artifacts of the attack from within the LogRhythm SIEM. Brian, Sally, and Dan explore how a malicious actor could add a federated domain to a Microsoft 365 tenant and discuss how the addition of the federated domain will enable the attacker’s progression towards their objectives. They simulate the attack and consider the attack from the standpoint of threat hunter or detection engineer, examining the log artifacts from Azure and on-premises sources. Finally, they demonstrate threat hunting and real time detection of this technique in the LogRhythm SIEM.