Dissecting the Golden SAML Attack Used by Attackers Exploiting SUNBURST Backdoor

Logo
Presented by

Randy Franklin Smith, Sally Vincent, and Dan Kaiser

About this talk

In this on-demand webinar, Randy Franklin Smith briefly introduces you to federation and SAML and how it works in Office 365. Then he will discuss how attackers exploited selected installations of the SUNBURST backdoor to laterally move to the victim organization’s ADFS server and stole its private key. Then, joined by the very knowledgeable security researchers Sally Vincent and Dan Kaiser from LogRhythm Labs, we will show you •How a Golden SAML attack works •Possible ways to mitigate via preventive controls •Methods for detection via SIEM rules and threat hunting •What Office 365 logs do and don’t tell us about federated logins You will see an actual demonstration of an attack by Sally, and we’ll cover the actual event IDs you need to monitor and attempt to correlate from: •Domain controllers •ADFS servers •Office 365 audit log This is a highly technical session we think you will really enjoy and benefit from. Especially because we expect to see a lot more Golden SAML attacks this year. Watch on-demand now!

Related topics:

More from this channel

Upcoming talks (1)
On-demand talks (202)
Subscribers (67863)
LogRhythm helps busy and lean security operations teams save the day—day after day. There’s a lot riding on the shoulders of security professionals—the reputation and success of their company, the safety of citizens and organizations across the globe, the security of critical resources—the weight of protecting the world. LogRhythm helps lighten this load. The company is on the frontlines defending against many of the world’s most significant cyberattacks and empowers security teams to navigate an ever-changing threat landscape with confidence. As allies in the fight, LogRhythm combines a comprehensive and flexible security operations platform, technology partnerships, and advisory services to help SOC teams close the gaps.