How does one defend, detect and deter golden SAML attacks?
1 Answer
Several methods could be used to detect them:
- Correlating service provider login events with corresponding authentication events in ADFS and Domain Controllers
- Identifying certificate export events in Active Directory Federation Services
- Customizing SAML response to identify irregular access
- Detecting malicious Active Directory Federation Services trust modification
Those methods are well documented here
And for mitigation, the best you could do is to follow best practice guides and recommendations; Microsoft provides an excellent resource for doing this.
FireEye published a well-detailed paper on the attack and provides some extra guidance on ADFS attack mitigation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452
If not using ADFS this should help.
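As an added example, not part of the answer above, here is a minimal form of the first detection method: every service-provider sign-in should be preceded by an ADFS token-issuance event for the same user, because a golden SAML token is forged with the stolen signing certificate and never passes through ADFS. The log records are constructed, and the field names and the parsing of ADFS audit event 1200 into those fields are assumptions.

```python
"""Flag SP sign-ins that have no matching ADFS token issuance (golden SAML hunt)."""
from datetime import datetime, timedelta

# Constructed sample ADFS security-audit records (assumed field names).
# Event 1200 is the ADFS "valid token issued" audit event.
ADFS_EVENTS = [
    {"ts": "2021-03-01T09:00:05", "event_id": 1200, "user": "alice@corp.example"},
    {"ts": "2021-03-01T09:30:10", "event_id": 1200, "user": "bob@corp.example"},
]

# Constructed sample service-provider sign-in records (assumed field names).
SP_LOGINS = [
    {"ts": "2021-03-01T09:00:08", "user": "alice@corp.example", "src_ip": "10.0.0.5"},
    {"ts": "2021-03-01T11:45:00", "user": "Bob@corp.example", "src_ip": "203.0.113.9"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_uncorrelated_logins(sp_logins, adfs_events, window_seconds=300):
    """Return SP logins with no ADFS issuance for the same user in the window.

    The window covers issuance up to `window_seconds` before the SP login;
    usernames are compared case-insensitively.
    """
    window = timedelta(seconds=window_seconds)
    issued = {}
    for ev in adfs_events:
        if ev["event_id"] == 1200:
            issued.setdefault(ev["user"].lower(), []).append(_parse(ev["ts"]))

    suspicious = []
    for login in sp_logins:
        t = _parse(login["ts"])
        candidates = issued.get(login["user"].lower(), [])
        if not any(t - window <= issued_at <= t for issued_at in candidates):
            suspicious.append(login)
    return suspicious


if __name__ == "__main__":
    for hit in find_uncorrelated_logins(SP_LOGINS, ADFS_EVENTS):
        print("SP login without ADFS token issuance:", hit)
```

A hit is a lead to investigate (clock skew, missing log sources and token lifetime all cause false positives), so tune the window to the assertion lifetime your ADFS actually issues.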