The Mechanics of Golden SAML

The recent compromise at SolarWinds and subsequent targeting of numerous other organizations have focused attention on an Active Directory Federation Services (ADFS) bypass technique called “Golden SAML.” In a golden SAML attack, attackers can gain access to any application that supports SAML authentication (e.g. Azure, AWS, etc.) with any privileges and be any user on the targeted application. This technique was first disclosed by CyberArk in 2017.

What is SAML?

The SAML protocol, or Security Assertion Markup Language, is an open standard for exchanging authentication and authorization data between an identity provider and a service provider. SAML enables Single-Sign On (SSO), meaning users can log in once, and those same credentials can be reused to log into other service providers.

How does it work, you ask? The basic construct is that when a client tries to authenticate with a service provider, they are redirected to an authentication server. Once authenticated, they are provided a cryptographically-signed response that the client provides back to the service provider. Once received, the response is validated thanks to the magic of cryptography.

Here is a nice flow chart from Sygnia:


(Image credited to Sygnia)

Enter: Golden SAML

As with anything, there are some inherent weaknesses in the protocol that can be exploited. The “Golden SAML” attack vector enables an attacker to create a forged SAML “authentication object” and authenticate across every service that uses SAML 2.0 protocol as an SSO mechanism.

This attack vector was first described back in a 2017 blog post by CyberArk. Basically, there are a few things an adversary needs to figure out in order to  use this technique. First, they need access to the certificates used to sign the SAML objects. This generally means they need a foothold into the network and privileged access to extract the certificates. Multiple tools are available that will help extract the needed certificates, including certutil.exe, PowerShell, ADFSDump, and of course Mimikatz.

Sygnia has another great visual of what a Golden SAML attack looks like.

(Image credited to Sygnia)

Now that the adversary has access to the extracted certificates, they can impersonate virtually any user and privilege within an organization. They can also do it from anywhere in the world. Additionally, the adversary will be able to bypass Multi-Factor Authentication (MFA) protections because the actual authentication server is being removed from the process entirely.

Mitigations

Always follow best practice guides and recommendations. If you are using Active Directory Federated Services (ADFS), Microsoft provides an excellent resource for securing it. Considering how critical ADFS is, implementing as many security measures as possible is highly recommended. In particular, leverage a Hardware Security Module (HSM) for generating and storing certificates. HSM has the added benefit of securely storing keys and all cryptographic functions on a physical device, negating the ability for an adversary to extract the private key. Other mitigations include correlating login events with corresponding ADFS authentication events and identifying events involving the export of signing certificate from the ADFS server.

 

Sources:
  1. https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
  2. https://www.sygnia.co/golden-saml-advisory
  3. https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

Freedom’s Forge: A Look Back at American Industry in WWII

Recently I have been working my way through “Freedom’s Forge: How American Business Produced Victory in WWII” by Dr. Arthur Herman. In it, Dr. Herman tells the story of how U.S. business leaders were mobilized to build ships, tanks and weapons faster (and better) than the enemy, leading to victory in WWII. It is a biography of the “arsenal of democracy”, necessary in understanding the link between the US during the great depression and the post-war economic boom.

In 1941, when Roosevelt announced plans to build 50,000 planes a year, Hitler scoffed, saying: “What is America, but beauty queens, millionaires, stupid records, and Hollywood?” But, by the war’s end, Mr. Herman notes, “American businessmen, engineers, production managers, and workers both male and female” had turned out two-thirds of all the military equipment used by the Allies in World War II, including 286,000 warplanes, 86,000 tanks, 8,800 naval vessels, 2.6 million machine guns “and 41 billion rounds of ammunition.”

Holy cow. Imagine what must have been involved in manufacturing 286,000 airplanes, 86,000 thanks, and 8,800 naval vessels.

This monumental output of materiel came as a result of a profound transformation of the American economy, engineered in part by Bill Knudsen (General Motors) and Henry Kaiser (Kaiser Industries). Knudsen was a manufacturing genius who designed the plants and production lines for both Henry Ford and Alfred Sloan of General Motors. Kaiser, on the other hand, was a shipbuilder who had been one of the main contractors for the Hoover Dam. The two were vastly different (and didn’t like each other), but worked together to revolutionize American industry.

I am about 1/3 of the way through the book right now; this is a great read for anyone interested in how American businesses shifted from the consumer economy to wartime production during WWII.

Thoughts on Ransomware

Lately I’ve been interested in ransomware and, to an extent, criminal psychology.  Reports of ransomware have been all over the news, with city governments and public institutions being increasingly targeted. And why not? As far as financially motivated cybercrimes go, it is a very lucrative model. Breaking into a computer is comparatively easy to finding a way to monetize stolen data. Stolen credit cards can be cancelled. Hiding profits from the police can be hard. Financial intermediaries often leave a money trail.

What is clever (albeit devious) about the ransomware model is that it is able to generate profit from data that would otherwise be worthless on the dark web. Will criminals pay top dollar on an underground forum for your puppy photos, files, recipe collection, or family video clips? Doubtful (unless it is Wyatt, but I digress). The very same data that would be worthless to most criminals is of immense value to the people it belongs to. Ransomware exploits this by selling data back to the only person in the world for which it has value.

It is difficult to combat – individuals must bear the costs directly. And it is going to get worse as criminals start to target other industry sectors. How do we combat it? The encrypting variants are the worst culprits because they will encrypt and lock your files – unless you have a backup, you are SOL (sorry). Keep your PC up to date. Ensure you have an active fire wall. Turn OFF Adobe Flash. Don’t open questionable links. Backup your data often – the best bet is to invest in an external hard drive that can be detached and isolated.

These are short term solutions. I am still thinking about long-term ways to combat this threat – chime in if you have some ideas.

Monitoring DNS Requests

I love PowerShell – what can’t it do? A friend of mine referred me to this article on how to monitor DNS requests with PowerShell, so of course I needed to investigate. Traditionally, Sysmon is the go-to for monitoring Windows hosts, but as Mr. Vassallo points out, this solution relies on reverse DNS lookups for IP address translation.

What?

Ok let’s back up. DNS monitoring is important because it provides valuable information during an incident response investigation. The hostname-IP address mappings help to characterize traffic observations, and the server’s IP address can be useful to identify clients that make direct requests to servers outside the environment.  For threat intelligence, DNS logging can be used to flag heavy query activity for newly-registered domains or identifying a newly-observed domain.

The problem with reverse DNS is that the owner of the IP address is in charge of reverse DNS, not the owner of the domain the IP resolves to. Anybody who has control over reverse DNS for an IP address block can make the address reverse resolve to “kdahl.io” (or localhost).

If you are using reverse DNS, then you also need to be aware that whoever operates the authoritative name server for that IP address will learn of your requests. And don’t forget to make sure that you sanitize and properly encode reverse DNS results before using them – never ever treat them as trusted.