Loading Events

« All Events

  • This event has passed.

Dissecting Golden SAML attack attackers used to exploit SUNBURST backdoor [APAC]

May 12

Dissecting the Golden SAML Attack Used by Attackers Exploiting the SUNBURST Backdoor

In this on-demand webinar, Randy Franklin Smith briefly introduces you to federation and SAML and how it works in Office 365. Then he will discuss how attackers exploited selected installations of the SUNBURST backdoor to laterally move to the victim organization’s ADFS server and stole its private key.

Then, joined by the very knowledgeable security researchers Sally Vincent and Dan Kaiser from LogRhythm Labs, we will show you
•How a Golden SAML attack works
•Possible ways to mitigate via preventive controls
•Methods for detection via SIEM rules and threat hunting
•What Office 365 logs do and don’t tell us about federated logins

You will see an actual demonstration of an attack by Sally, and we’ll cover the actual event IDs you need to monitor and attempt to correlate from:
•Domain controllers
•ADFS servers
•Office 365 audit log

This is a highly technical session we think you will really enjoy and benefit from. Especially because we expect to see a lot more Golden SAML attacks this year.

Presented by
Randy Franklin Smith, Sally Vincent, and Dan Kaiser

Comments are closed.