- This event has passed.
Dissecting Golden SAML attack attackers used to exploit SUNBURST backdoor [APAC]
In this on-demand webinar, Randy Franklin Smith briefly introduces you to federation and SAML and how it works in Office 365. Then he will discuss how attackers exploited selected installations of the SUNBURST backdoor to laterally move to the victim organization’s ADFS server and stole its private key.
Then, joined by the very knowledgeable security researchers Sally Vincent and Dan Kaiser from LogRhythm Labs, we will show you
•How a Golden SAML attack works
•Possible ways to mitigate via preventive controls
•Methods for detection via SIEM rules and threat hunting
•What Office 365 logs do and don’t tell us about federated logins
You will see an actual demonstration of an attack by Sally, and we’ll cover the actual event IDs you need to monitor and attempt to correlate from:
•Office 365 audit log
This is a highly technical session we think you will really enjoy and benefit from. Especially because we expect to see a lot more Golden SAML attacks this year.
Randy Franklin Smith, Sally Vincent, and Dan Kaiser