CyberArk Software Ltd. researchers developed a new attack technique called Golden SAML that abuses the SAML 2.0 authentication protocol. How does Golden SAML work, and what can be done to mitigate it?
Many different prevention techniques have been devised around centralized authentication to protect user accounts, passwords and systems, including Active Directory (AD), single sign-on and federated identity. Even though passwords, systems and accounts are necessary to protect users and their information, they also introduce new risks.
To demonstrate some of these risks, researchers at CyberArk created a new attack named Golden SAML, which builds on an existing attack. CyberArk used techniques found in Mimikatz and applied them to a federated environment. Mimikatz and similar tools are used to crack or extract passwords and hashes to gain access to targeted systems.
When a user is connecting to a targeted service provider, the Golden SAML technique can be used to forge authentication tokens to make it look like they are coming from a legitimate identity provider (IdP).
The Golden SAML attack needs the token-signing private key from AD to sign the authentication response to the service provider, which tells the service provider that the user was properly authenticated by the IdP. This process can be used against any user. It first requires compromising the AD environment for the IdP, while federated identity relies on service providers and IdPs being secure to provide the secure infrastructure for authentication.
Once Active Directory is compromised, there are many different ways to leverage that access against a target. CyberArk said that this is not a vulnerability in SAML, Active Directory, the IdP or the service provider, but it is another way for an attacker that has domain admin access to achieve their goal.
In order to mitigate the attack, your IdP and AD infrastructure should be secure and monitored for any suspicious access. Unknown binaries shouldn't run on an AD server, and if one is detected, it should be thoroughly investigated immediately.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments
Related Q&A from Nick Lewis
Cisco Talos' Thanatos ransomware decryptor can recover files affected by new ransomware that won't decrypt ransomed files even when a ransom has been... Continue Reading
A phishing campaign targeting Trezor wallets may have poisoned DNS or hijacked BGP to gain access. Learn how the attack worked and how to mitigate it... Continue Reading
Okta researchers found a bypass that allows macOS malware to pose as signed Apple files. Discover how this is possible and how to mitigate this ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.