LoFP / attacks using a golden saml or saml assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source ip sourceipaddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks.

Techniques

• T1078

Sample rules

AWS SAML Access by Provider User and Principal

• source: splunk
• technicques:
  • T1078

Description

The following analytic identifies specific SAML access events by a service provider, user, and targeted principal within AWS. It leverages AWS CloudTrail logs to detect the AssumeRoleWithSAML event, analyzing fields such as principalArn, roleArn, and roleSessionName. This activity is significant as it can indicate abnormal access patterns or potential credential hijacking, especially in federated environments using the SAML protocol. If confirmed malicious, this could allow attackers to assume roles and gain unauthorized access to sensitive AWS resources, leading to data breaches or further exploitation.

Detection logic

`cloudtrail` eventName=Assumerolewithsaml 
| stats count min(_time) as firstTime max(_time) as lastTime by eventName requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
|`aws_saml_access_by_provider_user_and_principal_filter`