attacks using a golden saml or saml assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source ip sourceipaddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks.

t1078
aws federated account
splunk

Techniques

T1078

Sample rules

AWS SAML Access by Provider User and Principal

source: splunk
technicques:
- T1078

Description

This search provides specific SAML access from specific Service Provider, user and targeted principal at AWS. This search provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider.

Detection logic

`cloudtrail` eventName=Assumerolewithsaml 
| stats count min(_time) as firstTime max(_time) as lastTime by eventName requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
|`aws_saml_access_by_provider_user_and_principal_filter`