T1606.002 Splunk · SPL

Detect SAML Tokens in Splunk

Adversaries who possess a valid SAML token-signing certificate can forge SAML tokens with arbitrary claims, permissions and lifetimes. Known as 'Golden SAML', this attack lets them authenticate to any service that trusts the federated identity provider (IdP) without user credentials or MFA, and the forged tokens keep working until the signing certificate is rotated. Attackers typically obtain the certificate from AD FS: the private key sits encrypted in the AD FS configuration database, and the key that decrypts it is held in the Distributed Key Manager (DKM) container in Active Directory (CN=ADFS,CN=Microsoft,CN=Program Data,...), so reading that container is the decisive step. Alternatively, an attacker with sufficient tenant privileges can register a rogue federation trust or signing certificate of their own. The SolarWinds/SUNBURST campaign demonstrated this technique at scale, forging SAML tokens for cloud identities in Microsoft 365 and Azure AD.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1606 Forge Web Credentials
Sub-technique
T1606.002 SAML Tokens
Canonical reference
https://attack.mitre.org/techniques/T1606/002/

SPL Detection Query

Splunk (SPL)

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4662
  | eval ObjectName_lc=lower(ObjectName), Properties_lc=lower(Properties)
  | where (match(ObjectName_lc, "adfs") AND match(ObjectName_lc, "program data"))
       OR match(ObjectName_lc, "cryptopolicy")
       OR match(Properties_lc, "thumbnailphoto")
       OR match(Properties_lc, "8d3bca50-1d7e-11d0-a081-00aa006c33ed")
  | where NOT like(SubjectUserName, "%$")
  | eval DetectionBranch="DKM_Container_Access", RiskScore=90
  | eval Summary=SubjectUserName." accessed AD FS DKM container: ".ObjectName
  | table _time, host, SubjectUserName, SubjectDomainName, ObjectName, OperationType, Properties, DetectionBranch, RiskScore, Summary
| append
  [ search index=azure sourcetype="azure:aad:auditlogs" result=success
      (operationName="Set domain authentication" OR operationName="Set federation settings on domain"
       OR operationName="Add unverified domain" OR operationName="Add verified domain")
    | eval modifiedProps=mvjoin('modifiedProperties{}.newValue', ", ")
    | where match(lower(modifiedProps), "federat") OR match(lower(operationName), "federat")
    | eval DetectionBranch="Federation_Trust_Modified", RiskScore=95
    | eval ActorUPN=coalesce('initiatedBy.user.userPrincipalName', 'initiatedBy.app.displayName', "unknown")
    | eval Summary=ActorUPN." modified federation trust: ".operationName
    | table _time, ActorUPN, operationName, targetResources{}.displayName, modifiedProps, DetectionBranch, RiskScore, Summary ]
| append
  [ search index=azure sourcetype="azure:aad:signinlogs"
      (authenticationProtocol=saml20 OR authenticationProtocol=wsFederation)
      (riskLevelDuringSignIn=high OR riskLevelDuringSignIn=medium OR riskState=atRisk OR riskState=confirmedCompromised)
    | eval DetectionBranch="Anomalous_SAML_Signin"
    | eval RiskScore=case(riskLevelDuringSignIn=="high" OR riskState=="confirmedCompromised", 85,
                          riskLevelDuringSignIn=="medium" OR riskState=="atRisk", 65,
                          true(), 50)
    | eval GeoInfo=coalesce('location.city', "unknown").", ".coalesce('location.countryOrRegion', "unknown")
    | eval Summary=userPrincipalName." SAML sign-in to ".appDisplayName." from ".ipAddress." (".GeoInfo.")"
    | table _time, userPrincipalName, appDisplayName, ipAddress, GeoInfo, riskLevelDuringSignIn, riskState, DetectionBranch, RiskScore, Summary ]
| sort 0 - RiskScore, - _time
Severity: critical · Confidence: high

Detects Golden SAML attacks by appending three search branches in Splunk. Branch 1 uses WinEventLog:Security Event 4662 to find reads of the AD FS DKM (Distributed Key Manager) container in Active Directory (CN=ADFS,CN=Microsoft,CN=Program Data,...). The DKM master key is stored in the thumbnailPhoto attribute (schema GUID 8d3bca50-1d7e-11d0-a081-00aa006c33ed) of a contact object in that container; it decrypts the token-signing certificate's private key held in the AD FS configuration database, so a read of that attribute by anything other than the AD FS service account is the core of the attack. The search matches on the container DN, the CryptoPolicy object beneath it, and the attribute name or GUID, and drops accounts whose name ends in $ (gMSAs and computer accounts). Note that 4662 is only written when the Audit Directory Service Access subcategory is enabled and a Read Property SACL exists on the container, and that ObjectName can be logged as %{GUID} rather than a DN, in which case only the Properties clause fires. Branch 2 uses azure:aad:auditlogs to catch successful operations that create or change a domain's federation settings in Azure AD. Branch 3 uses azure:aad:signinlogs to flag federated sign-ins (SAML 2.0, or WS-Federation, which is what AD FS trusts with Microsoft 365 normally use) that Identity Protection rated medium or high risk, since a forged token often arrives from an unfamiliar location or infrastructure. Results are unified and sorted by risk score, then by time. Two deployment caveats: the sourcetype names follow this page's convention and must match your add-on (the Splunk Add-on for Microsoft Cloud Services uses azure:aad:audit and azure:aad:signin), and each append runs as a subsearch, so it is bounded by the subsearch result and time limits; for large tenants run the branches as separate scheduled searches feeding a risk index instead.
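As an added example (not code from the original page or from any Splunk or Microsoft product), the three branches above re-implemented as plain Python functions and run over constructed sample events, so the matching, exclusion and scoring logic can be checked offline before the search is deployed. Field names are flattened stand-ins for the Splunk fields (for example initiatedBy_user_upn for initiatedBy.user.userPrincipalName), every host, user and address is invented, and the thumbnailPhoto schema GUID is the real one. Branch 3 accepts both saml20 and wsFederation as the federated protocol, because AD FS trusts with Microsoft 365 issue tokens over WS-Federation.

```python
# Added example: the SPL branches as Python, run over constructed events.
# Not from the original page; field names are flattened stand-ins for Splunk fields.

# Schema GUID of the thumbnailPhoto attribute, which holds the AD FS DKM master key.
THUMBNAIL_PHOTO_GUID = "8d3bca50-1d7e-11d0-a081-00aa006c33ed"
# Azure AD audit operations that create or change a domain's federation settings.
FEDERATION_OPS = {"Set domain authentication", "Set federation settings on domain",
                  "Add unverified domain", "Add verified domain"}
# Protocols a forged AD FS token arrives over (WS-Federation for M365 federated domains).
FEDERATED_PROTOCOLS = {"saml20", "wsFederation"}


def dkm_access(ev):
    """Branch 1: Event 4662 read of the DKM container by an account not ending in $."""
    if ev.get("EventCode") != 4662:
        return None
    obj = ev.get("ObjectName", "").lower()
    props = ev.get("Properties", "").lower()
    hit = (("adfs" in obj and "program data" in obj) or "cryptopolicy" in obj
           or "thumbnailphoto" in props or THUMBNAIL_PHOTO_GUID in props)
    if not hit or ev.get("SubjectUserName", "").endswith("$"):
        return None
    return {"branch": "DKM_Container_Access", "score": 90, "time": ev["_time"],
            "summary": f"{ev['SubjectUserName']} accessed AD FS DKM container: {ev['ObjectName']}"}


def federation_modified(ev):
    """Branch 2: successful audit-log operation that sets federated authentication."""
    if ev.get("operationName") not in FEDERATION_OPS or ev.get("result") != "success":
        return None
    props = ", ".join(ev.get("modifiedProperties_newValue", []))
    if "federat" not in props.lower() and "federat" not in ev["operationName"].lower():
        return None
    actor = ev.get("initiatedBy_user_upn") or ev.get("initiatedBy_app_displayName") or "unknown"
    return {"branch": "Federation_Trust_Modified", "score": 95, "time": ev["_time"],
            "summary": f"{actor} modified federation trust: {ev['operationName']}"}


def anomalous_signin(ev):
    """Branch 3: federated sign-in that Identity Protection rated medium or high risk."""
    if ev.get("authenticationProtocol") not in FEDERATED_PROTOCOLS:
        return None
    level, state = ev.get("riskLevelDuringSignIn"), ev.get("riskState")
    if level == "high" or state == "confirmedCompromised":
        score = 85
    elif level == "medium" or state == "atRisk":
        score = 65
    else:
        return None  # low/none risk is not selected by the SPL at all
    geo = f"{ev.get('location_city', 'unknown')}, {ev.get('location_countryOrRegion', 'unknown')}"
    return {"branch": "Anomalous_SAML_Signin", "score": score, "time": ev["_time"],
            "summary": (f"{ev['userPrincipalName']} SAML sign-in to {ev['appDisplayName']} "
                        f"from {ev['ipAddress']} ({geo})")}


def run_detection(events):
    """Run every event through all three branches; order hits like the SPL's sort."""
    hits = [h for ev in events
            for h in (dkm_access(ev), federation_modified(ev), anomalous_signin(ev)) if h]
    return sorted(hits, key=lambda h: (-h["score"], -h["time"]))


# Constructed sample events (not real telemetry); %%7688 is 4662's "Read Property" text.
DKM_DN = "CN=CryptoPolicy,CN=ADFS,CN=Microsoft,CN=Program Data,DC=corp,DC=example"
SAMPLE_EVENTS = [
    # 0: interactive user reading the DKM contact's thumbnailPhoto -> hit (90)
    {"_time": 1700000100, "EventCode": 4662, "SubjectUserName": "jdoe",
     "ObjectName": DKM_DN, "Properties": "%%7688 {8d3bca50-1d7e-11d0-a081-00aa006c33ed}"},
    # 1: the AD FS gMSA doing the same during normal token issuance -> excluded
    {"_time": 1700000110, "EventCode": 4662, "SubjectUserName": "svc-adfs$",
     "ObjectName": DKM_DN, "Properties": "%%7688 {8d3bca50-1d7e-11d0-a081-00aa006c33ed}"},
    # 2: unrelated 4662 on a user object, some other attribute GUID -> no hit
    {"_time": 1700000120, "EventCode": 4662, "SubjectUserName": "jdoe",
     "ObjectName": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "Properties": "%%7688 {bf967a6d-0de6-11d0-a285-00aa003049e2}"},
    # 3: domain switched to federated authentication -> hit (95)
    {"_time": 1700000200, "operationName": "Set federation settings on domain", "result": "success",
     "modifiedProperties_newValue": ["Federated"], "initiatedBy_user_upn": "admin@corp.example"},
    # 4: verified domain added but left managed -> no hit
    {"_time": 1700000210, "operationName": "Add verified domain", "result": "success",
     "modifiedProperties_newValue": ["Managed"], "initiatedBy_user_upn": "admin@corp.example"},
    # 5: high-risk SAML 2.0 sign-in -> hit (85)
    {"_time": 1700000300, "authenticationProtocol": "saml20", "riskLevelDuringSignIn": "high",
     "riskState": "atRisk", "userPrincipalName": "ceo@corp.example", "appDisplayName": "Office 365",
     "ipAddress": "198.51.100.7", "location_city": "Rotterdam", "location_countryOrRegion": "NL"},
    # 6: medium-risk WS-Federation sign-in, no location fields -> hit (65)
    {"_time": 1700000310, "authenticationProtocol": "wsFederation", "riskLevelDuringSignIn": "medium",
     "riskState": "none", "userPrincipalName": "cfo@corp.example", "appDisplayName": "Azure Portal",
     "ipAddress": "203.0.113.9"},
    # 7: high-risk but OAuth2, so not a federated token -> no hit
    {"_time": 1700000320, "authenticationProtocol": "oAuth2", "riskLevelDuringSignIn": "high",
     "riskState": "atRisk", "userPrincipalName": "dev@corp.example", "appDisplayName": "Graph",
     "ipAddress": "203.0.113.10"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["score"], hit["branch"], hit["summary"])
```

Running the module prints the four hits in the order the SPL would return them (95, 90, 85, 65) and silently drops the gMSA read, the managed-domain addition and the OAuth2 sign-in. Swap in exported events from your own indexes to confirm the exclusions match your AD FS service account before scheduling the search.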

Data Sources

  • Active Directory: Directory Service Object Access (Event 4662)
  • Azure AD: Audit Logs
  • Azure AD: Sign-in Logs (SAML / WS-Federation)

Required Sourcetypes

  • WinEventLog:Security
  • azure:aad:auditlogs
  • azure:aad:signinlogs

False Positives & Tuning

  • The AD FS service account reads the DKM key during normal token issuance. If it is a gMSA its SAM account name ends in $ and the SubjectUserName filter excludes it; if it is a regular domain user account, add it to the exclusion explicitly. Either way, verify the exclusion is actually dropping those events before tuning anything else.
  • Authorized identity administrators performing planned federation deployments, certificate rollovers or migrations to cloud authentication; correlate with approved change tickets.
  • Identity Protection risk on SAML-federated accounts using legitimate VPNs or travelling internationally.
  • Backup, directory-audit or inventory tools that read every attribute under CN=Program Data, including the AD FS container.
  • Azure AD Connect when it configures or updates AD FS federation for a domain, which legitimately emits the same federation-settings audit events during setup.
Testing Methodology

Validate this detection against the 4 adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: AD FS DKM Container Enumeration via LDAP

    Expected signal: Security Event 4662 (Directory Service Object Access) with SubjectUserName=<running user>, ObjectName containing 'ADFS' and 'Program Data', and Properties containing the thumbnailPhoto schema GUID {8d3bca50-1d7e-11d0-a081-00aa006c33ed}. Requires the Audit Directory Service Access subcategory enabled on the domain controllers and a Read Property SACL on the DKM container; without both, no 4662 is written and Branch 1 cannot fire. Sysmon Event 1 will show powershell.exe process creation with the LDAP query on the command line, and there will be network traffic on port 389 (LDAP) from the test system to the domain controller.

  2. Test 2: AADInternals Token-Signing Certificate Export Simulation

    Expected signal: Security Event 4662: multiple directory service access events for contact objects in the DKM container. PowerShell ScriptBlock Logging Event 4104: script blocks containing 'AADInternals' and 'Export-AADIntADFSCertificates'. Sysmon Event 1: powershell.exe with the AADInternals command line. Sysmon Event 11 (File Create): PFX certificate files written to C:\Temp\adfs_certs_test. Windows Defender may alert on AADInternals as HackTool:PowerShell/AADInternals.

  3. Test 3: Check Current AD FS Token-Signing Certificate Thumbprint

    Expected signal: Sysmon Event 1: powershell.exe with 'Get-AdfsCertificate' and 'Token-Signing' on the command line. PowerShell ScriptBlock Log Event 4104 showing the certificate enumeration. No Event 4662 is expected, because the cmdlet reads the AD FS configuration through the service's WCF endpoint rather than over LDAP, and no AD FS security audit event is expected either: AD FS auditing covers token requests and issuance, not configuration reads (AD FS Event 411, 'token validation failed', is unrelated to this test).

  4. Test 4: Unauthorized Federation Trust Addition Simulation (Dry Run)

    Expected signal: none in the Azure AD Audit Log, since Get-MsolDomain and Get-MsolCompanyInformation are directory reads and reads do not produce audit entries; Branch 2 only fires if the trust is actually modified. The evidence is on the endpoint and in the sign-in log instead: Sysmon Event 3, a network connection from powershell.exe to login.microsoftonline.com (port 443); PowerShell ScriptBlock Log Event 4104 with 'Connect-MsolService' and 'Get-MsolDomain'; and an Azure AD Sign-in Log entry for the account authenticating through the MSOnline module.
