Detect SAML Tokens in Sumo Logic CSE
Adversaries may forge SAML tokens with arbitrary permissions and lifetimes if they possess a valid SAML token-signing certificate. Known as 'Golden SAML,' this attack allows adversaries to authenticate to any service trusting a federated identity provider (IdP) without needing user credentials or MFA. Attackers typically extract the token-signing certificate from AD FS using the Distributed Key Manager (DKM) container in Active Directory, or establish a new rogue federation trust. The SolarWinds/SUNBURST campaign demonstrated this technique at scale, enabling attackers to forge SAML tokens for any cloud identity in Microsoft 365 and Azure AD.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1606 Forge Web Credentials
- Sub-technique: T1606.002 SAML Tokens
- Canonical reference: https://attack.mitre.org/techniques/T1606/002/
Sumo Detection Query
_sourceCategory=azure/ad/signin OR _sourceCategory=o365/audit
| json auto
| where error_code in ("0", "50158", "50074", "50076") or event_action matches "*SAML*" or event_source matches "*ADFS*"
| if(matches(event_action, "*ADFSSecretDump*") or matches(event_action, "*Golden SAML*"), "Critical", if(matches(error_code, "0") and !matches(user_agent, "*Microsoft*"), "High", "Medium")) as RiskLevel
| stats count by user_principal_name, source_ip, RiskLevel
| sort by count desc

Sumo Logic query for T1606.002 detection using source category filters and aggregation. Detects Golden SAML attacks (T1606.002) via three correlated branches. Branch 1 identifies direct ac
Data Sources
Required Tables
False Positives & Tuning
- AD FS service account (computer account ending in $) legitimately reads the DKM container during token issuance — excluded by the computer account filter, but service accounts using user-format names may trigger Branch 1
- Authorized identity administrator converting a managed domain to federated during a planned AD FS deployment or migration — Branch 2 will fire; correlate with change management records
- Legitimate Identity Protection risk events on SAML-federated users traveling internationally or using VPNs — Branch 3 will fire for genuinely suspicious but non-malicious logins
- AD backup tools (e.g., Veeam, Quest Recovery Manager) performing AD object reads may access DKM container objects during full AD backups — verify backup schedules match event timing
- Entra ID Connect Health agent polling federation service health may generate benign AuditLog entries resembling federation changes
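To unit-test the query's branching before it goes into production, the following Python reimplements the query's where clause, its nested if() risk levels and its stats aggregation over constructed sign-in and audit records, and adds a principal exclusion set as a tuning hook for the service-account false positives listed above. This is an added example, not Sumo Logic's code or the page's rule; the records, the wildcard-matching semantics (assumed case-insensitive) and the excluded_principals parameter are assumptions.

```python
"""Offline re-implementation of the page's Sumo Logic T1606.002 query logic.
Added example for unit-testing the branching; not Sumo Logic's code."""
from collections import Counter
from fnmatch import fnmatchcase

# Source categories and error codes taken from the page's query.
SOURCE_CATEGORIES = {"azure/ad/signin", "o365/audit"}
WATCHED_ERROR_CODES = {"0", "50158", "50074", "50076"}


def matches(value, pattern):
    """Sumo-style wildcard match ("*SAML*"). Assumption: case-insensitive;
    confirm against the matches semantics of your Sumo deployment.
    A missing field never matches, mirroring a null JSON field."""
    if value is None:
        return False
    return fnmatchcase(str(value).lower(), pattern.lower())


def in_scope(ev):
    """The query's where clause."""
    return (
        ev.get("error_code") in WATCHED_ERROR_CODES
        or matches(ev.get("event_action"), "*SAML*")
        or matches(ev.get("event_source"), "*ADFS*")
    )


def risk_level(ev):
    """The nested if(...) as RiskLevel expression from the query."""
    action = ev.get("event_action")
    if matches(action, "*ADFSSecretDump*") or matches(action, "*Golden SAML*"):
        return "Critical"
    if ev.get("error_code") == "0" and not matches(ev.get("user_agent"), "*Microsoft*"):
        return "High"
    return "Medium"


def aggregate(events, excluded_principals=frozenset()):
    """stats count by user_principal_name, source_ip, RiskLevel | sort by count desc.
    excluded_principals is an assumed tuning hook for service accounts that use
    user-format names and would otherwise raise the false positives listed above."""
    counts = Counter()
    for ev in events:
        if ev.get("_sourceCategory") not in SOURCE_CATEGORIES:
            continue
        if ev.get("user_principal_name") in excluded_principals:
            continue
        if not in_scope(ev):
            continue
        counts[(ev.get("user_principal_name"), ev.get("source_ip"), risk_level(ev))] += 1
    # sorted() is stable, so ties keep first-seen order
    return sorted(counts.items(), key=lambda kv: -kv[1])


# Constructed records in the shape json auto would produce; not real telemetry.
SAMPLE_EVENTS = [
    {"_sourceCategory": "azure/ad/signin", "user_principal_name": "alice@corp.example",
     "source_ip": "198.51.100.7", "error_code": "0", "user_agent": "python-requests/2.31",
     "event_action": "Sign-in activity", "event_source": "ADFS"},
    {"_sourceCategory": "azure/ad/signin", "user_principal_name": "alice@corp.example",
     "source_ip": "198.51.100.7", "error_code": "0", "user_agent": "python-requests/2.31",
     "event_action": "Sign-in activity", "event_source": "ADFS"},
    {"_sourceCategory": "o365/audit", "user_principal_name": "bob@corp.example",
     "source_ip": "203.0.113.9", "error_code": None, "user_agent": None,
     "event_action": "ADFSSecretDump detected", "event_source": "ADFS Auditing"},
    {"_sourceCategory": "azure/ad/signin", "user_principal_name": "carol@corp.example",
     "source_ip": "192.0.2.5", "error_code": "50074", "user_agent": "Mozilla/5.0 Microsoft Edge",
     "event_action": "Sign-in activity", "event_source": "Azure AD"},
    {"_sourceCategory": "azure/ad/signin", "user_principal_name": "dave@corp.example",
     "source_ip": "192.0.2.6", "error_code": "0", "user_agent": "Microsoft Office/16.0",
     "event_action": "Sign-in activity", "event_source": "Azure AD"},
    {"_sourceCategory": "aws/cloudtrail", "user_principal_name": "erin@corp.example",
     "source_ip": "192.0.2.7", "error_code": "0", "user_agent": "aws-cli/2.0",
     "event_action": "ConsoleLogin", "event_source": "signin.amazonaws.com"},
]

if __name__ == "__main__":
    for (upn, ip, level), n in aggregate(SAMPLE_EVENTS):
        print(f"{n:3d}  {level:8s}  {upn}  {ip}")
```

Running the block shows how broad the where clause is: because error_code "0" is a successful sign-in, every successful non-Microsoft-client sign-in lands in the High bucket, which is why the stats aggregation and the exclusion hook matter more than the match itself.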
Testing Methodology
Validate this detection against the four T1606.002 test cases from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AD FS DKM Container Enumeration via LDAP
Expected signal: Security Event 4662: Directory Service Object Access — SubjectUserName=<running user>, ObjectName contains 'ADFS' and 'Program Data', Properties contains GUID for thumbnailPhoto {72e39547-7b18-11d1-adef-00c04fd8d5cd}. Requires Directory Service Access auditing enabled and SACL on the DKM container. Sysmon Event 1 will show powershell.exe process creation with the LDAP query command line. Network traffic on port 389 (LDAP) from the test system to the domain controller.
- Test 2: AADInternals Token-Signing Certificate Export Simulation
Expected signal: Security Event 4662: Multiple directory service access events for contact objects in the DKM container. PowerShell ScriptBlock Logging Event 4104: logs showing 'AADInternals' and 'Export-AADIntADFSCertificates'. Sysmon Event 1: powershell.exe with AADInternals command line. Sysmon Event 11 (File Create): PFX certificate files written to C:\Temp\adfs_certs_test. Windows Defender may alert on AADInternals as HackTool:PowerShell/AADInternals.
- Test 3: Check Current AD FS Token-Signing Certificate Thumbprint
Expected signal: Sysmon Event 1: powershell.exe with 'Get-AdfsCertificate' and 'Token-Signing' in command line. PowerShell ScriptBlock Log Event 4104 showing certificate enumeration. AD FS Auditing Event 411 in Security log may fire indicating certificate-related administrative access. No Event 4662 expected for this test as it reads ADFS configuration via WCF, not LDAP.
- Test 4: Unauthorized Federation Trust Addition Simulation (Dry Run)
Expected signal: Azure AD Audit Log entry for 'Get company information' or read-only directory query (may not generate audit event for reads). Sysmon Event 3: Network connection from powershell.exe to login.microsoftonline.com (port 443). PowerShell ScriptBlock Log Event 4104 with 'Get-MsolDomain' and 'Connect-MsolService'. Azure AD Sign-in Log for the authenticating user account connecting via MSOnline module.
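The Test 1 expected signal (Event 4662 whose ObjectName contains 'ADFS' and 'Program Data' and whose Properties contains the GUID listed above), together with the computer-account exclusion from the tuning list, can be checked with the following Python. It is an added example, not the page's, Microsoft's or Atomic Red Team's code: it parses 4662 records in the Windows event XML shape, flags DKM container reads, and suppresses computer accounts (names ending in $) plus an optional allowlist of backup readers you have already verified against backup schedules. The XML records, the placeholder container GUID, the allowlisted_readers parameter and the svc-backup account name are constructed assumptions.

```python
"""Triage Windows Security Event 4662 records for AD FS DKM container reads
(the Test 1 expected signal) with the computer-account exclusion applied.
Added example; not the page's, Microsoft's or Atomic Red Team's code."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Property GUID exactly as the page lists it for the Test 1 expected signal.
DKM_PROPERTY_GUID = "{72e39547-7b18-11d1-adef-00c04fd8d5cd}"
# Substrings the page says the ObjectName of a DKM read contains.
DKM_PATH_MARKERS = ("ADFS", "PROGRAM DATA")


def parse_4662(xml_text):
    """Flatten the EventData of a Windows event XML record into a dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    return fields


def is_dkm_read(fields):
    """ObjectName contains both markers and Properties carries the page's GUID."""
    obj = fields.get("ObjectName", "").upper()
    return (fields.get("EventID") == "4662"
            and all(m in obj for m in DKM_PATH_MARKERS)
            and DKM_PROPERTY_GUID.lower() in fields.get("Properties", "").lower())


def verdict(fields, allowlisted_readers=frozenset()):
    """'ignore' for non-DKM events, 'suppressed' for a computer account
    (name ending in $) or an allowlisted reader, 'alert' otherwise.
    allowlisted_readers is an assumed hook for backup-tool accounts whose
    reads you have matched to backup schedules (see the tuning list)."""
    if not is_dkm_read(fields):
        return "ignore"
    subject = fields.get("SubjectUserName", "")
    if subject.endswith("$") or subject in allowlisted_readers:
        return "suppressed"
    return "alert"


def triage(xml_records, allowlisted_readers=frozenset()):
    """Return (SubjectUserName, verdict) for each record."""
    out = []
    for rec in xml_records:
        f = parse_4662(rec)
        out.append((f.get("SubjectUserName", ""), verdict(f, allowlisted_readers)))
    return out


def make_4662(subject, object_name, properties):
    """Build a constructed 4662 record in the Windows event XML shape (subset of fields)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectName">{object_name}</Data>
    <Data Name="OperationType">Object Access</Data>
    <Data Name="AccessMask">0x10</Data>
    <Data Name="Properties">{properties}</Data>
  </EventData>
</Event>"""


# Constructed sample records; the container GUID under CN=ADFS is a placeholder.
DKM_DN = ("CN=CryptoPolicy,CN=PLACEHOLDER-CONTAINER-GUID,CN=ADFS,CN=Microsoft,"
          "CN=Program Data,DC=corp,DC=example")
DKM_PROPS = f"%%7688 {DKM_PROPERTY_GUID}"
SAMPLE_RECORDS = [
    make_4662("jdoe", DKM_DN, DKM_PROPS),            # interactive user: alert
    make_4662("ADFSSRV01$", DKM_DN, DKM_PROPS),      # AD FS computer account: suppressed
    make_4662("svc-backup", DKM_DN, DKM_PROPS),      # verified backup reader: suppressed
    make_4662("jdoe", "CN=Alice,CN=Users,DC=corp,DC=example",   # unrelated object: ignore
              "%%7688 {00000000-0000-0000-0000-000000000000}"),
]

if __name__ == "__main__":
    for subject, v in triage(SAMPLE_RECORDS, allowlisted_readers={"svc-backup"}):
        print(f"{v:10s} {subject}")
```

The allowlist is deliberately a separate input rather than a hard-coded name so that a backup account is only suppressed after its read times have been checked against the backup schedule, as the tuning list recommends; without the allowlist the same read from svc-backup alerts.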
References (13)
- https://attack.mitre.org/techniques/T1606/002/
- https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps
- https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/
- https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
- https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes
- https://o365blog.com/aadkillchain/
- https://github.com/dirkjanm/adconnectdump
- https://github.com/fireeye/ADFSDump
- https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging
- https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md
- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452