SAML Tokens

Information

• Name: SAML Tokens

• ID: T1606.002

• Tactics: TA0006

• Technique: T1606

Introduction

The MITRE ATT&CK sub-technique "SAML Tokens (T1606.002)" falls under the broader category of "Forge Web Credentials." Attackers exploit Security Assertion Markup Language (SAML) tokens to gain unauthorized access to services or resources by forging or manipulating authentication assertions. SAML tokens are widely used in federated authentication systems, making them a valuable target for attackers aiming to escalate privileges or maintain persistence within enterprise environments.

Deep Dive Into Technique

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between identity providers (IdPs) and service providers (SPs). SAML tokens contain assertions about user identity, attributes, and access privileges. Attackers may exploit vulnerabilities or misconfigurations in SAML implementations to forge or manipulate these tokens, granting unauthorized access.

Common execution methods include:

• Golden SAML Attack:

  • Attackers compromise the private signing key of a trusted Identity Provider (IdP).

  • Using this key, attackers create valid SAML authentication assertions, impersonating any user without needing the user's credentials.

  • This attack bypasses traditional authentication mechanisms, allowing persistent, stealthy access.

• Token Manipulation and Replay:

  • Attackers intercept legitimate SAML assertions during transmission.

  • Captured tokens are replayed or modified to impersonate legitimate users.

  • Attackers exploit insufficient replay protection or weak validation mechanisms.

Technical mechanisms leveraged:

• Compromise of IdP servers or signing keys.

• XML signature wrapping attacks.

• XML External Entity (XXE) vulnerabilities in SAML parsing libraries.

• Misconfigured or weakly protected SAML endpoints.

Real-world procedures involved:

• Initial reconnaissance to identify federation services and IdP infrastructure.

• Exploitation or compromise of IdP servers to extract private keys.

• Creation of forged assertions using specialized tools or scripts.

• Using forged tokens to authenticate to cloud services, email servers, or other federated applications.

When this Technique is Usually Used

Attackers typically employ SAML token forgery in the following scenarios and stages:

• Privilege Escalation:

  • Attackers escalate privileges by impersonating high-privileged users such as administrators or executives.

• Persistence:

  • Forged tokens enable long-term, stealthy access to sensitive resources without requiring repeated credential theft.

• Lateral Movement:

  • Attackers use forged tokens to access multiple federated services and resources across organizational boundaries.

• Credential Access:

  • Attackers leverage forged assertions to bypass multi-factor authentication (MFA) protections implemented via federated authentication.

• Cloud Infrastructure Attacks:

  • Commonly used against cloud providers and services relying on federated authentication, such as Microsoft Azure AD, AWS, Google Workspace, and Office 365.

How this Technique is Usually Detected

Detection methods and tools include:

• Monitoring and Logging:

  • Enable detailed logging on IdP and SP systems to capture authentication events and anomalies.

  • Monitor unusual authentication patterns, such as unexpected user logins from unknown IP addresses or unusual geographic locations.

• Signature Validation and Auditing:

  • Regularly audit XML signature validation processes to detect invalid or suspicious assertions.

  • Implement strict validation rules to detect forged or manipulated assertions.

• Behavioral Analytics:

  • Employ User and Entity Behavior Analytics (UEBA) solutions to detect anomalous user behavior patterns, including unusual login times, frequencies, or locations.

• Endpoint Detection and Response (EDR):

  • Deploy EDR solutions to detect compromise of IdP servers or unauthorized access to private signing keys.

• Indicators of Compromise (IoCs):

  • Unusual or unexpected SAML assertions signed by legitimate IdP keys.

  • Authentication logs showing user logins without corresponding legitimate user actions.

  • Detection of unauthorized access to IdP infrastructure or extraction of private keys.

  • XML parsing errors or anomalies indicating attempted XML signature wrapping or XXE attacks.

Why it is Important to Detect This Technique

Early detection of forged or manipulated SAML tokens is critical due to the following potential impacts:

• Unauthorized Access:

  • Attackers gain unauthorized access to sensitive corporate resources, potentially leading to data breaches, intellectual property theft, or espionage.

• Privilege Escalation and Persistence:

  • Attackers can escalate privileges and maintain persistent access to enterprise resources, complicating remediation efforts.

• Bypassing Multi-Factor Authentication:

  • Forged SAML tokens can bypass MFA protections, undermining advanced security controls and increasing organizational risk.

• Compliance and Regulatory Issues:

  • Failure to detect and respond promptly can lead to regulatory non-compliance, fines, legal consequences, and reputational damage.

• Operational Disruption:

  • Compromise of federated authentication infrastructure can disrupt business operations, causing downtime and financial losses.

Detecting this technique early minimizes exposure, reduces remediation complexity, and mitigates potential damage to organizational assets and reputation.

Examples

Real-world examples demonstrating the use of forged SAML tokens:

• SolarWinds Supply Chain Attack (2020):

  • Attackers compromised federated identity infrastructure and stole private signing keys to create forged SAML tokens.

  • Using "Golden SAML," attackers gained persistent access to cloud resources, including email accounts and cloud applications.

  • Tools and methods used included compromised IdP keys, custom-crafted SAML assertions, and stealthy lateral movement techniques.

• APT29 (Cozy Bear) Attacks:

  • Russian-linked APT29 leveraged forged SAML assertions to access cloud services, bypassing MFA protections.

  • Attackers compromised IdP infrastructure, extracted private keys, and created valid authentication tokens.

  • Impact included unauthorized access to sensitive communications, email accounts, and confidential data.

• Golden SAML Toolkits and Scripts:

  • Attackers have developed publicly available scripts and toolkits to simplify the creation and use of forged SAML tokens.

  • Examples include open-source scripts demonstrating proof-of-concept Golden SAML attacks, facilitating easier exploitation by threat actors.

These examples illustrate the critical need for robust detection and mitigation strategies to protect federated authentication infrastructure from SAML token forgery attacks.