Name:AWS SAML Access by Provider User and Principal id:bbe23980-6019-11eb-ae93-0242ac130002 version:3 date:2024-09-30 author:Rod Soto, Splunk status:production type:Anomaly Description:The following analytic identifies specific SAML access events by a service provider, user, and targeted principal within AWS. It leverages AWS CloudTrail logs to detect the `AssumeRoleWithSAML` event, analyzing fields such as `principalArn`, `roleArn`, and `roleSessionName`. This activity is significant as it can indicate abnormal access patterns or potential credential hijacking, especially in federated environments using the SAML protocol. If confirmed malicious, this could allow attackers to assume roles and gain unauthorized access to sensitive AWS resources, leading to data breaches or further exploitation. Data_source:
-AWS CloudTrail AssumeRoleWithSAML
search:`cloudtrail` eventName=Assumerolewithsaml | stats count min(_time) as firstTime max(_time) as lastTime by eventName requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_access_by_provider_user_and_principal_filter`
how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs known_false_positives:Attacks using a Golden SAML or SAML assertion hijacks or forgeries are very difficult to detect as accessing cloud providers with these assertions looks exactly like normal access, however things such as source IP sourceIPAddress user, and principal targeted at receiving cloud provider along with endpoint credential access and abuse detection searches can provide the necessary context to detect these attacks. References: -https://www.cisa.gov/uscert/ncas/alerts/aa21-008a -https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html -https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf -https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps drilldown_searches: name:'View the detection results for - "$recipientAccountId$"' search:'%original_detection_search% | search recipientAccountId = "$recipientAccountId$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$recipientAccountId$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$recipientAccountId$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Cloud Federated Credential Abuse' asset_type:AWS Federated Account confidence:80 impact:80 message:From IP address $sourceIPAddress$, user agent $userAgent$ has trigged an event $eventName$ for account ID $recipientAccountId$ mitre_attack_id: - 'T1078' observable: name:'sourceIPAddress' type:'IP Address' - role: - 'Attacker' name:'recipientAccountId' type:'Other' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'eventName' - 'requestParameters.principalArn' - 'requestParameters.roleArn' - 'requestParameters.roleSessionName' - 'recipientAccountId' - 'responseElements.issuer' - 'sourceIPAddress' - 'userAgent' risk_score:64 security_domain:threat
