Splunk Lantern

Detecting cloud federated credential abuse in Windows

You need to be able to detect events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktops or servers that provide federation services such as Windows Active Directory Federation Services. Identity federation relies on objects such as Oauth2 tokens, cookies, or SAML assertions in order to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged, then attackers are able to pivot into your cloud environment.

This use case contains searches that detect abnormal processes which may indicate the extraction of federated directory objects such as passwords, Oauth2 tokens, certificates, and keys, as well as searches relating to cloud environment events.

How to use Splunk software for this use case

Searches using the endpoint data model

To run these searches, ensure that you are ingesting normalized endpoint data that populates the Endpoint data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation. In addition, if you are using Sysmon, you must have at least version 6.0.4.

► Certutil exe certificate extraction

This search looks for arguments to certutil.exe that indicate the manipulation or extraction of the certificate. This certificate can then be used to sign new authentication tokens, especially inside federated environments such as Windows ADFS.

Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of a certificate has been observed during attacks such as Golden SAML and other campaigns targeting federated services.

| tstats allow_old_summaries=true count, min(_time) AS firstTime, values("Processes.process") AS process, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=certutil.exe "Processes.process"="* -exportPFX *") BY "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Registry keys used for privilege escalation

The data used for this search is typically generated via logs that report reads and writes to the registry. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon.

This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.

False positives from this search may occur since there are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.

| tstats summariesonly=true allow_old_summaries=true count values(Registry.registry_key_name) AS registry_key_name values(Registry.registry_path) AS registry_path min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_key_name=GlobalFlag OR Registry.registry_key_name=Debugger) BY Registry.dest  Registry.user
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
| rename "Registry.*" AS "*"

Additional searches

Some commands, parameters, and field names in the searches below might need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.

► Office 365 add app role assignment grant to user

This search detects instances when the operation Add app role assignment grant to user has been carried out.

These activities may not necessarily be malicious; however, they should be monitored closely.

| search (Operation="Add app role assignment grant to user." Workload=AzureActiveDirectory sourcetype=o365:management:activity) 
| stats count min(_time) as firstTime max(_time) AS lastTime values(Actor{}.ID) AS Actor.ID values(Actor{}.Type) AS Actor.Type BY ActorIpAddress dest ResultStatus 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Office 365 added service principal

This search detects instances when service principal credentials are added.

These activities may not necessarily be malicious; however, they should be monitored closely.

| search (Workload=AzureActiveDirectory signature="Add service principal credentials." sourcetype=o365:management:activity) 
| stats min(_time) AS firstTime max(_time) AS lastTime values(Actor{}.ID) AS Actor.ID values(ModifiedProperties{}.Name) AS ModifiedProperties.Name values(ModifiedProperties{}.NewValue) AS ModifiedProperties.NewValue values(Target{}.ID) AS Target.ID BY ActorIpAddress signature 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Office 365 excessive SSO logon errors

This search detects accounts with a high number of Single Sign-On (SSO) logon errors. Excessive logon errors may indicate attempts to brute-force passwords, or may indicate SSO token hijacking or reuse.

Logon errors may not be malicious in nature; however, they may indicate attempts to reuse a token or password obtained via a credential access attack.

| search (LogonError=SsoArtifactInvalidOrExpired Workload=AzureActiveDirectory sourcetype=o365:management:activity) 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY LogonError ActorIpAddress UserAgent UserId 
| where (count > 5) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
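
The certutil -exportPFX search above and this SSO logon-error search share one shape: filter events, group by a set of fields, then compute count, firstTime and lastTime. The Python below is an added example, not Splunk's or this page's own code, that re-implements both over constructed sample events so the logic can be checked offline; the field names follow the searches, but the event records, the epoch timestamps, the UTC rendering and the case-insensitive wildcard match are assumptions.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timezone

def fmt(ts):
    # Same rendering as '| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(...)' (UTC assumed)
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def stats(events, by):
    # Equivalent of '| stats count min(_time) AS firstTime max(_time) AS lastTime BY <by>'
    groups = defaultdict(list)
    for e in events:
        groups[tuple(e.get(k) for k in by)].append(e)
    rows = []
    for key, evs in groups.items():
        times = [e["_time"] for e in evs]
        row = dict(zip(by, key))
        row.update(count=len(evs), firstTime=fmt(min(times)), lastTime=fmt(max(times)))
        rows.append(row)
    return rows

def certutil_export_pfx(process_events):
    # Endpoint.Processes search: process_name=certutil.exe AND process="* -exportPFX *"
    # (wildcard matched case-insensitively here; an assumption about the Splunk search)
    hits = [e for e in process_events
            if e["process_name"].lower() == "certutil.exe"
            and fnmatch.fnmatchcase(e["process"].lower(), "* -exportpfx *")]
    return stats(hits, ["parent_process", "process_name", "process", "user"])

def excessive_sso_logon_errors(o365_events, threshold=5):
    # o365:management:activity search followed by '| where (count > 5)'
    hits = [e for e in o365_events
            if e.get("Workload") == "AzureActiveDirectory"
            and e.get("LogonError") == "SsoArtifactInvalidOrExpired"]
    rows = stats(hits, ["LogonError", "ActorIpAddress", "UserAgent", "UserId"])
    return [r for r in rows if r["count"] > threshold]

# Constructed sample events (not real telemetry); _time is epoch seconds as in Splunk
PROC = [
    {"_time": 1700000000, "parent_process": "cmd.exe", "process_name": "certutil.exe",
     "process": "certutil.exe -exportPFX <constructed args>", "user": "CORP\\svc-adfs"},
    {"_time": 1700000060, "parent_process": "cmd.exe", "process_name": "certutil.exe",
     "process": "certutil.exe -hashfile C:\\tools\\installer.msi SHA256", "user": "CORP\\alice"},
]
O365 = [{"_time": 1700000000 + 30 * i, "Workload": "AzureActiveDirectory",
         "LogonError": "SsoArtifactInvalidOrExpired", "ActorIpAddress": "203.0.113.10",
         "UserAgent": "Mozilla/5.0", "UserId": "bob@example.com"} for i in range(6)]
O365.append({"_time": 1700000500, "Workload": "AzureActiveDirectory",
             "LogonError": "SsoArtifactInvalidOrExpired", "ActorIpAddress": "198.51.100.7",
             "UserAgent": "Mozilla/5.0", "UserId": "carol@example.com"})
```

Running `certutil_export_pfx(PROC)` returns one row (the -hashfile invocation is ignored), and `excessive_sso_logon_errors(O365)` returns only the account with six errors, matching what the two searches would surface.
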
► Office 365 new federated domain added

This search detects the addition of a new federated domain.

The creation of a new federated domain is not necessarily malicious; however, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities at a similar or different cloud provider.

| search (Operation="Add-FederatedDomain" Workload=Exchange sourcetype=o365:management:activity) 
| stats count min(_time) AS firstTime max(_time) AS lastTime values(Parameters{}.Value) AS Parameters.Value BY ObjectId Operation OrganizationName OriginatingServer UserId UserKey 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Next steps

The content in this article comes from Splunk Enterprise Security (ES). As a Splunk premium security solution, ES solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of an organization's security posture with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises, or hybrid deployment models. If you have questions about this use case, see the Security Research team's support options on GitHub.

In addition, Splunk Enterprise Security provides a number of other searches to help reinforce your Cloud Security posture, including:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.