elastic / detection-rules

Home Page:https://www.elastic.co/guide/en/security/current/detection-engine-overview.html


[Meta] Expand Okta Rule Coverage - SAMLjacking

terrancedejesus opened this issue · comments

Parent Epic (If Applicable)

Meta Summary

This meta will be used to track expanded Okta detection rule coverage specifically for SAML-related events. SAML is an authentication standard/protocol commonly used in SaaS platforms. SAML is web-based and implemented on both the service provider (SP) and identity provider (IdP) for authentication. SAML data visibility is reliant on URI patterns, HTTP(S) request and response bodies, and more; however, Okta system logs include most of this information. This research is likely to carry over to other SaaS integrations (Google Workspace, GitHub, Slack) where similar detections can be created.

Plan:

  • Set up an Okta lab and 3rd-party applications.
  • Establish SAML for authentication between IdP and SP.
  • Use the Okta integration for IdP log collection.
  • Use Network Packet Capture (NPC) for network traffic log collection (this is only necessary if we need visibility into the web browser for redirections).
  • Emulate malicious behavior, capture telemetry, and write detection logic.

Estimated Time to Complete

4-Weeks

Potential Blockers

  • Full SAML request/response visibility relies heavily on insight into the end-user browser, IdP, and SP. Okta, being the IdP, may only provide partial insight into these request/response communications.
  • Depending on logic requirements, ES|QL may be important for comparative analysis of the SAML requests and responses. At the time of this issue, ES|QL is in technical preview.

Tasklist

Meta Tasks

Detection Rules

No tasks being tracked yet.

Resources / References

Update 01-16-2023

This meta will be started today, starting with setting up SAML authentication with 1-2 third-party integrations in Okta and ensuring monitoring is still established. The following is tasked for this week. There may need to be separate metas to tackle the other SAML abuse techniques originally listed. Therefore, I have renamed this to SAMLjacking and put the others as a stretch.

  • Set up SAML authentication in the Okta lab.
  • Ensure monitoring still exists for Okta.
  • Establish 1-2 third-party integrations in Okta with SAML access only.
  • Follow the authentication workflow with MFA and review telemetry to understand visibility.
  • Review SAMLjacking techniques and how to execute them in our environment.
  • Attempt to emulate SAMLjacking and capture telemetry.
  • Review potential rules and begin rule development.
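
The "comparative analysis of the SAML requests and responses" mentioned under Potential Blockers, shown as an added example that is not part of this issue or of the detection-rules project: it decodes a SAML AuthnRequest (HTTP-Redirect binding, DEFLATE + base64) and the SAML Response it produced (HTTP-POST binding, base64), then checks the pair against a known-good SP configuration. The SP entity ID, ACS URL, IdP issuer and both messages are constructed for the example; the code only compares structure (issuer, ACS URL, Destination, InResponseTo, Audience) and does not verify XML signatures, so it is a telemetry-level consistency check, not an assertion validator.

```python
"""Compare a SAML AuthnRequest with the Response it produced against a known-good SP.

Constructed messages and hypothetical SP/IdP values; stdlib only.
"""
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed SP settings for this example (hypothetical values).
KNOWN_SP = {
    "entity_id": "https://sp.example.com/saml/metadata",
    "acs_url": "https://sp.example.com/saml/acs",
}
IDP_ISSUER = "https://idp.example.com/saml"  # hypothetical IdP issuer


def deflate_b64(xml_text):
    """Encode like the HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def inflate_b64(data):
    """Reverse of deflate_b64: base64-decode, then raw-inflate."""
    return zlib.decompress(base64.b64decode(data), -15).decode()


def parse_authn_request(b64):
    """Pull the fields worth comparing out of a Redirect-binding SAMLRequest."""
    root = ET.fromstring(inflate_b64(b64))
    return {
        "id": root.get("ID"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
    }


def parse_response(b64):
    """Pull the fields worth comparing out of a POST-binding SAMLResponse."""
    root = ET.fromstring(base64.b64decode(b64))
    assertion = root.find(f"{{{SAML}}}Assertion")
    return {
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "audience": assertion.findtext(
            f"{{{SAML}}}Conditions/{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience"),
        "subject": assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"),
    }


def analyze(request_b64, response_b64, known_sp=KNOWN_SP):
    """Return a list of finding names; an empty list means the pair is consistent."""
    req = parse_authn_request(request_b64)
    resp = parse_response(response_b64)
    findings = []
    if req["issuer"] != known_sp["entity_id"]:
        findings.append("request_issuer_unknown")
    if req["acs_url"] != known_sp["acs_url"]:
        # The request asks the IdP to post the assertion somewhere the SP does not own.
        findings.append("acs_url_mismatch")
    if resp["destination"] != req["acs_url"]:
        findings.append("response_destination_differs_from_request_acs")
    if resp["in_response_to"] != req["id"]:
        findings.append("in_response_to_mismatch")
    if resp["audience"] != known_sp["entity_id"]:
        findings.append("audience_mismatch")
    return findings


def build_request(acs_url, req_id="_req-1"):
    """Constructed AuthnRequest, encoded as it would appear in a SAMLRequest parameter."""
    return deflate_b64(f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="{req_id}" Version="2.0" IssueInstant="2024-01-16T12:00:00Z"
  AssertionConsumerServiceURL="{acs_url}">
  <saml:Issuer>{KNOWN_SP['entity_id']}</saml:Issuer>
</samlp:AuthnRequest>""")


def build_response(destination, in_response_to="_req-1"):
    """Constructed (unsigned) Response, encoded as it would appear in a SAMLResponse form field."""
    xml_text = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp-1"
  Version="2.0" IssueInstant="2024-01-16T12:00:01Z"
  Destination="{destination}" InResponseTo="{in_response_to}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2024-01-16T12:00:01Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{KNOWN_SP['entity_id']}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml_text.encode()).decode()


# Constructed sample pairs: a normal login, and one whose ACS URL is not the SP's.
BENIGN = (build_request(KNOWN_SP["acs_url"]), build_response(KNOWN_SP["acs_url"]))
REDIRECTED = (build_request("https://acs.attacker.example/saml"),
              build_response("https://acs.attacker.example/saml"))

if __name__ == "__main__":
    for name, pair in (("benign", BENIGN), ("redirected_acs", REDIRECTED)):
        print(name, analyze(*pair) or "no findings")
```

The two encodings matter for telemetry work: a SAMLRequest captured from a redirect URL must be raw-inflated before parsing, while a SAMLResponse from a POST body is plain base64. In the second sample the response is internally consistent with its request, so only the comparison against the known SP configuration produces a finding.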

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.