Golden SAML AD FS Mail Access

Metadata

Contributors	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2021/08/02
Modification Date	2021/08/02
Tactics	TA0006,TA0001,TA0003,TA0004,TA0005,TA0009
Techniques	T1552.004,T1606.002,T1078.004,T1098.002,T1114
Tags	SimuLand

Dataset Description

This dataset represent a threat actor stealing the AD FS token signing certificate from an on-prem AD FS server to sign a new SAML token, impersonate a privileged user and eventually collect mail data via the Microsoft Graph API.

Datasets Downloads

Type	Link
Cloud	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/GoldenSAMLADFSMailAccess/AADAuditEvents.Zip
Cloud	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/GoldenSAMLADFSMailAccess/Microsoft365DefenderEvents.Zip
Cloud	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/GoldenSAMLADFSMailAccess/OfficeActivityEvents.Zip
Host	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/compound/GoldenSAMLADFSMailAccess/WindowsEvents.Zip

Simulation Metadata

Environment

Name	link
SimuLand	https://github.com/Azure/SimuLand/tree/main/2_deploy/aadHybridIdentityADFS

References

• https://github.com/Azure/SimuLand

• https://github.com/Azure/SimuLand/tree/main/labs/01_GoldenSAMLADFSMailAccess