On-premises to cloud lateral movement should be one of the top techniques in a red teamer’s arsenal. Difficult to detect and pervasive in nature, these techniques attract the likes of APT groups like Nobellium who have increased their focus on abusing identity federation. Techniques like Golden SAML and AD FS skeleton keys provide threat actors the double-edged sword of combining both lateral movement and privilege escalation into a single technique - with the added benefit of leaving little trace in the cloud logs for defenders.
For a long time, compromise and detection has focused primarily on on-premises techniques, but the ecosystem has shifted, and the cloud is the new frontier. As most organizations utilise cloud services in one way or another - it’s only a matter of time before we see commodity threat groups and other nation states abusing these techniques. This talk aims to break down cloud lateral movement techniques like Golden SAML and AD FS skeleton keys to demonstrate the wide range of possibilities of cloud compromise, and to highlight the future of cloud attacks and the untapped research potential yet to be uncovered.
SANS HackFest Summit 2023
Keynote | Hacking the Cloud Like an APT
Lina Lau, Founder of XINTRA, XINTRA
View upcoming Summits: www.sans.org/u/DuS