The SolarWinds/Solorigate attacks used some concerning methodologies. One of them is what has become known as the Golden SAML attack. Security Assertion Markup Language (SAML) enables the exchange of authentication and authorization information between trusted parties, typically an identity provider such as Active Directory Federation Services (AD FS) and a service provider such as Microsoft 365. With Golden SAML, the attacker forges SAML responses of their own and signs them with the identity provider's token-signing certificate, so every federated service accepts them as a valid sign-in for whatever user and claims the attacker chooses, regardless of that user's password or multifactor settings. To do so, the attacker must first gain privileged access to the network and steal the private key of the certificate used to sign SAML tokens (on AD FS, the token-signing certificate). That makes the federation servers and their keys a priority for both hardening and monitoring.
Microsoft's Active Directory (AD) gives you several ways to identify this and other techniques used in the SolarWinds attack and to prevent them from happening. Firms such as Trimarc Security have released PowerShell scripts to analyze and review your AD infrastructure. Trimarc's script is aimed at simple, single-domain AD environments and walks through a review of the key settings in a domain that weaken a firm's security posture. Here's what you should review even if you don't use a script.
User account settings
The first issue involves user accounts. The script looks for inactive accounts, meaning accounts whose password has not been changed and that have not logged on in a long time. These are attractive to an attacker because nobody is watching them, so a takeover is unlikely to be noticed. The script also reviews settings that relate to Kerberos, including checking for accounts that are configured not to require Kerberos pre-authentication. When pre-authentication is disabled, anyone on the network can request a ticket-granting ticket for that account and receive a reply encrypted with a key derived from the account's password, which can then be cracked offline (the technique known as AS-REP roasting), and attackers are known to have exploited this setting.
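The two checks described above can be run directly with the ActiveDirectory PowerShell module. The script below is an added example written for this article, not Trimarc's script or any Microsoft tooling; it assumes the RSAT ActiveDirectory module is installed on a domain-joined host with read access to the domain, and the 90-day inactivity threshold is an assumed value that you should align with your own policy.

```powershell
# Added example (not Trimarc's script): review inactive accounts and
# accounts that do not require Kerberos pre-authentication.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$InactiveDays = 90   # assumed threshold; adjust to your policy
$Cutoff = (Get-Date).AddDays(-$InactiveDays)

# 1. Enabled accounts that have neither logged on nor changed their password
#    since the cutoff. LastLogonDate is derived from lastLogonTimestamp, which
#    replicates with a lag of up to 14 days, so treat it as approximate.
#    Accounts that have never logged on report $null, so fall back to whenCreated.
$Inactive = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, PasswordLastSet, whenCreated |
    Where-Object {
        $lastLogon = if ($_.LastLogonDate)   { $_.LastLogonDate }   else { $_.whenCreated }
        $pwdSet    = if ($_.PasswordLastSet) { $_.PasswordLastSet } else { $_.whenCreated }
        ($lastLogon -lt $Cutoff) -and ($pwdSet -lt $Cutoff)
    } |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet, DistinguishedName

Write-Host "Enabled accounts inactive for more than $InactiveDays days: $(@($Inactive).Count)"
$Inactive | Format-Table -AutoSize

# 2. Accounts with DONT_REQ_PREAUTH set. The userAccountControl bit is 0x400000
#    (4194304); the LDAP_MATCHING_RULE_BIT_AND OID below tests that single bit.
#    Any such account is exposed to AS-REP roasting, so also show whether it is
#    enabled and how many groups it belongs to, to prioritize remediation.
$NoPreauth = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
    -Properties userAccountControl, memberOf, servicePrincipalName |
    Select-Object SamAccountName, Enabled,
        @{ Name = 'GroupCount'; Expression = { @($_.memberOf).Count } },
        @{ Name = 'HasSPN';     Expression = { @($_.servicePrincipalName).Count -gt 0 } },
        DistinguishedName

Write-Host "Accounts that do not require Kerberos pre-authentication: $(@($NoPreauth).Count)"
$NoPreauth | Format-Table -AutoSize

# Remediation for a reviewed account once you have confirmed nothing still
# depends on the setting (modern Kerberos clients all support pre-authentication):
#   Set-ADAccountControl -Identity <SamAccountName> -DoesNotRequirePreAuth $false
# Inactive accounts should be disabled (Disable-ADAccount) and moved to a
# quarantine OU rather than deleted outright, so that the SID history is preserved
# for investigation.
```

For the inactivity check alone, the built-in `Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90.00:00:00` gives a similar list, but it considers only the logon timestamp; the version above also requires the password to be stale, which avoids flagging service accounts that authenticate without a recorded interactive logon but still have their passwords rotated. Run both checks on a schedule and diff the output against the previous run, since a newly appearing account with pre-authentication disabled is itself a signal worth investigating.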