exchange.xforce.ibmcloud.com
2606:4700::6812:be0
Public Scan
URL:
https://exchange.xforce.ibmcloud.com/collection/6d57cc0e6d3cbdf8ea0f0abc1838c12f/attachment/09641bba606d67fe809f5d772f679cc0/25117f1b...
Submission: On July 31 via manual from US — Scanned from CA
Text Content
IBM X-Force Exchange

QRadar Rules to detect Golden SAML attack

Public Collection, 7 Followers, TLP: WHITE
Tags: russia

Attached QRadar correlation rules to detect the Golden SAML attack.

More details can be found here: Detecting Golden SAML attack in QRadar

Note: The file will be automatically compressed by the XForce portal, and the password to unzip it is: INFECTED

The attack can be detected by looking for any successful logins not preceded by the ticket creation events.

The authentication federation server, like ADFS, will log the following events when it validates the user's credentials, or creates a new token:

* Event ID 1202 – "The Federation Service validated a new credential".
* Event ID 1200 – "The Federation Service issued a valid token".

Example detection: if the attacker tries to log in to AWS using the fake/forged SAML response, we will have an AWS ConsoleLogin event that is not preceded by the above 2 ADFS events (1202, 1200).

Reports (0)

Attachments (1)
* QRadar_Rules_to_Detect_Golden_SAML_attack.xml, attached on Jan 20, 2021 7:40:57 AM by Mutaz Alsallal, size 16.31 kB

Linked Collections (0)

Version History (4)
* Mutaz Alsallal, last modified: Aug 3, 2023 2:58:21 AM
* Mutaz Alsallal, last modified: Jan 20, 2021 7:41:07 AM
* Mutaz Alsallal, last modified: Jan 12, 2021 7:10:46 AM
* Mutaz Alsallal, last modified: Jan 12, 2021 7:06:48 AM

Comments (0)