{
	"id": "44da2fc1-f0b7-435d-be62-b979665cf648",
	"created_at": "2026-04-06T00:22:18.530513Z",
	"updated_at": "2026-04-10T03:24:24.104025Z",
	"deleted_at": null,
	"sha1_hash": "7515734469341b5bf8daf28a3e79ee7dc732d2d7",
	"title": "Cloud Federated Credential Abuse \u0026 Cobalt Strike: Threat Research February 2021 | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59112,
	"plain_text": "Cloud Federated Credential Abuse \u0026 Cobalt Strike: Threat\r\nResearch February 2021 | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2021-03-09 · Archived: 2026-04-05 12:50:30 UTC\r\nThis month, the Splunk Threat Research team developed a total of seven analytic stories addressing different types\r\nof threats and more than a dozen new detections to help our customers detect and fight against these threats.\r\nIn this blog post, we’ll walk you through two analytic stories and a few detection searches that we want to\r\nhighlight from the February 2021 releases. Watch the video below to learn more about why Splunk's Rod Soto,\r\nPrincipal Security Research Engineer, and Michael Haag, Senior Threat Researcher, think it is important to share\r\ntheir knowledge on emerging threats such as Cloud Federated Credential Abuse and Cobalt Strike.\r\nCloud Federated Credential Abuse\r\nThe Cloud Federated Credential Abuse analytic story addresses the recently notorious campaigns featuring tactics,\r\ntechniques and procedures (TTPs) that target the extraction of credentials in cloud federated environments. These\r\nenvironments are composed of federation-enabling technologies such as Active Directory Federation Services,\r\nand these federations can be from inside the perimeter or between cloud vendors.\r\nFederations are based on the flow of trusted credentials. These trusted credentials allow the seamless interaction of\r\nentities from perimeter to cloud or from cloud to cloud. Current federation credential frameworks such as OAuth2\r\nand SAML are the most popular in use between federated environments. In this research blog we delve into how\r\nthese credentials operate and how these attacks work within the perimeter and between cloud environments.\r\nThe scenarios addressed in this new analytic story (release v3.15) are the Golden SAML attack and Pass The\r\nCookie, 
especially the Golden SAML scenario, which is reported to be one of the attack techniques involved\r\nduring the SolarWinds campaign. We are including detection and hunting searches for endpoint and cloud vendors\r\nsuch as AWS and Azure.\r\nWe decided to approach the federation attacks from two different fronts:\r\nPerimeter: The servers and endpoints where we find the elements to craft forged requests, including items\r\nsuch as SAML assertions or session cookies, private keys and certificates.\r\nCloud provider: The providers of federation services where the extracted credentials are reused.\r\nPerimeter-Focused Detection Searches\r\nNew Cloud-Focused Hunting and Detection Searches\r\nDetecting Cobalt Strike\r\nhttps://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html\r\nPage 1 of 3\n\nCobalt Strike is threat emulation software that Red Teams, penetration testers and threat actors all use. More\r\nrecently, adversaries have used cracked or leaked versions to perform post-exploitation within the target’s\r\nenvironment. In December 2020 we got a rare glimpse into FireEye’s Red Team tools after an actor gained\r\nunauthorized access. As defenders, we may not always have access to a tool like Cobalt Strike, so we need to\r\nresearch it to better understand how we may generate our content. With Cobalt Strike comes the ability to deploy\r\nwhat are called Malleable C2 profiles. Each profile is a customization of how the beacon payload will blend in\r\nwith the network and endpoint. It may be as short or detailed as the operator needs. If unable to customize, there\r\nare many profiles freely available.\r\nFunctions within the Malleable C2 profile are spawnto_x86 and spawnto_x64. spawnto_ is the process that\r\nCobalt Strike opens to inject shellcode into. 
The default spawnto_ process is rundll32.exe.\r\nTop five publicly available spawnto values identified in Malleable C2 profiles:\r\nIn generating content related to Cobalt Strike, consider the following:\r\n1. Is it normal for the spawnto_ value to have no command line arguments? No command line arguments and a\r\nnetwork connection?\r\n2. What is the default, or normal, process lineage for the spawnto_ value?\r\n3. Does the spawnto_ value normally make network connections?\r\nContent is currently in active development and much more is to come. We want to help organizations of all sizes\r\nbegin to advance their detection capabilities against Cobalt Strike and more.\r\nWhy Should You Care?\r\nSome of these attack vectors are new and evolving, and they seem to emulate past lateral movement techniques\r\nsuch as pass the hash or pass the ticket. Many vendors do not consider these attack vectors as vulnerabilities but\r\nrather an abuse of features. These types of attacks are bound to become more popular as enterprises continue to\r\nimplement cloud services.\r\nCobalt Strike is the baseline adversary tool we defenders need to ensure we have coverage for moving forward in\r\n2021. With the increasing usage of leaked versions of Cobalt Strike, content needs to be created to detect and\r\nultimately prevent the capabilities it provides. In addition, defenders need to understand what malicious looks like\r\nand how to respond to activity related to methodologies using Cobalt Strike.\r\nFor a full list of security content, check out the release notes on Splunk Docs:\r\n3.15.0\r\n3.14.0\r\nLearn more\r\nYou can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security\r\nEssentials also has all these detections now available via push update.\r\n\n\nFeedback\r\nAny feedback or requests? 
Feel free to put in an Issue on GitHub and we’ll follow up. Alternatively, join us on the\r\nSlack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on\r\nSlack.\r\nAbout the Splunk Threat Research Team\r\nThe Splunk Threat Research team is devoted to understanding actor behavior and researching known threats to\r\nbuild detections that the entire Splunk community can benefit from. The Splunk Threat Research team does this\r\nby building and open-sourcing tools that analyze threats and actors, like the Splunk Attack Range, and using these\r\ntools to create attack data sets. From these data sets, new detections are built and shared with the Splunk\r\ncommunity under Splunk Security Content. These detections are then consumed by various Splunk products like\r\nEnterprise Security, Splunk Security Essentials and Mission Control to help customers quickly and effectively find\r\nknown threats.\r\nContributors\r\nWe would like to thank Rod Soto, Michael Haag, Patrick Bareiss and Bhavin Patel for their contributions to this\r\npost, as well as all of the community contributors who provided feedback and helped generate new security\r\ncontent.\r\nSource: https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html"
	],
	"report_names": [
		"cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434938,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7515734469341b5bf8daf28a3e79ee7dc732d2d7.pdf",
		"text": "https://archive.orkl.eu/7515734469341b5bf8daf28a3e79ee7dc732d2d7.txt",
		"img": "https://archive.orkl.eu/7515734469341b5bf8daf28a3e79ee7dc732d2d7.jpg"
	}
}