It is noted that Silver Saml is similar to the Golden SAML technique, which was first supplied with Cyberark in 2017. The attack vector includes abuse of a compatible authentication standard for the personification of almost any personality in the organization.
Silver Saml attack is a modification of Golden Saml. The technique works with the Microsoft Entra ID (previously Azure Active Directory) and does not require access to Active Directory Federal Services (AD FS). Silver SAML was evaluated as a threat of an average dangerous danger for organizations.
In Microsoft, after the responsible disclosure on January 2, 2024, they said that the problem does not meet the criteria for an immediate decision, but noted that they would take relevant actions as necessary to protect customers.
Although there is no evidence of Silver SAML in real conditions, organizations are recommended to use only self-made Entra ID certificates to sign SAML. Semperis also provided evidence of the concept (Proof-of-Concept, POC) called silversamlforger to create tunable answers saml.
Semperis explains that organizations can monitor the Entra ID audit magazines for changes in PreferdtokensignkeythumbPrint in the ApplicationManagement section. It is important to compare these events in order to add the events of the accounting data of the participant-service that relate to the participant-service. The rotation of certificates with an expired validity is the usual process, so it is necessary to determine whether the events of the audit are legitimate. The introduction of the processes of monitoring changes for documenting rotation can help minimize confusion during rotation events.