technique
https://capec.mitre.org/data/definitions/562.html
technique
https://attack.mitre.org/techniques/T1080
technique
https://us-cert.cisa.gov/ncas/alerts/aa21-008a
CISA. (2021, January 8). Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Retrieved January 8, 2021.
technique
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
Microsoft. (2018, November 28). What is federation with Azure AD? Retrieved December 30, 2020.
technique
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml
Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020.
technique
https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-off
Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020.
technique
https://www.sygnia.co/golden-saml-advisory
Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021.
technique
https://attack.mitre.org/techniques/T1484/002
technique
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
technique
https://attack.mitre.org/techniques/T1573/001