What Is Golden SAML Theft
ADFS Configuration (AADINTERNALS)
Attacker steals the ADFS certificate and private key to forge SAML tokens. Allows for persistence for password reset and impersonation of any user.
ADFS is a SSO tool that links a user's identity across on-prem, cloud, web apps, etc. ADFS preforms claims based authentication and provides a SAML token that contains a user's access rights whenever required.
Why Golden SAML?
Persistent through password resets
Impersonate any user in domain without their password
ADFS certificates are valid for one year (organizations often change this to 10 years).
Difficult to detect and certain auditing must be be enabled for any visual.
Attack flow:
Compromise ADFS service account (default name: aadcsvc$) OR Domain Administrator.
Obtain Object GUID of user you want to impersonate
Access specified resource (m365, web app, etc)
Find out what user is the ADFS service account by looking at "Log On As" in services or enumerate accounts to find it.
Recon for ADFS Object
Select the second one "CN=ADFS, CN=Microsoft, CN=Program Data, etc"
Export DKM Commands:
Export ADFS Configuration:
Export Token Signing Certificate:
Forge SAML Token:
HTTP Request (Netwrix)
Mandiant ADFSDUMP
What logs are available?
Enable ADFS logging and set it to verbose
Enable logs for "Audit Service Ticket Operations"
Enable "Audit Applications Generated"
Enable AFDS trace logging
Enable ADFS Logging:
AD FS Audit Level Event IDs:
Set-AdfsProperties -AuditLevel None
Auditing is disabled and no events will be logged.
Set-AdfsProperties -AuditLevel Basic
No more than 5 events will be logged for a single request
Set-AdfsProperties -AuditLevel Verbose
All events will be logged. This will log a significant amount of information per request.
The table below describes the events that are generated when the audit level is set to Basic:
Fresh Credential Validation Success
A request where fresh credentials are validated successfully by the Federation Service. This includes WS-Trust, WS-Federation, SAML-P (first leg to generate SSO) and OAuth Authorize Endpoints.
Fresh Credential Validation Error
A request where fresh credential validation failed on the Federation Service. This includes WS-Trust, WS-Fed, SAML-P (first leg to generate SSO) and OAuth Authorize Endpoints.
Application Token Success
A request where a security token is issued successfully by the Federation Service. For WS-Federation, SAML-P this is logged when the request is processed with the SSO artifact. (such as the SSO cookie).
Application Token Failure
A request where security token issuance failed on the Federation Service. For WS-Federation, SAML-P this is logged when the request was processed with the SSO artifact. (such as the SSO cookie).
Password Change Request Success
A transaction where the password change request was successfully processed by the Federation Service.
Password Change Request Error
A transaction where the password change request failed to be processed by the Federation Service.
Describes a successful sign-out request.
Describes a failed sign-out request.
The table below shows some of the additional events that are generated when the audit level is set to Verbose:
Successful Token Issuance
A token was successfully issued for the relying party '%s’. See audit 500 with the same Instance ID for issued claims. See audit 501 with the same Instance ID for caller identity. See audit 502 with the same Instance ID for OnBehalfOf identity, if any. See audit 503 with the same Instance ID for ActAs identity, if any.
Federation Service Configuration
The Federation service configuration was changed.
An HTTP request was received. Information such as client IP, client request id, user agent and date.
An HTTP response was dispatched.
Following request context headers present.
Successful Token authentication
A token of type '%s' for relying party '%s' was successfully authenticated. See audit 501 with the same Instance ID for caller identity.
Successful Token Issuance
Additional context such as “Issued Claims” is provided by this event during the token issuance process.
Successful Token Authentication
Additional context such as “Caller Identity” is provided by this event during the token authentication event.
Additional information about events such as federation service configuration changes (307), HTTP requests received (403), HTTP requests dispatched (404), etc.
Type 3 and 4662:
DCSync with MSOL or ADFS account will be present if the DKIM is accessed. Does not prove that it was exported but will be present.
SACL to Detect DKM Export:
Normal SAML Creation:
ADFS will generate the following 3 events in security.evtx file if logging is enabled. Because Golden SAML is done offline, these will not be present for the user who forged the SAML ticket. These are not enabled by default.
Compare legitimate logins vs lack of ADFS login
Without Event Logs/EDR:
Credential Dumping/ Pass the hash of ADFS account
If this is ever suspected, burn it down with fire. If ADFS server was ever accessed, maintain abundance of caution and issue new certificate.
Treat ADFS as tier 0 device
Issue new ADFS certificate if Golden SAML is suspected
Ensure all auditing logging is enabled and audit logging is set to detect access to DKM
Revoke all refresh tokens
Revoke Refresh Tokens:
