Golden SAML Theft
What Is Golden SAML Theft
ADFS Configuration (AADINTERNALS)
Attacker steals the ADFS certificate and private key to forge SAML tokens. Allows for persistence for password reset and impersonation of any user.
ADFS is a SSO tool that links a user's identity across on-prem, cloud, web apps, etc. ADFS preforms claims based authentication and provides a SAML token that contains a user's access rights whenever required.
Why Golden SAML?
Bypasses all MFA
Persistent through password resets
Impersonate any user in domain without their password
ADFS certificates are valid for one year (organizations often change this to 10 years).
Difficult to detect and certain auditing must be be enabled for any visual.
Attack
Attack flow:
Compromise ADFS service account (default name: aadcsvc$) OR Domain Administrator.
Export
DKIM Key
Token Signing Key
Obtain Object GUID of user you want to impersonate
Forge SAML Token
Access specified resource (m365, web app, etc)
Find out what user is the ADFS service account by looking at "Log On As" in services or enumerate accounts to find it.
Recon for ADFS Object
Select the second one "CN=ADFS, CN=Microsoft, CN=Program Data, etc"
Export DKM Commands:
Export ADFS Configuration:
Export Token Signing Certificate:
Forge SAML Token:
HTTP Request (Netwrix)
Mandiant ADFSDUMP
Detect
What logs are available?
Event Logs
EDR Logs
Event Logs:
Enable ADFS logging and set it to verbose
Enable logs for "Audit Service Ticket Operations"
Enable "Audit Applications Generated"
Enable AFDS trace logging
Enable ADFS Logging:
AD FS Audit Level Event IDs:
Audit Level | PowerShell syntax | Description |
None | Set-AdfsProperties -AuditLevel None | Auditing is disabled and no events will be logged. |
Basic (Default) | Set-AdfsProperties -AuditLevel Basic | No more than 5 events will be logged for a single request |
Verbose | Set-AdfsProperties -AuditLevel Verbose | All events will be logged. This will log a significant amount of information per request. |
The table below describes the events that are generated when the audit level is set to Basic:
Event Type | Event ID | Description |
Fresh Credential Validation Success | 1202 | A request where fresh credentials are validated successfully by the Federation Service. This includes WS-Trust, WS-Federation, SAML-P (first leg to generate SSO) and OAuth Authorize Endpoints. |
Fresh Credential Validation Error | 1203 | A request where fresh credential validation failed on the Federation Service. This includes WS-Trust, WS-Fed, SAML-P (first leg to generate SSO) and OAuth Authorize Endpoints. |
Application Token Success | 1200 | A request where a security token is issued successfully by the Federation Service. For WS-Federation, SAML-P this is logged when the request is processed with the SSO artifact. (such as the SSO cookie). |
Application Token Failure | 1201 | A request where security token issuance failed on the Federation Service. For WS-Federation, SAML-P this is logged when the request was processed with the SSO artifact. (such as the SSO cookie). |
Password Change Request Success | 1204 | A transaction where the password change request was successfully processed by the Federation Service. |
Password Change Request Error | 1205 | A transaction where the password change request failed to be processed by the Federation Service. |
Sign Out Success | 1206 | Describes a successful sign-out request. |
Sign Out Failure | 1207 | Describes a failed sign-out request. |
The table below shows some of the additional events that are generated when the audit level is set to Verbose:
Event Type | Event ID | Description |
Successful Token Issuance | 299 | A token was successfully issued for the relying party '%s’. See audit 500 with the same Instance ID for issued claims. See audit 501 with the same Instance ID for caller identity. See audit 502 with the same Instance ID for OnBehalfOf identity, if any. See audit 503 with the same Instance ID for ActAs identity, if any. |
Federation Service Configuration | 307 | The Federation service configuration was changed. |
AD FS HTTP Requests | 403 | An HTTP request was received. Information such as client IP, client request id, user agent and date. |
AD FS HTTP Requests | 404 | An HTTP response was dispatched. |
AD FS HTTP Requests | 410 | Following request context headers present. |
Successful Token authentication | 412 | A token of type '%s' for relying party '%s' was successfully authenticated. See audit 501 with the same Instance ID for caller identity. |
Successful Token Issuance | 500 | Additional context such as “Issued Claims” is provided by this event during the token issuance process. |
Successful Token Authentication | 501 | Additional context such as “Caller Identity” is provided by this event during the token authentication event. |
Additional Information | 510 | Additional information about events such as federation service configuration changes (307), HTTP requests received (403), HTTP requests dispatched (404), etc. |
Type 3 and 4662:
DCSync with MSOL or ADFS account will be present if the DKIM is accessed. Does not prove that it was exported but will be present.
SACL to Detect DKM Export:
Normal SAML Creation:
ADFS will generate the following 3 events in security.evtx file if logging is enabled. Because Golden SAML is done offline, these will not be present for the user who forged the SAML ticket. These are not enabled by default.
Compare legitimate logins vs lack of ADFS login
Without Event Logs/EDR:
Execution Forensics
Command line logging
Credential Dumping/ Pass the hash of ADFS account
Mitigate
If this is ever suspected, burn it down with fire. If ADFS server was ever accessed, maintain abundance of caution and issue new certificate.
Treat ADFS as tier 0 device
Issue new ADFS certificate if Golden SAML is suspected
Ensure all auditing logging is enabled and audit logging is set to detect access to DKM
Revoke all refresh tokens
Revoke Refresh Tokens:
Last updated
