Golden SAML Theft
The attacker steals the ADFS certificate and private key to forge SAML tokens. This provides persistence that survives password resets and allows impersonation of any user.
ADFS is an SSO tool that links a user's identity across on-prem, cloud, web apps, etc. ADFS performs claims-based authentication and provides a SAML token containing the user's access rights whenever one is required.
Bypasses all MFA
Persistent through password resets
Impersonate any user in domain without their password
ADFS certificates are valid for one year (organizations often change this to 10 years).
Difficult to detect; specific auditing must be enabled to have any visibility.
Attack flow:
1. Compromise the ADFS service account (default name: aadcsvc$) OR a Domain Administrator account.
2. Export:
   - DKM key
   - Token signing key
3. Obtain the Object GUID of the user to impersonate.
4. Forge a SAML token.
5. Access the specified resource (M365, web app, etc.).
Find out which user is the ADFS service account by looking at "Log On As" in Services, or enumerate accounts to find it.
Select the second one "CN=ADFS, CN=Microsoft, CN=Program Data, etc"
Event Logs
EDR Logs
Enable ADFS logging and set it to verbose
Enable logs for "Audit Service Ticket Operations"
Enable "Audit Applications Generated"
Enable ADFS trace logging
| Audit Level | PowerShell syntax | Description |
|---|---|---|
| None | `Set-AdfsProperties -AuditLevel None` | Auditing is disabled and no events will be logged. |
| Basic (Default) | `Set-AdfsProperties -AuditLevel Basic` | No more than 5 events will be logged for a single request. |
| Verbose | `Set-AdfsProperties -AuditLevel Verbose` | All events will be logged. This will log a significant amount of information per request. |
The table below describes the events that are generated when the audit level is set to Basic:
| Event Type | Event ID | Description |
|---|---|---|
| Fresh Credential Validation Success | 1202 | A request where fresh credentials are validated successfully by the Federation Service. This includes WS-Trust, WS-Federation, SAML-P (first leg to generate SSO) and OAuth Authorize Endpoints. |
| Fresh Credential Validation Error | 1203 | A request where fresh credential validation failed on the Federation Service. This includes WS-Trust, WS-Fed, SAML-P (first leg to generate SSO) and OAuth Authorize Endpoints. |
| Application Token Success | 1200 | A request where a security token is issued successfully by the Federation Service. For WS-Federation and SAML-P this is logged when the request is processed with the SSO artifact (such as the SSO cookie). |
| Application Token Failure | 1201 | A request where security token issuance failed on the Federation Service. For WS-Federation and SAML-P this is logged when the request was processed with the SSO artifact (such as the SSO cookie). |
| Password Change Request Success | 1204 | A transaction where the password change request was successfully processed by the Federation Service. |
| Password Change Request Error | 1205 | A transaction where the password change request failed to be processed by the Federation Service. |
| Sign Out Success | 1206 | Describes a successful sign-out request. |
| Sign Out Failure | 1207 | Describes a failed sign-out request. |
The table below shows some of the additional events that are generated when the audit level is set to Verbose:
| Event Type | Event ID | Description |
|---|---|---|
| Successful Token Issuance | 299 | A token was successfully issued for the relying party '%s'. See audit 500 with the same Instance ID for issued claims. See audit 501 with the same Instance ID for caller identity. See audit 502 with the same Instance ID for OnBehalfOf identity, if any. See audit 503 with the same Instance ID for ActAs identity, if any. |
| Federation Service Configuration | 307 | The Federation Service configuration was changed. |
| AD FS HTTP Requests | 403 | An HTTP request was received. Information such as client IP, client request id, user agent and date. |
| AD FS HTTP Requests | 404 | An HTTP response was dispatched. |
| AD FS HTTP Requests | 410 | Following request context headers present. |
| Successful Token Authentication | 412 | A token of type '%s' for relying party '%s' was successfully authenticated. See audit 501 with the same Instance ID for caller identity. |
| Successful Token Issuance | 500 | Additional context such as "Issued Claims" is provided by this event during the token issuance process. |
| Successful Token Authentication | 501 | Additional context such as "Caller Identity" is provided by this event during the token authentication event. |
| Additional Information | 510 | Additional information about events such as Federation Service configuration changes (307), HTTP requests received (403), HTTP requests dispatched (404), etc. |
A DCSync (directory replication) by the MSOL or ADFS account will be present in the logs if the DKM key is accessed. This does not prove that the key was exported, but the event will be present.
ADFS will generate the following 3 events in the Security.evtx file if logging is enabled. Because a Golden SAML token is forged offline, these events will not be present for a forged SAML token. These events are not enabled by default.
Compare legitimate logins, which produce ADFS login events, against relying-party logins that have no corresponding ADFS login; the latter indicate a forged token.
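As an added example (not part of the original page), a Python hunt over constructed AD FS Security events and relying-party sign-in records that implements this comparison: any federated sign-in with no Event ID 1200 for the same user shortly beforehand is flagged. The event field names, user names and the 300-second window are assumptions.

```python
"""Hunt for relying-party sign-ins with no matching AD FS token-issuance event.
A Golden SAML token is forged offline, so the relying party (e.g. M365) records a
federated sign-in while the AD FS Security log has no Event ID 1200 for that user."""
from datetime import datetime, timedelta

# Constructed sample AD FS Security log events (1202 = fresh credentials validated,
# 1200 = token issued); real ones come from Security.evtx with auditing at Basic or above.
ADFS_EVENTS = [
    {"event_id": 1202, "time": "2024-03-01T09:00:05Z", "user": "alice@corp.example", "instance_id": "a1"},
    {"event_id": 1200, "time": "2024-03-01T09:00:06Z", "user": "alice@corp.example", "instance_id": "a1"},
    {"event_id": 1200, "time": "2024-03-01T11:30:00Z", "user": "bob@corp.example", "instance_id": "b7"},
]

# Constructed sample sign-ins exported from the relying party, pre-filtered to those that
# report federated (SAML) authentication; cloud-side refresh-token renewals are excluded
# because they legitimately occur without a new AD FS token.
CLOUD_SIGNINS = [
    {"time": "2024-03-01T09:00:09Z", "user": "alice@corp.example", "app": "Exchange Online"},
    {"time": "2024-03-01T11:30:02Z", "user": "bob@corp.example", "app": "SharePoint Online"},
    {"time": "2024-03-01T13:45:00Z", "user": "cfo@corp.example", "app": "Exchange Online"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in both constructed data sets."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_orphan_signins(signins, adfs_events, window_seconds=300):
    """Return sign-ins with no AD FS 1200 event for the same user in the preceding window.
    The window absorbs normal redirect latency between AD FS issuing the token and the
    relying party consuming it; a sign-in outside it is unexplained by any AD FS login."""
    issued = [(e["user"].lower(), parse_ts(e["time"]))
              for e in adfs_events if e["event_id"] == 1200]
    orphans = []
    for signin in signins:
        when, who = parse_ts(signin["time"]), signin["user"].lower()
        explained = any(
            who == user and timedelta(0) <= when - issued_at <= timedelta(seconds=window_seconds)
            for user, issued_at in issued
        )
        if not explained:
            orphans.append(signin)
    return orphans


if __name__ == "__main__":
    for s in find_orphan_signins(CLOUD_SIGNINS, ADFS_EVENTS):
        print(f"no AD FS token issuance for {s['user']} at {s['time']} ({s['app']})")
```

A sign-in that precedes its only candidate 1200 event is also flagged, since a token cannot be consumed before it is issued.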
Execution Forensics
Command line logging
Credential dumping / Pass-the-Hash of the ADFS account
If this is ever suspected, burn it down with fire. If the ADFS server was ever accessed, maintain an abundance of caution and issue a new certificate.
Treat ADFS as a tier 0 device
Issue a new ADFS certificate if Golden SAML is suspected
Ensure all audit logging is enabled and that it is configured to detect access to the DKM
Revoke all refresh tokens