Golden SAML Theft

What Is Golden SAML Theft

ADFS Configuration (AADINTERNALS)

Exporting AD FS certificates revisited: Tactics, Techniques and Proceduresaadinternals.com

Attacker steals the ADFS certificate and private key to forge SAML tokens. Allows for persistence for password reset and impersonation of any user.

ADFS is a SSO tool that links a user's identity across on-prem, cloud, web apps, etc. ADFS preforms claims based authentication and provides a SAML token that contains a user's access rights whenever required.

Detection And Hunting Of Golden SAML AttackSygnia

Why Golden SAML?

• Bypasses all MFA

• Persistent through password resets

• Impersonate any user in domain without their password

• ADFS certificates are valid for one year (organizations often change this to 10 years).

• Difficult to detect and certain auditing must be be enabled for any visual.

Attack

Attack flow:

1. Compromise ADFS service account (default name: aadcsvc$) OR Domain Administrator.

2. Export

   1. DKIM Key

   2. Token Signing Key

3. Obtain Object GUID of user you want to impersonate

4. Forge SAML Token

5. Access specified resource (m365, web app, etc)

Find out what user is the ADFS service account by looking at "Log On As" in services or enumerate accounts to find it.

Recon for ADFS Object

Select the second one "CN=ADFS, CN=Microsoft, CN=Program Data, etc"

#AD Recon
Get-ADObject -Filter '-Name like "*"' -Server DC01 | findstr ADFS

Export DKM Commands:

Export AD FS DKM Master Key via LDAP Queries — SimuLandsimulandlabs.com

Export ADFS Configuration:

Export AD FS Configuration via a Local Named Pipe — SimuLandsimulandlabs.com

Export Token Signing Certificate:

Export AD FS Certificates via DKM Master Key — SimuLandsimulandlabs.com

Forge SAML Token:

Forge SAML Tokens — SimuLandsimulandlabs.com

HTTP Request (Netwrix)

Golden SAML Attack | Netwrixwww.netwrix.com

Mandiant ADFSDUMP

GitHub - mandiant/ADFSDumpGitHub

Detect

What logs are available?

• Event Logs

• EDR Logs

Event Logs:

• Enable ADFS logging and set it to verbose

• Enable logs for "Audit Service Ticket Operations"

• Enable "Audit Applications Generated"

• Enable AFDS trace logging

Enable ADFS Logging:

Enabling AD FS Security Auditing 📡 and Shipping Event Logs to Microsoft Sentinel 🛡️ | Microsoft Community HubTECHCOMMUNITY.MICROSOFT.COM

AD FS Audit Level Event IDs:

Audit Level	PowerShell syntax	Description
None	Set-AdfsProperties -AuditLevel None	Auditing is disabled and no events will be logged.
Basic (Default)	Set-AdfsProperties -AuditLevel Basic	No more than 5 events will be logged for a single request
Verbose	Set-AdfsProperties -AuditLevel Verbose	All events will be logged. This will log a significant amount of information per request.

The table below describes the events that are generated when the audit level is set to Basic:

Event Type	Event ID	Description
Fresh Credential Validation Success	1202	A request where fresh credentials are validated successfully by the Federation Service. This includes WS-Trust, WS-Federation, SAML-P (first leg to generate SSO) and OAuth Authorize Endpoints.
Fresh Credential Validation Error	1203	A request where fresh credential validation failed on the Federation Service. This includes WS-Trust, WS-Fed, SAML-P (first leg to generate SSO) and OAuth Authorize Endpoints.
Application Token Success	1200	A request where a security token is issued successfully by the Federation Service. For WS-Federation, SAML-P this is logged when the request is processed with the SSO artifact. (such as the SSO cookie).
Application Token Failure	1201	A request where security token issuance failed on the Federation Service. For WS-Federation, SAML-P this is logged when the request was processed with the SSO artifact. (such as the SSO cookie).
Password Change Request Success	1204	A transaction where the password change request was successfully processed by the Federation Service.
Password Change Request Error	1205	A transaction where the password change request failed to be processed by the Federation Service.
Sign Out Success	1206	Describes a successful sign-out request.
Sign Out Failure	1207	Describes a failed sign-out request.

The table below shows some of the additional events that are generated when the audit level is set to Verbose:

Event Type	Event ID	Description
Successful Token Issuance	299	A token was successfully issued for the relying party '%s’. See audit 500 with the same Instance ID for issued claims. See audit 501 with the same Instance ID for caller identity. See audit 502 with the same Instance ID for OnBehalfOf identity, if any. See audit 503 with the same Instance ID for ActAs identity, if any.
Federation Service Configuration	307	The Federation service configuration was changed.
AD FS HTTP Requests	403	An HTTP request was received. Information such as client IP, client request id, user agent and date.
AD FS HTTP Requests	404	An HTTP response was dispatched.
AD FS HTTP Requests	410	Following request context headers present.
Successful Token authentication	412	A token of type '%s' for relying party '%s' was successfully authenticated. See audit 501 with the same Instance ID for caller identity.
Successful Token Issuance	500	Additional context such as “Issued Claims” is provided by this event during the token issuance process.
Successful Token Authentication	501	Additional context such as “Caller Identity” is provided by this event during the token authentication event.
Additional Information	510	Additional information about events such as federation service configuration changes (307), HTTP requests received (403), HTTP requests dispatched (404), etc.

Type 3 and 4662:

DCSync with MSOL or ADFS account will be present if the DKIM is accessed. Does not prove that it was exported but will be present.

SACL to Detect DKM Export:

Export AD FS DKM Master Key via LDAP Queries — SimuLandsimulandlabs.com

Normal SAML Creation:

ADFS will generate the following 3 events in security.evtx file if logging is enabled. Because Golden SAML is done offline, these will not be present for the user who forged the SAML ticket. These are not enabled by default.

• Compare legitimate logins vs lack of ADFS login

Without Event Logs/EDR:

• Execution Forensics

• Command line logging

• Credential Dumping/ Pass the hash of ADFS account

Mitigate

If this is ever suspected, burn it down with fire. If ADFS server was ever accessed, maintain abundance of caution and issue new certificate.

• Treat ADFS as tier 0 device

• Issue new ADFS certificate if Golden SAML is suspected

• Ensure all auditing logging is enabled and audit logging is set to detect access to DKM

• Revoke all refresh tokens

#Revoke all existing refresh tokens (forces user re-auth). 
Revoke-AzureADUserAllRefreshToken

Revoke Refresh Tokens:

Revoke-AzureADUserAllRefreshToken (AzureAD)MicrosoftLearn