Eight ways to compromise AD FS certificates

Many state-sponsored attacks, including Solorigate by NOBELIUM from 2020, have exploited AD FS identity federation to gain access to target organizations’ Azure AD. This session will cover all known ways threat actors can export the AD FS token-signing certificates needed to perform Golden SAML attacks.

Active Directory Federation Services (AD FS) is Microsoft’s single-sign-on (SSO) solution. AD FS is included in Windows Server operating systems as a feature. AD FS is often used as an identity federation solution with Microsoft’s cloud-based identity and access management service, Azure Active Directory (Azure AD).

AD FS identity federation is based on industry standards, such as Security Assertion Markup Language (SAML) tokens. SAML tokens contain information about the user, such as identification details, the user’s name, and group memberships. SAML tokens are cryptographically signed using certificates trusted by Azure AD.

If a threat actor is able to compromise the signing certificates, they can use them to perform Golden SAML attacks. These attacks allow threat actors to impersonate users and bypass MFA. In January 2022, 88 per cent of Fortune 500 companies used Azure AD. Of these, 68 per cent were still using identity federation. The high adoption rate of AD FS makes it a lucrative target for state-sponsored threat actors, which we have witnessed during the past couple of years.

In this talk, I will demonstrate all known ways threat actors can access the two main ingredients needed to export the signing certificates: the AD FS configuration database and the DKM master key. I’ll start by outlining the different configuration options of AD FS, then proceed to the available attack paths. After a live demonstration of these attack paths, I’ll share tips on protecting against them.

About the Speaker