Threat Watch

APT Groups Continue to Gain Access to Active Directory Using Golden SAML Attacks

An investigation by inversecos, an IR consultant for Secureworks, confirms that APT groups are still using the Golden SAML attack to bypass authentication controls and access Office 365 environments. Most of the victims either have a hybrid authentication model or are completely in the cloud.

Compromising the token-signing certificate of an AD FS (Active Directory Federation Services) server could result in access to the Azure/Office 365 environment. Token-signing certificates are valid for one year by default, which allows a threat actor holding a stolen copy to maintain persistence and re-enter Azure/Office 365 as any user within AD for that period, regardless of password resets or multi-factor authentication.

The attack flow is as follows:

Step 1. Attacker compromises the on-premises domain
Step 2. Enumeration
Step 3. Gather the credentials for the AD FS process owner (service) account
Step 4. Laterally move to the AD FS server
Step 5. Obtain the encrypted token-signing certificate from the AD FS server
Step 6. Obtain the DKM (Distributed Key Manager) key needed to decrypt it
Step 7. Decrypt the token-signing certificate
Step 8. Generate a SAML token

Re-issuing the token-signing certificate on AD FS voids SAML tokens signed with the stolen certificate and ensures that no copy of the stolen certificate remains cached in Azure Active Directory. Forcing all users to re-authenticate ensures that every user must log in again with tokens signed by the new certificate, which voids any sessions established through potentially malicious logins. Using security solutions to detect intrusions and attacker activity targeting the AD FS server is an important first step toward protecting the token-signing certificate from theft. It is critical to have a Security Operations Center, whether staffed internally or through a managed security provider, that can recognize attacks against AD FS quickly and respond proactively.
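One practical detection that follows from the paragraph above: a forged (Golden) SAML token is accepted by Azure AD even though the AD FS server never issued it, so a federated cloud sign-in with no matching AD FS token-issuance event for that user shortly beforehand is worth investigating. The script below is an added example, not part of the original bulletin or of any vendor tool. It assumes the AD FS audit events are forwarded to a SIEM in the simplified "EventID=.../User=..." line form shown, that the cloud sign-in export carries the authentication method, and that a five-minute correlation window is acceptable; all log lines are constructed for the example.

```python
"""Correlate federated (SAML) cloud sign-ins with AD FS token-issuance events.

A federated sign-in in the cloud with no AD FS 1200 ("token issued") event
for the same user inside the look-back window is flagged.  Log formats,
field names and sample data below are constructed assumptions for this
example, not a real vendor schema.
"""
from datetime import datetime, timedelta, timezone

# Constructed AD FS audit lines in an assumed SIEM form: "<iso time> EventID=<id> User=<upn>".
# 1200 = token issued; 1202 = fresh credential validated (not an issuance).
ADFS_LOG = """\
2023-03-02T09:14:05Z EventID=1200 User=alice@corp.example
2023-03-02T09:20:40Z EventID=1200 User=bob@corp.example
2023-03-02T11:02:11Z EventID=1202 User=alice@corp.example
"""

# Constructed cloud sign-in records: (time, upn, auth method, request id).
CLOUD_SIGNINS = [
    ("2023-03-02T09:14:09Z", "alice@corp.example", "federated", "req-001"),
    ("2023-03-02T09:21:02Z", "bob@corp.example",   "federated", "req-002"),
    ("2023-03-02T10:45:00Z", "carol@corp.example", "federated", "req-003"),  # AD FS never saw carol
    ("2023-03-02T11:02:30Z", "alice@corp.example", "federated", "req-004"),  # only a 1202, no 1200
    ("2023-03-02T12:00:00Z", "dave@corp.example",  "password",  "req-005"),  # cloud-only, not SAML
]

WINDOW = timedelta(minutes=5)  # assumed acceptable gap between AD FS issuance and cloud use


def parse_ts(value: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp used in both logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_adfs_issuances(text: str) -> dict[str, list[datetime]]:
    """Return {upn: [issuance times]} using only EventID=1200 lines."""
    issued: dict[str, list[datetime]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        if kv.get("EventID") != "1200":
            continue
        issued.setdefault(kv["User"].lower(), []).append(parse_ts(ts))
    return issued


def find_unbacked_signins(adfs_text: str, signins, window: timedelta = WINDOW) -> list[str]:
    """Request ids of federated cloud sign-ins with no AD FS issuance in the window."""
    issued = parse_adfs_issuances(adfs_text)
    suspicious = []
    for ts, upn, method, request_id in signins:
        if method != "federated":
            continue  # password/cloud-native sign-ins are not SAML-backed
        when = parse_ts(ts)
        backed = any(when - window <= t <= when for t in issued.get(upn.lower(), []))
        if not backed:
            suspicious.append(request_id)
    return suspicious


if __name__ == "__main__":
    for rid in find_unbacked_signins(ADFS_LOG, CLOUD_SIGNINS):
        print(f"investigate: federated sign-in {rid} has no AD FS issuance event")
```

In the constructed data, req-003 (a user AD FS never issued a token for) and req-004 (a credential-validation event but no issuance) are flagged, while the password sign-in is skipped. In production the same logic runs over forwarded AD FS security events and the tenant's sign-in export; the window should be tuned to the observed clock skew between the AD FS farm and the cloud logs.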