Golden SAML Attack

The attack is easiest to understand as a sequence of steps, as laid out in the Orange Cyberdefense blog and other sources. The one-line summary: whoever holds the AD FS token-signing private key can mint SAML tokens for any federated user, and every relying party that trusts that key will accept them as genuine.(hunters.security, Sygnia)


🧠 Step-by-Step Breakdown of the Golden SAML Attack

Step 1: Compromise the AD FS Server

The attacker first gains administrative access to the Active Directory Federation Services (AD FS) server, whether by exploiting a vulnerability, phishing an administrator, or moving laterally from elsewhere in the domain. Local administrator on the AD FS host or control of the AD FS service account is the practical bar: either is enough to read the AD FS configuration database, where the token-signing certificate and its private key are stored encrypted, and the Distributed Key Manager (DKM) key in Active Directory that decrypts them.(Netwrix)

Step 2: Extract the Token-Signing Certificate

With those privileges the attacker exports the token-signing certificate together with its private key. The public half is no secret (it is published in the federation metadata every relying party downloads); the private key is what matters, because it lets the attacker sign tokens that are indistinguishable from ones AD FS issued. ADFSDump automates the extraction: it reads the encrypted key material from the configuration database and the DKM key from AD, and the key is then decrypted offline.(Netwrix, Splunk)

Step 3: Gather Necessary User Information

The attacker then collects the identifiers the relying party keys on for the target user: the User Principal Name (UPN) and the ObjectGUID from Active Directory. For Microsoft 365 the decisive value is the ImmutableID, the base64 encoding of the ObjectGUID bytes that Azure AD Connect synchronises as the account's sourceAnchor; the cloud account lookup is keyed on it. Any domain user can read these attributes, so this step needs none of the AD FS privileges of step 1.(Secureworks, Cyber Risk Analytics Management - QOMPLX)

Step 4: Forge the SAML Token

Using the stolen key and those identifiers, the attacker builds a SAML assertion that asserts the victim's identity (NameID/ImmutableID, UPN) and whatever further claims the relying party honours, for instance the role claims AWS uses to decide which IAM role the session may assume. Because the attacker is now the issuer, nothing constrains the token: lifetime, authentication-method claims (including ones stating that MFA was performed) and group memberships are all whatever the attacker writes. ADFSpoof is the usual tool for this step. The assertion is signed with the stolen certificate, so it is cryptographically indistinguishable from one AD FS issued.(Secureworks, hunters.security)

Step 5: Authenticate to Service Providers

The attacker presents the forged token to a relying party such as Microsoft 365 or AWS. The relying party does what any SAML service provider does: it checks the signature against the token-signing certificate it holds for the federation trust, checks the audience and validity window, and creates a session for the asserted user. The user's password and MFA were the identity provider's job, and the identity provider was never contacted, so neither is involved and AD FS records no sign-in for the access.(hunters.security)
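Steps 3 to 5 end-to-end, as an added example rather than code from any of the cited sources or from tooling such as ADFSpoof. The signing key is generated on the spot in place of the one step 2 exports, the assertion is reduced to the claims that matter for a Microsoft 365 trust (NameID carrying the ImmutableID, audience, validity window; the UPN attribute claim is left out), and a detached RSA-SHA256 signature stands in for the enveloped XML-DSig that real tokens carry, so the trust relationship is visible without an XML canonicaliser. The tenant and ObjectGUID are hypothetical; `urn:federation:MicrosoftOnline` is the real Microsoft 365 audience URI, and the ObjectGUID-to-ImmutableID byte order matches .NET's `Guid.ToByteArray()`. The block also replays the same token against a rotated certificate to show what the rotation mitigation actually does.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Reduced SAML 2.0 assertion: real AD FS tokens carry more elements (Issuer,
// attribute claims) and an enveloped XML-DSig signature over the canonical XML.
type Conditions struct {
	NotBefore    time.Time `xml:"NotBefore,attr"`
	NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
	Audience     string    `xml:"AudienceRestriction>Audience"`
}
type Assertion struct {
	XMLName    xml.Name   `xml:"Assertion"`
	NameID     string     `xml:"Subject>NameID"` // the ImmutableID for a Microsoft 365 trust
	Conditions Conditions `xml:"Conditions"`
}

// Token is the detached form used here (assertion bytes plus an RSA-SHA256
// signature over them); it stands in for XML-DSig so no canonicaliser is needed.
type Token struct{ XML, Sig []byte }

// immutableID derives the ImmutableID/sourceAnchor that Azure AD Connect syncs:
// the objectGUID bytes in .NET Guid.ToByteArray() order (first three fields
// little-endian), base64-encoded. This is what step 3's objectGUID turns into.
func immutableID(objectGUID string) (string, error) {
	raw, err := hex.DecodeString(strings.ReplaceAll(objectGUID, "-", ""))
	if err != nil || len(raw) != 16 {
		return "", errors.New("objectGUID must be a 36-character GUID string")
	}
	b := []byte{raw[3], raw[2], raw[1], raw[0], raw[5], raw[4], raw[7], raw[6]}
	return base64.StdEncoding.EncodeToString(append(b, raw[8:]...)), nil
}

// forgeToken is step 4: the stolen key plus the victim's objectGUID is all the
// attacker needs. AD FS is never contacted, so it records no sign-in.
func forgeToken(key *rsa.PrivateKey, audience, objectGUID string, now time.Time) (*Token, error) {
	id, err := immutableID(objectGUID)
	if err != nil {
		return nil, err
	}
	body, err := xml.Marshal(Assertion{NameID: id,
		Conditions: Conditions{now.Add(-time.Minute), now.Add(time.Hour), audience}})
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return &Token{body, sig}, err
}

// accept is step 5 from the relying party's side: its whole trust configuration
// is the IdP's public key and an audience URI. No password and no MFA are
// involved; the signature is the only evidence it has of who the user is.
func accept(idpKey *rsa.PublicKey, audience string, t *Token, now time.Time) (string, error) {
	digest := sha256.Sum256(t.XML)
	if err := rsa.VerifyPKCS1v15(idpKey, crypto.SHA256, digest[:], t.Sig); err != nil {
		return "", errors.New("signature does not verify against the trusted IdP certificate")
	}
	var a Assertion
	if err := xml.Unmarshal(t.XML, &a); err != nil {
		return "", err
	}
	if a.Conditions.Audience != audience {
		return "", errors.New("audience mismatch")
	}
	if now.Before(a.Conditions.NotBefore) || !now.Before(a.Conditions.NotOnOrAfter) {
		return "", errors.New("token outside its validity window")
	}
	return a.NameID, nil
}

// Scenario runs the attack against a hypothetical tenant, then shows why rotating
// the token-signing certificate (and re-trusting the SP) cuts the access off.
func Scenario() (accepted string, afterRotation, err error) {
	stolen, _ := rsa.GenerateKey(rand.Reader, 2048)  // stands in for the key exported in step 2
	rotated, _ := rsa.GenerateKey(rand.Reader, 2048) // the replacement certificate
	const audience = "urn:federation:MicrosoftOnline"
	now := time.Now()
	tok, err := forgeToken(stolen, audience, "12345678-9abc-def0-1234-56789abcdef0", now)
	if err != nil {
		return "", nil, err
	}
	accepted, err = accept(&stolen.PublicKey, audience, tok, now)
	_, afterRotation = accept(&rotated.PublicKey, audience, tok, now)
	return accepted, afterRotation, err
}

func main() {
	accepted, afterRotation, err := Scenario()
	fmt.Println("SP session for NameID:", accepted, "| after rotation:", afterRotation, "| error:", err)
}
```

Two things to take from running it: the relying party's only input about the user is the signature, so the attacker's token is accepted with `NameID` `eFY0Erya8N4SNFZ4mrze8A==` and no credential ever presented; and the identical token fails the moment the relying party trusts a different certificate, which is why rotation (completed on the relying-party side, not just on AD FS) is the mitigation that ends the attacker's access.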


🔍 Additional Insights

  • Persistence: As long as the relying parties still trust the stolen certificate, the attacker can mint a fresh token for any federated user at any time without touching AD FS again. Resetting the victim's password or re-enrolling their MFA does not help, because the forged token never involves either.(Secureworks)

  • Detection Challenges: The signature is genuine, so nothing in the token itself gives it away, and detection has to come from context. The strongest signal is a relying-party sign-in for a federated user with no corresponding token-issuance event in the AD FS Admin log (Event IDs 1200, token issued, and 1202, credential validated). Others are tokens whose lifetime or claims differ from what the AD FS issuance policy produces, sign-ins from unfamiliar IP addresses or user agents, and reads of the DKM container or exports of the configuration database on the AD FS server.

  • Mitigation Strategies:

    • Rotate the token-signing certificate on a schedule and immediately when compromise is suspected; in the emergency case rotate it twice in succession, as Microsoft's emergency-rotation guidance recommends, so that relying parties that keep the previous certificate as a secondary stop accepting it. Every rotation must be followed by updating each relying party's trust (federation metadata or a manually uploaded certificate), otherwise the stolen certificate stays valid where it matters.

    • Treat AD FS servers as Tier 0 assets: restrict local administrators and the AD FS service account to the smallest possible set, limit who can read the DKM container in Active Directory, and forward the AD FS Admin and Security logs off the host so an attacker with administrative rights cannot quietly remove the evidence.

    • Correlate relying-party sign-in logs with AD FS issuance events and alert on sign-ins that have none behind them; combine this with behavioural baselines (location, device, time of day) for federated accounts.(Netwrix, Secureworks)
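One concrete form of the correlation rule, as an added example rather than a query from any of the cited vendors: join the relying party's sign-in log with AD FS Event ID 1200/1202 records by UPN and flag sign-ins that have no issuance event inside a short window before them. The log lines are constructed for the example and use a simplified JSON shape, not the native AD FS event XML or the Microsoft 365 sign-in export format; the field names and the 10-minute window are assumptions to be tuned to the environment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// ADFSEvent is the subset of an AD FS Admin log record the rule needs: event
// 1200 (token issued) or 1202 (credential validated) and the user it was for.
type ADFSEvent struct {
	Time    time.Time `json:"time"`
	EventID int       `json:"event_id"`
	UPN     string    `json:"upn"`
}

// CloudSignIn is the subset of the service provider's sign-in log: the SP
// records that it accepted a token carrying this UPN, wherever it came from.
type CloudSignIn struct {
	Time time.Time `json:"time"`
	UPN  string    `json:"upn"`
	App  string    `json:"app"`
	IP   string    `json:"ip"`
}

// Constructed sample logs, not real data. Alice and Bob each authenticate at
// AD FS before their morning sign-ins; the afternoon sign-in as Alice has no
// issuance event behind it, which is exactly what a forged token looks like.
const adfsLog = `
{"time":"2024-03-01T09:00:05Z","event_id":1202,"upn":"alice@contoso.example"}
{"time":"2024-03-01T09:00:06Z","event_id":1200,"upn":"alice@contoso.example"}
{"time":"2024-03-01T09:30:00Z","event_id":1200,"upn":"bob@contoso.example"}`

const cloudLog = `
{"time":"2024-03-01T09:00:09Z","upn":"alice@contoso.example","app":"Exchange Online","ip":"203.0.113.10"}
{"time":"2024-03-01T09:30:04Z","upn":"bob@contoso.example","app":"SharePoint Online","ip":"203.0.113.10"}
{"time":"2024-03-01T13:12:41Z","upn":"alice@contoso.example","app":"Exchange Online","ip":"198.51.100.77"}`

// parseLines decodes one JSON object per non-empty line.
func parseLines[T any](raw string) ([]T, error) {
	var out []T
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		var rec T
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		out = append(out, rec)
	}
	return out, nil
}

// FindUnbackedSignIns returns the SP sign-ins with no AD FS 1200/1202 event for
// the same UPN inside [signIn-window, signIn+skew]. The small positive skew
// tolerates clock drift between the AD FS host and the service provider.
func FindUnbackedSignIns(adfs []ADFSEvent, cloud []CloudSignIn, window, skew time.Duration) []CloudSignIn {
	issued := map[string][]time.Time{}
	for _, e := range adfs {
		if e.EventID == 1200 || e.EventID == 1202 {
			u := strings.ToLower(e.UPN)
			issued[u] = append(issued[u], e.Time)
		}
	}
	var flagged []CloudSignIn
	for _, s := range cloud {
		backed := false
		for _, t := range issued[strings.ToLower(s.UPN)] {
			if !t.Before(s.Time.Add(-window)) && !t.After(s.Time.Add(skew)) {
				backed = true
				break
			}
		}
		if !backed {
			flagged = append(flagged, s)
		}
	}
	return flagged
}

// Run applies the rule to the sample logs and returns the hits.
func Run() ([]CloudSignIn, error) {
	adfs, err := parseLines[ADFSEvent](adfsLog)
	if err != nil {
		return nil, err
	}
	cloud, err := parseLines[CloudSignIn](cloudLog)
	if err != nil {
		return nil, err
	}
	return FindUnbackedSignIns(adfs, cloud, 10*time.Minute, 2*time.Minute), nil
}

func main() {
	hits, err := Run()
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("%s sign-in as %s to %s from %s has no AD FS issuance event: possible forged token\n",
			h.Time.Format(time.RFC3339), h.UPN, h.App, h.IP)
	}
}
```

On the sample data only the 13:12 sign-in as Alice from 198.51.100.77 is flagged. Two caveats before running this against production logs: session refreshes and cached tokens at the service provider also produce sign-in records without a fresh AD FS issuance, so restrict the rule to interactive sign-ins that presented a new federated token; and both logs must be collected off-host, because an attacker who has reached step 1 can edit the AD FS server's local event log.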