Azure AD Hybrid Identity: Stealing the AD FS Token Signing Certificate to Forge SAML Tokens and Access Mail Data
Microsoft's identity solutions span on-premises and cloud-based capabilities. These solutions create a common user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity, and one of the authentication methods available is federation with Active Directory Federation Services (AD FS).
In this step-by-step guide, we simulate an adversary stealing the AD FS token signing certificate from an on-prem AD FS server, using it to sign a new SAML token, impersonating a privileged user and eventually collecting mail data via the Microsoft Graph API. This lab also focuses on showing the detection capabilities of Microsoft Defender security products and Microsoft Sentinel; therefore, each simulation step is mapped to its respective alert and detection queries when possible.
The first step is to deploy the lab environment. Use the following document to prepare and deploy the infrastructure and services required to run the simulation plan.
This simulation starts with a compromised on-prem AD FS server where a threat actor managed to obtain the credentials of the AD FS service account.
Step | Tactic(s) | Technique | Actions | Description |
---|---|---|---|---|
1 | Credential Access | Unsecured Credentials | Export AD FS Configuration Settings via Named Pipe | Connect to the AD FS configuration database locally via a named pipe and read the AD FS configuration settings, which contain the encrypted token signing certificate. |
2 | Credential Access | Unsecured Credentials | Export AD FS DKM Master Key via LDAP queries | Query the Domain Controller over LDAP for the AD FS DKM master key, which is stored in an Active Directory contact object under the AD FS container and is readable by the AD FS service account. |
3 | Credential Access | Unsecured Credentials: Private Keys | Export AD FS Certificates with DKM key | Use the AD FS DKM master key to derive a symmetric key and decrypt the AD FS certificates exported in step 1. |
4 | Credential Access | Forge Web Credentials: SAML Tokens | Forge SAML Token | Use the stolen AD FS token signing certificate to sign a new SAML token that impersonates a privileged user who can also access resources in Azure. |
5 | Persistence, Defense Evasion, Privilege Escalation | Valid Accounts: Cloud Accounts | Request OAuth Access Token with SAML Assertion | Present the forged SAML assertion to get an OAuth access token for the Microsoft Graph API, using the public Azure Active Directory PowerShell application as the client. Use the following information while running this step: |
6 | Persistence | Account Manipulation: Exchange Email Delegate Permissions | Update Application OAuth Permission Scopes; Grant OAuth Permissions to Application | Use the OAuth token to call the Microsoft Graph API and simulate an adversary granting delegated Mail.ReadWrite permissions to an Azure AD application. Usually, a threat actor would prefer to use an existing application that already has the desired permissions granted. However, in this step we simulate a threat actor updating the Required Resource Access property of an application and updating the OAuth2PermissionGrant of that application to grant new delegated permissions. |
7 | Persistence | Account Manipulation: Additional Cloud Credentials | Add credentials to OAuth Application | Add new credentials to the compromised OAuth application using the same OAuth access token and the Microsoft Graph API. Those credentials can then be used to sign in to the application on behalf of the impersonated user. |
8 | Persistence, Defense Evasion, Privilege Escalation | Valid Accounts: Cloud Accounts | Request OAuth Access Token with SAML Assertion | Get an OAuth access token for the Microsoft Graph API again, but this time using the compromised application as the client. You must use the new credentials (client secret) added to it in the previous step. Use the following information while running this step: |
9 | Collection | Email Collection | Access account mailbox via Graph API | Use the new OAuth access token to call the Microsoft Graph API and read mail from the mailbox of the signed-in user. |
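Steps 2 and 3 rely on the fact that the certificates in the AD FS configuration are not protected by the AD FS server alone: a symmetric key derived from the DKM master key (which the service account can read from the domain) unwraps them. The following is an added example, not code from the original lab or from Microsoft, that shows the key derivation itself: NIST SP 800-108 counter-mode KDF with HMAC-SHA256, the construction DKM uses, followed by a MAC check that refuses to proceed when the wrong master key was supplied. The label, context, 64-byte output split, blob layout and all sample bytes are assumptions constructed for the demonstration, not values read from a real AD FS configuration.

```python
# Added example: SP 800-108 counter-mode KDF (HMAC-SHA256) as used by AD FS DKM
# to turn the master key from the domain into the key that protects stored certs.
# Label/context/length/split and the sample blob are ASSUMED values for the demo.
import hashlib
import hmac
import struct


def sp800_108_ctr_hmac(master_key, label, context, out_len):
    """Return out_len bytes: K(i) = HMAC-SHA256(master_key, [i]_32 || label || 0x00 || context || [L]_32)."""
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    digest_len = hashlib.sha256().digest_size
    n_blocks = -(-out_len // digest_len)          # ceil(out_len / 32)
    l_bits = struct.pack(">I", out_len * 8)       # total requested length in bits
    out = b""
    for i in range(1, n_blocks + 1):
        fixed = struct.pack(">I", i) + label + b"\x00" + context + l_bits
        out += hmac.new(master_key, fixed, hashlib.sha256).digest()
    return out[:out_len]


def derive_dkm_keys(master_key, label, context):
    """Derive 64 bytes and split into (AES-256 key, HMAC-SHA256 key). The split is an assumption."""
    km = sp800_108_ctr_hmac(master_key, label, context, 64)
    return km[:32], km[32:]


def unwrap_encrypted_pfx(master_key, label, context, ciphertext, mac):
    """Return the AES key to decrypt the blob with, or None if the MAC does not verify.

    Verifying the MAC before touching the ciphertext is the check that tells an
    operator whether the DKM key read in step 2 is the right one for this blob.
    """
    aes_key, mac_key = derive_dkm_keys(master_key, label, context)
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    return aes_key


# --- constructed sample data (not from a real AD FS farm) -------------------
SAMPLE_MASTER_KEY = bytes(range(32))                      # assumed DKM master key
SAMPLE_LABEL = b"AdfsEncryptedPfx"                        # assumed KDF label
SAMPLE_CONTEXT = b"\x11\x22\x33\x44\x55\x66\x77\x88"      # assumed KDF context (nonce)
SAMPLE_CIPHERTEXT = bytes.fromhex("deadbeef" * 8)         # stands in for the AES-CBC body


def build_sample_mac():
    """MAC over the sample ciphertext under the correct master key (constructed)."""
    _, mac_key = derive_dkm_keys(SAMPLE_MASTER_KEY, SAMPLE_LABEL, SAMPLE_CONTEXT)
    return hmac.new(mac_key, SAMPLE_CIPHERTEXT, hashlib.sha256).digest()


if __name__ == "__main__":
    mac = build_sample_mac()
    print("correct key ->", unwrap_encrypted_pfx(SAMPLE_MASTER_KEY, SAMPLE_LABEL, SAMPLE_CONTEXT, SAMPLE_CIPHERTEXT, mac) is not None)
    print("wrong key   ->", unwrap_encrypted_pfx(b"\x00" * 32, SAMPLE_LABEL, SAMPLE_CONTEXT, SAMPLE_CIPHERTEXT, mac) is not None)
```

The security-relevant point is in the last two lines: nothing in this derivation is a secret held only by the AD FS server. Anyone who can read the contact object holding the master key (the service account by design, and therefore whoever has its credentials) can reproduce the key and, with the configuration export from step 1, recover the token signing certificate offline.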
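On the detection side of steps 4 and 5, the property that matters is that a token signed with the stolen certificate never passes through the AD FS server, so Azure AD records a federated sign-in for which the AD FS farm logged no token issuance (AD FS Admin log Event ID 1200, "The Federation Service issued a valid token"). The following is an added example, not a query from the original lab or from Microsoft Sentinel, that runs that correlation over constructed records. The field names, the five-minute window and all sample events are assumptions for the demonstration; real data would come from the Azure AD sign-in logs and the AD FS Admin log of every farm node.

```python
# Added example: flag federated Azure AD sign-ins that have no matching AD FS
# token-issuance event (ID 1200) shortly before them. Record layouts and sample
# events are CONSTRUCTED for the demo; they are not real log schemas or real data.
from datetime import datetime, timedelta

ADFS_TOKEN_ISSUED = 1200  # AD FS Admin log: "The Federation Service issued a valid token"

# Constructed AD FS Admin-log events collected from all farm nodes
ADFS_EVENTS = [
    {"EventID": 1200, "UserPrincipalName": "alice@contoso.com", "TimeGenerated": datetime(2021, 5, 10, 9, 0, 5)},
    {"EventID": 1202, "UserPrincipalName": "alice@contoso.com", "TimeGenerated": datetime(2021, 5, 10, 9, 0, 4)},
    {"EventID": 1200, "UserPrincipalName": "bob@contoso.com",   "TimeGenerated": datetime(2021, 5, 10, 9, 30, 0)},
]

# Constructed Azure AD sign-in records. "Federated" marks a user whose domain is
# federated with AD FS; "Managed" is a cloud-authenticated user and out of scope.
SIGNIN_EVENTS = [
    {"UserPrincipalName": "alice@contoso.com", "TimeGenerated": datetime(2021, 5, 10, 9, 0, 20),
     "AuthenticationType": "Federated", "AppDisplayName": "Office 365 Exchange Online"},
    {"UserPrincipalName": "Admin@contoso.com", "TimeGenerated": datetime(2021, 5, 10, 10, 15, 0),
     "AuthenticationType": "Federated", "AppDisplayName": "Azure Active Directory PowerShell"},  # forged token
    {"UserPrincipalName": "bob@contoso.com", "TimeGenerated": datetime(2021, 5, 10, 9, 45, 0),
     "AuthenticationType": "Federated", "AppDisplayName": "Microsoft Graph"},                   # 15 min after 1200: stale
    {"UserPrincipalName": "carol@contoso.com", "TimeGenerated": datetime(2021, 5, 10, 11, 0, 0),
     "AuthenticationType": "Managed", "AppDisplayName": "Microsoft Graph"},                      # not federated
]


def signins_without_adfs_issuance(signins, adfs_events, window=timedelta(minutes=5)):
    """Return federated sign-ins with no AD FS 1200 event for the same UPN within `window` before them."""
    issued = {}
    for e in adfs_events:
        if e["EventID"] == ADFS_TOKEN_ISSUED:
            issued.setdefault(e["UserPrincipalName"].lower(), []).append(e["TimeGenerated"])

    flagged = []
    for s in signins:
        if s["AuthenticationType"] != "Federated":
            continue
        candidates = issued.get(s["UserPrincipalName"].lower(), [])
        covered = any(timedelta(0) <= s["TimeGenerated"] - t <= window for t in candidates)
        if not covered:
            flagged.append(s)
    return flagged


def flagged_upns(signins=SIGNIN_EVENTS, adfs_events=ADFS_EVENTS):
    return sorted(s["UserPrincipalName"].lower() for s in signins_without_adfs_issuance(signins, adfs_events))


if __name__ == "__main__":
    for s in signins_without_adfs_issuance(SIGNIN_EVENTS, ADFS_EVENTS):
        print(f"{s['TimeGenerated']}  {s['UserPrincipalName']}  {s['AppDisplayName']}  <- no AD FS 1200 within 5 min")
```

Two caveats when turning this into a production query. First, the correlation only holds if the AD FS Admin log is collected from every node in the farm and clocks are in sync; a missing node looks exactly like a forged token. Second, Azure AD does not go back to AD FS for every sign-in (refresh tokens and session cookies are redeemed in the cloud), so scope the rule to sign-ins that actually redeemed a SAML assertion, such as the initial sign-in of step 5, rather than to every sign-in of a federated user.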