Mandiant discovered that improper manual rotation of ADFS certificates can expose active signing keys in Machine DPAPI. This vulnerability allows attackers to forge SAML tokens and bypass authentication mechanisms, posing significant risks to enterprise security.
Mandiant's research on the 'Golden SAML' technique has highlighted significant vulnerabilities in Microsoft identity management.
The discovery during a recent red team engagement showed that certain configurations lead to active ADFS signing keys being left exposed.
When AutoCertificateRollover is disabled, and certificates are rotated manually, old certificates can still exist in Machine DPAPI, creating a 'ghost' record.
This configuration is prevalent in enterprise environments, allowing adversaries to exploit it without triggering alarms.
By accessing the exposed signing keys, attackers can authenticate as any user to SAML-federated applications, bypassing MFA and identity controls.
The low visibility of this attack method due to its avoidance of direct interactions with monitored components enhances its threat level.
Organizations should ensure that AutoCertificateRollover is enabled and conduct regular audits of their ADFS configurations.
Mandiant provides a detailed blueprint for defending against exploitation of this vulnerability, urging awareness and proactive measures.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
Mandiant discovered that improper manual rotation of ADFS certificates can expose active signing keys in Machine DPAPI. This vulnerability allows attackers to forge SAML tokens and bypass authentication mechanisms, posing significant risks to enterprise security.