Tags
AAD
ATT&CK Tactic
Lateral Movement (TA0008), Credential Access (TA0006)
ATT&CK Technique
Incidents
References
Last edited
Jan 4, 2024 1:15 PM
Status
Finalized
In a Golden SAML attack, an adversary steals private keys from a target’s on-premises Active Directory Federation Services (AD FS) server and uses the stolen keys to mint a SAML token trusted by the target’s Microsoft 365 environment. If successful, a threat actor could bypass AD FS authentication and access federated services as any user.