Auth token signing via Golden SAML

Tags

AAD

ATT&CK Tactic

Lateral Movement (TA0008)Credential Access (TA0006)

ATT&CK Technique

https://attack.mitre.org/techniques/T1606/002/

Incidents

APT29 targeting Microsoft 365 Solarigate: Solarwinds supply chain attack Peach Sandstorm Azure targeting

References

https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDFhttps://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452

Last edited

Jan 4, 2024 1:15 PM

Status

Finalized

In a Golden SAML attack, an adversary steals private keys from a target’s on-premises Active Directory Federated Services (AD FS) server and uses the stolen keys to mint a SAML token trusted by a target’s Microsoft 365 environment. If successful, a threat actor could bypass AD FS authentication and access federated services as any user.