| property | value |
|---|---|
| tags | azure-ad,azure-cloud,cloud-attacks,cloud-tactics,defensive-tradecraft,offensive-tradecraft |
| url | |
| original_word_count | 6095 |
Article Excerpt
Microsoft Active Directory Federation Services (AD FS) is a technology often used to implement identity federation for Azure AD. As with any other identity federation solution supported by Azure AD, it is based on industry standards, such as cryptographically signed Security Assertion Markup Language (SAML) tokens. To prevent attackers from altering or counterfeiting security tokens and gaining unauthorized access to federated resources, federation servers use a token-signing certificate. By default, this token-signing certificate is stored in the AD FS configuration database and encrypted using Distributed Key Manager (DKM) APIs.
In the last couple of years, we have witnessed state-sponsored threat actors like NOBELIUM compromising AD FS token-signing certificates by accessing the AD FS configuration database and the DKM master key. Compromising the token-signing certificates allows them to impersonate any user in a federated environment using a technique known as Golden SAML. Due to its high adoption rate, AD FS remains a lucrative target for the years to come.
Long Summary
This article discusses the concept of writing your own ticket to the cloud like an APT, and how to defend against AD FS attacks through detections and mitigations. It begins by introducing two senior security researchers, Diego and Roberto, who explain that attackers think in graphs while defenders think in lists, and that this is why attackers often win. They then discuss AD FS usage statistics, showing that it is still a popular choice for many organizations.
The article then dives into the technical aspects of AD FS attacks. It explains the two options for token-signing certificates, either the default certificates that AD FS generates and manages itself, or custom certificates supplied by the organization, and the different ways to access the configuration database, such as via the Windows Internal Database (WID) named pipe or via SQL Server. It also explains the operations, artifacts, data sources, and mitigations associated with each of these access methods.
The article then explains how to detect and mitigate AD FS attacks. It explains that system audit logs (for example, Sysmon pipe events) and application logs can be used to monitor named pipe connections, and that a SQL Server audit combined with a database audit specification can be used to audit users logging into the configuration database and the queries they execute. It also explains how to enable this logging manually, how attackers use .NET reflection to read the AD FS configuration, and how understanding the operations, artifacts, data sources, and mitigations for each access method helps protect against Golden SAML attacks.
The article also explains how to detect and mitigate malicious activity related to the configuration database. It explains how to use PowerShell to capture events and parse the resulting logs, and how an attacker can replicate the configuration synchronization that secondary AD FS servers perform against the primary. It also explains how to use the Policy Store Transfer Service, which is a WCF service, to validate network connections, and how to use security auditing to get user context. Additionally, it explains how to use AD FS logs to get information about the service model and authentication, as well as how to enable additional WCF service logging. Finally, it explains how to use logman to create a trace and analyze it offline, and how to use event ID 121 to map a network connection to the service.
The article also discusses the various methods attackers can use to gain access to the AD FS key. It outlines the steps attackers can take to gain access to the key, including using .NET reflection, accessing the AD FS configuration setting as a .NET object,
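The named-pipe monitoring described above, as an added example that is not code from the talk or from this summary: on an AD FS server using the Windows Internal Database, the configuration database is reached through the WID T-SQL named pipe (`\\.\pipe\MICROSOFT##WID\tsql\query`), and the only process that normally opens it is the AD FS service host. The script below runs that logic over Sysmon Event ID 18 (Pipe Connected) records exported as newline-delimited JSON and reports any other image connecting to the pipe. The log lines are constructed for illustration, and the allow-listed image path is an assumption to tune per environment.

```python
"""Flag named-pipe connections to the AD FS configuration database (WID).

Added example, not code from the talk. Sysmon Event ID 18 (PipeEvent:
Pipe Connected) records which process opened which named pipe; on an
AD FS server only the AD FS service host should open the WID T-SQL pipe.
"""
import json

# Suffix of the WID T-SQL pipe; Sysmon usually logs it without the \\.\pipe\ prefix.
WID_PIPE_SUFFIX = r"\microsoft##wid\tsql\query"

# Images that legitimately talk to the configuration database on an AD FS server.
# Assumption: adjust this allow-list for your environment (e.g. backup agents).
EXPECTED_IMAGES = {
    r"c:\windows\adfs\microsoft.identityserver.servicehost.exe",
}

# Constructed Sysmon pipe events (one JSON object per line), not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 17, "EventType": "CreatePipe", "UtcTime": "2024-01-10 08:00:01.100", "ProcessId": 1204, "Image": "C:\\Windows\\WID\\Binn\\sqlservr.exe", "PipeName": "\\MICROSOFT##WID\\tsql\\query", "User": "NT SERVICE\\MSSQL$MICROSOFT##WID"}
{"EventID": 18, "EventType": "ConnectPipe", "UtcTime": "2024-01-10 08:00:02.250", "ProcessId": 2316, "Image": "C:\\Windows\\ADFS\\Microsoft.IdentityServer.ServiceHost.exe", "PipeName": "\\MICROSOFT##WID\\tsql\\query", "User": "CORP\\svc_adfs"}
{"EventID": 18, "EventType": "ConnectPipe", "UtcTime": "2024-01-10 08:05:44.000", "ProcessId": 5120, "Image": "C:\\Windows\\System32\\lsass.exe", "PipeName": "\\lsass", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 18, "EventType": "ConnectPipe", "UtcTime": "2024-01-10 11:42:17.812", "ProcessId": 7788, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "PipeName": "\\MICROSOFT##WID\\tsql\\query", "User": "CORP\\jdoe"}
"""


def parse_events(log_text):
    """Parse newline-delimited JSON Sysmon events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def is_wid_pipe(pipe_name):
    """True when the pipe is the WID T-SQL endpoint, whatever prefix or case is logged."""
    return pipe_name.lower().replace("/", "\\").endswith(WID_PIPE_SUFFIX)


def suspicious_wid_connections(events, expected_images=EXPECTED_IMAGES):
    """Return Event ID 18 connections to the WID pipe made by images not on the allow-list."""
    findings = []
    for ev in events:
        # Only pipe *connections* matter here; the WID service itself creates the pipe (ID 17).
        if ev.get("EventID") != 18 or ev.get("EventType") != "ConnectPipe":
            continue
        if not is_wid_pipe(ev.get("PipeName", "")):
            continue
        if ev.get("Image", "").lower() in expected_images:
            continue
        findings.append({
            "time": ev.get("UtcTime"),
            "user": ev.get("User"),
            "pid": ev.get("ProcessId"),
            "image": ev.get("Image"),
            "pipe": ev.get("PipeName"),
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_wid_connections(parse_events(SAMPLE_LOG)):
        print(f"[!] {f['time']} {f['user']} pid={f['pid']} {f['image']} -> {f['pipe']}")
```

Sysmon only emits events 17 and 18 when its configuration contains PipeEvent rules, so confirm those are enabled on the AD FS servers before relying on this check; the same allow-list approach applies to a SQL Server-backed configuration database, with the SQL Server audit providing the login and query context instead of pipe events.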
Short Summary
Writing Your Own Ticket to the Cloud Like APT: A Dive to AD FS Attacks, Detections, and Mitigations
- Outlines methods attackers can use to gain access to the AD FS key and certificates.
- Dives into the technical aspects of AD FS attacks and the options for token-signing certificates.
- Examines the different ways to access the configuration database, including named pipes and SQL Server.
- Covers the operations, artifacts, data sources, and mitigations associated with these attacks.
- Details how to detect and mitigate AD FS attacks using system audit logs and application logs.
source link: https://youtu.be/NqCqfBCV_18
summarized article: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/writing-your-own-ticket-to-the-cloud-like-apt-a-dive-to-ad-fs-attacks-detections-and-mitigations
#ADFSattacks #AzureAD #NOBELIUM #CloudSecurity