The two famous tools were also introduced: ADFSDump and ADFSpoof.įor short, to export AD FS token signing certificate, two things are needed: AD FS configuration data and certificate encryption key.Īt late 2020, the world finally woke up after an attack against SolarWinds. Regardless of the hours spent trying to solve the mystery, I just couldn’tīut then came the TROOPERS19, and the wonderful presentation I am AD FS and So Can You byĭouglas Bienstock ( and Austin Baker ( Their seminal research finally revealed how to decrypt AD FS certificates! Was stored in the configuration database and encrypted with a key that was stored in AD. I also knew that it was possible to create SAML tokens to exploit this, as long I would have access token signing certificate. The property would be populated automatically for all synced user, for non-synced user this is possible to set manually by admins. The requirement was that the immutableId property When I found out that you could login in as any user of the tenant, regardless were they federated or not. I faced the first issues with the Office 365 / Azure AD identity federation in 2017, In this blog, I’ll explain the currently known TTPs to exploit AD FS certificates, and introduce a totally new technique to export the configuration data remotely. I’ve talked about AD FS issues for a couple years now, and finally, after the Solorigate/Sunburst, the world is finally listening □
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |