• QOMPLX Knowledge
  • May 4, 2021
  • By QOMPLX

QOMPLX Knowledge: Understanding Golden SAML Forgery Attacks

This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

QOMPLX Identity Assurance is the leader in detecting both Kerberos and SAML-based attacks, minimizing lateral movement and privilege escalation in the world’s largest networks. Learn more about how QOMPLX IA’s real-time cloud identity forgery detections restore trust in cloud authentication.


The attacks on federal government agencies and global firms by the actor tracked as “UNC2452” (also known as “Dark Halo,” and often referred to by the names of its SUNBURST backdoor and SUNSPOT build-system implant) have raised the specter of software supply chain attacks in which compromised software vendors become a conduit for placing malicious payloads within target environments.

That’s bad news. Close analysis of the SolarWinds Orion compromise and recent reports of further supply chain hacks suggest that such attacks may be difficult, if not impossible, to prevent, especially in organizations with large, complex software ecosystems of proprietary and open source components. However, other elements of the UNC2452 operation are more amenable to being managed and contained by security teams. Among them: attacks on Active Directory Federation Services and other federated identity services, including so-called “Golden SAML” attacks on web-based applications.

[If you want to learn more about how QOMPLX can help your company spot signs that may signal an Active Directory or authentication compromise, contact our team now.]

This blog post explains this well-documented technique and discusses how organizations can limit its use even as they expand single sign-on to federated services such as hosted applications.

The Golden SAML Forgery

The Golden SAML attack was first described in 2017 by researchers at CyberArk in a blog post. As CyberArk described it, the attack targets “federated” environments that use the SAML (Security Assertion Markup Language) 2.0 protocol for single sign-on. In these environments a user authenticates once to an identity provider (for example, AD FS backed by Active Directory), and the identity provider issues a signed assertion that federated service providers, such as cloud platforms (Amazon Web Services, Microsoft Azure, Google Cloud) and applications (Office 365, Dropbox, etc.), accept in place of their own credential check. Whoever can produce a validly signed assertion is therefore trusted by every one of those service providers.

One Among Many

It is worth noting that Golden SAML forgeries are just one type of attack on SAML-based federated identity. In 2018 and 2019, for example, QOMPLX demonstrated how taking over on-premises Active Directory via a Golden Ticket attack can yield effectively the same result as a Golden SAML attack, allowing an adversary to take over SAML-authenticated cloud resources. We also wrote about Golden Ticket attacks on Active Directory Federation Services.

Microsoft ADFS a Target

While Golden SAML attacks work against any identity provider that issues SAML assertions, organizations using Microsoft’s Active Directory Federation Services (AD FS) are a prime target given how widely AD FS is deployed. Rather than requiring users to maintain a roster of credentials and permissions for siloed cloud-based environments and applications, AD FS lets Active Directory users reach a range of trusted environments with one set of credentials managed in Active Directory. The downside is that AD FS extends weaknesses and vulnerabilities in the Active Directory deployment to every federated environment as well, regardless of how well those environments are secured on their own. In other words, a successful compromise of Active Directory credentials, via methods such as Golden Ticket attacks, carries over to any environment that trusts that domain for single sign-on (SSO).

As we noted, Golden SAML is just one type of forged-credential attack, but, like the Golden Ticket attack it is named after, it offers adversaries considerable advantages. Because the forgery is performed offline with the stolen signing key, the attacker can mint assertions from anywhere; no further presence on the domain controller or the AD FS server is needed. The attacker also controls every field of the forged object: the username, the user’s groups or roles, and the validity period of the response (though service providers may impose their own limits on federated session length). Because the service provider checks only the signature and the contents of the assertion, the forged response keeps working after the affected account’s password is changed, and it sidesteps any multi-factor authentication enforced at the identity provider, since the identity provider never actually authenticates anyone.

How Golden SAML Attacks Work

Golden SAML attacks can be carried out against any identity provider that uses SAML assuming certain conditions are met.

First, Golden SAML requires the private key of the identity provider’s token-signing certificate. In AD FS that key is stored encrypted in the AD FS configuration database and protected by a Distributed Key Manager (DKM) key held in Active Directory, so extracting it requires, at a minimum, the privileges of the AD FS service account (which can read both), and in practice often a domain administrator account. Alternatively, with adequate permissions, an adversary can add a new federation trust or modify an existing one so that a token-signing certificate of the adversary’s own making is accepted by the federated services, without ever touching the legitimate key.

Beyond that, the attacker needs the public portion of the AD FS token-signing certificate, the identifier of the identity provider (the federation service’s Identifier.AbsoluteUri, which becomes the Issuer of the forged response) and the role or claim value that the relying party’s issuance transform rules (IssuanceTransformRule) map to permissions. As we’ve discussed elsewhere, all of this can be harvested from a compromised environment using tools like Mimikatz and PowerShell.

Launching a Golden SAML Attack

In a Golden SAML attack, the adversary forges a SAMLResponse, the message at the center of SAML authentication. Normally the exchange begins when a service provider (say, an application like Dropbox or AWS) that a client is trying to reach sends an authentication request (SAML AuthnRequest) to the identity provider (here, an AD FS farm fronting an Active Directory domain).

In a typical exchange, the identity provider receives that request, authenticates the user (password, MFA, device checks and so on), builds a SAMLResponse containing an assertion about the user, signs the assertion with its private key and sends it back to the service provider. The service provider verifies the signature with the identity provider’s public certificate, which it obtained when the federation trust was set up; the assertion may additionally be encrypted for the service provider, but it is the signature that establishes trust. Loosely, the signed assertion is the federated equivalent of the ticket-granting ticket (TGT) created by a Kerberos Key Distribution Center (KDC): a statement of identity that downstream parties accept because of who signed it.

In a Golden SAML attack, however, the attacker holds the key that signs assertions, either stolen from the identity provider or generated by the attacker and slipped into a federation trust, and uses it to mint and sign a SAMLResponse with no request from the service provider and no authentication of anyone. The service provider verifies the signature, finds it valid, and opens a session; with AWS, for example, the response is exchanged for temporary access keys that the attacker can then use against the federated service.
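The exchange described above, reduced to its trust decision, as an added example that is not part of the original post or of CyberArk’s tooling. The identity provider’s signing key is a toy textbook RSA key built from two known Mersenne primes so the block runs with the Python standard library alone (real AD FS signs with RSA-SHA256 XML-DSig); the identifiers, user names, role claim and timestamps are made up. It shows what the service provider actually checks, why an attacker with the stolen key can pick the subject, role and lifetime and be accepted long after passwords change, and why a self-generated key is useless until its certificate is added to the federation trust.

```python
import hashlib
import xml.etree.ElementTree as ET

# --- Toy RSA (textbook, no padding) from known Mersenne primes so that no
# --- third-party library is needed. Illustration only; never use as-is.
def rsa_keypair(p, q, e=65537):
    """Return (public, private) as (n, e) and (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

# Made-up identifiers: the AD FS Identifier.AbsoluteUri and the SP audience.
IDP_ID = "http://adfs.corp.example/adfs/services/trust"
SP_AUDIENCE = "urn:amazon:webservices"

def build_response(issuer, audience, name_id, role, not_before, lifetime_s, in_response_to=None):
    """Simplified SAMLResponse. Every field is chosen by whoever holds the signing
    key: subject, role claim and validity window. Timestamps are epoch seconds
    instead of SAML's ISO 8601 strings to keep the example short."""
    resp = ET.Element("Response", Issuer=issuer, IssueInstant=str(not_before))
    if in_response_to:                   # absent in an unsolicited (IdP-initiated) response
        resp.set("InResponseTo", in_response_to)
    a = ET.SubElement(resp, "Assertion", NameID=name_id,
                      NotBefore=str(not_before), NotOnOrAfter=str(not_before + lifetime_s))
    ET.SubElement(a, "Audience").text = audience
    ET.SubElement(a, "Attribute", Name="Role").text = role
    return ET.tostring(resp)

def sp_accept(response_xml, signature, trusted_pubs, expected_issuer, audience, now):
    """What the relying party checks. Note what it does not check: the user's
    password, MFA, or whether the IdP ever saw a request. A valid signature from
    any certificate in the federation trust makes the claims believed."""
    if not any(verify(pub, response_xml, signature) for pub in trusted_pubs):
        return None, "bad signature"
    root = ET.fromstring(response_xml)
    if root.get("Issuer") != expected_issuer:
        return None, "unknown issuer"
    a = root.find("Assertion")
    if a.findtext("Audience") != audience:
        return None, "audience mismatch"
    if not int(a.get("NotBefore")) <= now < int(a.get("NotOnOrAfter")):
        return None, "outside validity window"
    return {"user": a.get("NameID"), "role": a.findtext("Attribute")}, "ok"

def golden_saml_demo():
    idp_pub, idp_priv = rsa_keypair(2**31 - 1, 2**61 - 1)   # the AD FS token-signing key
    sp_trust = [idp_pub]                                     # what the SP holds from federation metadata
    t0 = 1_700_000_000

    # 1. Legitimate flow: AD FS authenticated alice and answered the SP's request.
    legit = build_response(IDP_ID, SP_AUDIENCE, "alice@corp.example", "ReadOnly", t0, 3600, "_req42")
    legit_result = sp_accept(legit, sign(idp_priv, legit), sp_trust, IDP_ID, SP_AUDIENCE, t0 + 5)

    # 2. Golden SAML: the attacker holds the stolen key, picks an admin role and a
    #    one-year lifetime, and presents an unsolicited response months later.
    #    Password changes or MFA at AD FS change nothing; AD FS is never involved.
    stolen_priv = idp_priv
    forged = build_response(IDP_ID, SP_AUDIENCE, "admin@corp.example", "Administrator", t0, 365 * 86400)
    forged_result = sp_accept(forged, sign(stolen_priv, forged), sp_trust, IDP_ID, SP_AUDIENCE, t0 + 200 * 86400)

    # 3. A self-generated key fails against the SP's trust list, and succeeds only
    #    if the attacker also manages to add its certificate to the federation trust.
    rogue_pub, rogue_priv = rsa_keypair(2**89 - 1, 2**107 - 1)
    rogue_sig = sign(rogue_priv, forged)
    rejected = sp_accept(forged, rogue_sig, sp_trust, IDP_ID, SP_AUDIENCE, t0)
    trust_tampered = sp_accept(forged, rogue_sig, sp_trust + [rogue_pub], IDP_ID, SP_AUDIENCE, t0)
    return legit_result, forged_result, rejected, trust_tampered

if __name__ == "__main__":
    labels = ("legitimate", "golden SAML (stolen key)", "rogue key", "rogue key, trust tampered")
    for label, (claims, status) in zip(labels, golden_saml_demo()):
        print(f"{label:28} -> {status} {claims or ''}")
```

The point of the model is the list `sp_trust`: nothing the identity provider does at authentication time is visible to the service provider, so the only controls that reach the forged response are who can read the signing key and what certificates sit in the federation trust.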

Preventing SAML Forgeries

Organizations that wish to prevent SAML forgeries including Golden SAML attacks have a number of tools and techniques at their disposal. Among them:

Manage Users Closely

Excessive user and administrator permissions are the biggest threat to your Active Directory security. Manage accounts closely, especially those with local or domain administrator rights, and treat the AD FS service account with the same care as a domain administrator, since it can read the token-signing key. Enforce strong passwords and multi-factor authentication. Limit excessive permission grants with Just-In-Time/Just-Enough Administration. Finally, limit privileged accounts to a small number of users.

Restrict Access to AD FS Server

Hardening your AD FS servers against attack is a critical step in preventing SAML forgeries. Restrict administrative access to the AD FS servers and their configuration database to designated, hardened workstations within your environment, and monitor access to the AD FS DKM container in Active Directory, since that key unlocks the stored token-signing certificate.

Audit! Audit! Audit!

Organizations need to audit their environment closely and look for patterns of behavior that may indicate an attack or compromise in the making. Enable AD FS auditing and pay special attention to authentication failures, to application-generated events, and above all to federated sign-ins at service providers that have no corresponding token-issuance event on the AD FS servers: a forged response is never issued by AD FS, so the gap between what the cloud service saw and what AD FS logged is the clearest sign of a Golden SAML. Assertions whose validity period far exceeds the configured token lifetime are a further tell, since the attacker chooses that value.
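An added example of that correlation, not from the original post: service-provider SAML sign-ins are checked against AD FS token-issuance audit events, flagging logins with no matching issuance and assertions whose lifetime exceeds policy. It assumes AD FS auditing is enabled, so that a token issuance is recorded as Security-log event 1200 (1202 records credential validation). The record layouts, user names and timestamps are a constructed, simplified schema rather than the real event XML or any vendor’s sign-in log format.

```python
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse the 'YYYY-mm-ddTHH:MM:SSZ' timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed AD FS audit events. With AD FS auditing enabled, event 1200 is
# "The Federation Service issued a valid token"; 1202 is credential validation.
# Field names are a simplified schema, not the real event XML.
ADFS_EVENTS = [
    {"time": "2021-04-20T09:00:05Z", "event_id": 1200, "user": "alice@corp.example"},
    {"time": "2021-04-20T09:01:10Z", "event_id": 1200, "user": "bob@corp.example"},
    {"time": "2021-04-20T09:02:00Z", "event_id": 1202, "user": "carol@corp.example"},
]

# Constructed service-provider records of federated (SAML) sign-ins, including
# the assertion's validity window as the service provider saw it.
SP_LOGINS = [
    {"time": "2021-04-20T09:00:07Z", "user": "alice@corp.example",
     "not_before": "2021-04-20T09:00:05Z", "not_on_or_after": "2021-04-20T10:00:05Z"},
    {"time": "2021-04-20T09:01:12Z", "user": "Bob@corp.example",
     "not_before": "2021-04-20T09:01:10Z", "not_on_or_after": "2021-04-20T10:01:10Z"},
    # Nothing at AD FS for this user, and a one-year assertion: textbook Golden SAML.
    {"time": "2021-04-20T09:30:00Z", "user": "svc-backup-admin@corp.example",
     "not_before": "2021-04-20T09:29:00Z", "not_on_or_after": "2022-04-20T09:29:00Z"},
    # A careful forger keeps a normal lifetime; the missing AD FS event still gives it away.
    {"time": "2021-04-20T09:40:00Z", "user": "dave@corp.example",
     "not_before": "2021-04-20T09:39:00Z", "not_on_or_after": "2021-04-20T10:39:00Z"},
]

def find_suspicious_saml_logins(adfs_events, sp_logins, window=timedelta(minutes=5),
                                skew=timedelta(minutes=1), max_lifetime=timedelta(hours=1)):
    """Return SP sign-ins that (a) have no AD FS 1200 token-issuance event for the
    same user within `window` before the sign-in (allowing `skew` for clock drift
    between AD FS and the SP), or (b) carry an assertion valid for longer than the
    IdP's configured token lifetime. Either deserves a look; both together is a
    strong Golden SAML indicator."""
    issued = [(ts(e["time"]), e["user"].casefold())
              for e in adfs_events if e["event_id"] == 1200]
    findings = []
    for login in sp_logins:
        t, user = ts(login["time"]), login["user"].casefold()
        reasons = []
        if not any(u == user and t - window <= et <= t + skew for et, u in issued):
            reasons.append("no AD FS 1200 token-issuance event for this user in window")
        lifetime = ts(login["not_on_or_after"]) - ts(login["not_before"])
        if lifetime > max_lifetime:
            reasons.append(f"assertion lifetime {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings.append({"time": login["time"], "user": login["user"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_saml_logins(ADFS_EVENTS, SP_LOGINS):
        print(f["time"], f["user"], "; ".join(f["reasons"]))
```

In production the two inputs come from the AD FS servers’ Security logs (shipped to a SIEM) and from each service provider’s sign-in export; the join key is the user identity, the window should reflect how quickly your relying parties redirect after issuance, and `max_lifetime` should be set from the token lifetime actually configured on the relying party trusts.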

Rotate Certificates Frequently

If you suspect that a compromise may have taken place, rotate the AD FS token-signing certificate: once relying parties pick up the new certificate from the federation metadata, tokens signed with the compromised key no longer verify. Rotate twice in quick succession, because AD FS keeps the previous certificate as a secondary that relying parties may still trust. Rotation does nothing about a rogue certificate or trust the attacker added on the service-provider side, so review the federation trusts themselves as part of the same response.

If you want to learn more about how QOMPLX can help your company spot signs that may signal an Active Directory or authentication compromise, request a meeting with QOMPLX.

