Golden SAML Attack

A Golden SAML attack is a sophisticated cyberattack technique threat actors use to forge valid Security Assertion Markup Language (SAML) authentication responses. This allows them to bypass traditional authentication mechanisms, including multi-factor authentication (MFA), and gain unauthorized, persistent access to various federated services and cloud applications.

To understand a Golden SAML attack, it's essential first to grasp the basics of SAML authentication:

SAML Authentication Explained

SAML is an XML-based open standard that enables Single Sign-On (SSO) by exchanging authentication and authorization data between two parties:

1. Identity Provider (IdP): This is the entity that authenticates the user (e.g., Active Directory Federation Services (AD FS), Okta, Azure AD). It verifies a user's credentials and issues the service provider SAML assertions (tokens).

2. Service Provider (SP): This is the application or service the user wants to access (e.g., Office 365, Salesforce, AWS). It trusts the IdP to authenticate users and relies on the SAML assertion to grant access.

3. User Agent (Browser): The user's web browser facilitates the communication between the IdP and SP.

Normal SAML Authentication Flow:

1. A user attempts to access a service provider (SP).

2. The SP redirects the user's browser to the identity provider (IdP) for authentication.

3. The user enters their credentials (username, password, possibly MFA) on the IdP's login page.

4. If authentication is successful, the IdP generates a cryptographically signed SAML assertion (a digitally signed XML document) containing information about the user's identity and authorization.

5. The IdP sends this SAML assertion back to the user's browser.

6. The user's browser then sends the SAML assertion to the SP.

7. The SP validates the digital signature of the SAML assertion using the IdP's public signing certificate. The SP grants the user access if the signature is valid and the assertion contains the necessary information.

How a Golden SAML Attack Works

A Golden SAML attack exploits the trust established between the IdP and SP. The core idea is for an attacker to obtain the IdP's token-signing certificate and its corresponding private key. Once they have this crucial key material, they can forge legitimate-looking SAML assertions for any user within the organization's federation, without needing that user's password or going through the normal authentication process.

Here are the detailed steps involved in a Golden SAML attack:

1. Initial Foothold and Privilege Escalation: The attacker must first gain a foothold in the victim's network, typically through phishing, malware, or exploiting a vulnerability. Their goal is to gain administrative access to the Active Directory Federation Services (AD FS) server or the system hosting the IdP's signing certificate.

2. Compromise and Extraction of the Token-Signing Certificate: This is the most critical step. The attacker must extract the IdP's token-signing certificate, specifically its private key. This key is what the IdP uses to sign all SAML assertions digitally, proving their authenticity. Attackers use various tools and techniques to achieve this, such as:

   • Compromising the AD FS service account.

   • Dumping the certificate and private key from memory or the AD FS configuration database.

   • Exploiting misconfigurations that allow the export of the private key.

3. Gathering User Information (Claims): To forge a convincing SAML assertion, the attacker must know specific attributes or claims about the user they want to impersonate. This includes things like the user's unique identifier (e.g., ObjectGUID, UserPrincipalName), roles, and group memberships. This information can often be gathered from Active Directory or the AD FS configuration.

4. Forging the SAML Assertion: The attacker crafts a malicious SAML assertion with the stolen private key and the target user's attributes. This forged assertion can claim to be any user within the federated environment, assign arbitrary privileges, and even set an extended validity period, granting persistent access.

5. Signing the Forged Assertion: The attacker uses the compromised private key to digitally sign the forged SAML assertion. The assertion appears legitimate because the signature matches the public key that the service providers trust.

6. Presenting the Forged Assertion to the Service Provider: The attacker sends this signed, forged SAML assertion directly to the target service provider. The SP, believing the assertion came from the legitimate IdP, validates the signature and grants the attacker access as the impersonated user.

Key Characteristics and Impact

• Bypasses MFA: Since the attacker forges the SAML assertion after the point where MFA would typically occur (at the IdP), MFA becomes ineffective against a Golden SAML attack. The forged assertion is already "authenticated."

• Persistent Access: The forged SAML tokens can be given long validity periods, allowing attackers to maintain access for extended periods without needing to re-authenticate or interact with the compromised IdP server again.

• Impersonation of Any User: With the signing key, an attacker can impersonate virtually any user within the organization's federated environment, from regular users to highly privileged administrators.

• Difficult to Detect: Because the forged tokens are cryptographically valid, service providers have difficulty distinguishing them from legitimate tokens. Detection often relies on identifying the initial compromise of the IdP server or anomalous user behavior after the attack.

• Broad Scope of Impact: Organizations that use SAML for single sign-on across numerous on-premises and cloud applications are highly vulnerable, as a single compromise of the IdP's signing certificate can grant access to a vast array of resources.

• No Interaction with IdP During Attack: After the initial compromise and theft of the signing key, the attacker doesn't need to interact with the IdP server to generate tokens, making it harder to trace their activity.

Mitigation Strategies

Mitigating Golden SAML attacks requires a multi-layered approach focusing on protecting the token-signing certificate and detecting suspicious activity:

• Strongest Protection for AD FS/IdP Servers: Treat AD FS servers and other Identity Providers with the same level of security as domain controllers. This includes:

  • Strict Access Controls: Limit administrative access to these servers to an absolute minimum.

  • Patch Management: Keep all software on these servers fully patched and up-to-date.

  • Endpoint Detection and Response (EDR): Implement robust EDR solutions to monitor suspicious activity, such as attempts to access or export private keys.

  • Least Privilege: Ensure service accounts have only the necessary permissions.

• Secure Certificate Management:

  • Hardware Security Modules (HSMs): Store the token-signing private key in an HSM. HSMs are tamper-resistant physical devices designed to protect cryptographic keys, making it extremely difficult for attackers to extract them.

  • Regular Certificate Rotation: Periodically rotate the token-signing certificate. This limits an attacker's window of opportunity if a key is compromised.

  • Monitor Certificate Export Events: Alert us of any attempts to export the token-signing certificate.

• Enhanced Logging and Monitoring:

  • AD FS/IdP Event Logs: Monitor AD FS event logs (e.g., Event ID 307 for configuration changes, and relevant events for certificate access) for suspicious activity.

  • Security Information and Event Management (SIEM): Ingest logs from AD FS, Active Directory, and service providers into a SIEM for centralized monitoring, correlation, and anomaly detection. Look for unusual login patterns, impossible travel, or access from unfamiliar locations.

• Network Segmentation: Isolate AD FS servers in a highly secure network segment to limit lateral movement if a different part of the network is compromised.

• Continuous Vulnerability Assessment: Regularly audit and assess the security posture of your IdP infrastructure for misconfigurations and vulnerabilities.

• Incident Response Plan: Have a well-defined incident response plan specifically for identity compromises, including steps for rotating compromised certificates and investigating the extent of the breach.

By implementing these measures, organizations can significantly reduce their risk of falling victim to a Golden SAML attack.

ThreatNG, an all-in-one external attack surface management, digital risk protection, and security ratings solution, offers comprehensive capabilities to help organizations defend against sophisticated attacks like Golden SAML.

Here's how ThreatNG would help, focusing on its external discovery, external assessment, reporting, continuous monitoring, investigation modules, and intelligence repositories, as well as its synergy with complementary solutions:

ThreatNG's Role in Combating Golden SAML Attacks

1. External Discovery: ThreatNG performs purely external, unauthenticated discovery without needing any connectors. While Golden SAML is an internal attack that leverages compromised credentials, ThreatNG's external discovery can identify potential initial footholds that attackers might use to access an organization's network and eventually compromise an Identity Provider (IdP) server.

• Examples:

  • Identifying Weak Entry Points: ThreatNG can discover internet-facing assets like forgotten web applications, exposed development environments, or open ports that an attacker could exploit to gain initial network access. For example, if an organization has an inadvertently exposed administrative interface for a legacy system, ThreatNG would discover this.

  • Mapping Exposed Infrastructure: It can map out an organization's digital presence, including subdomains and associated IP addresses, which helps understand the attack surface an adversary might target.

2. External Assessment: ThreatNG performs various external assessment ratings that, while not directly detecting a Golden SAML attack in progress, can highlight vulnerabilities that lead to the initial compromise necessary for such an attack.

• Web Application Hijack Susceptibility: This assesses a web application's susceptibility to hijacking by analyzing external attack surface and digital risk intelligence, including domain intelligence, to find potential entry points.

  • Example: If an organization's AD FS login page (which is a web application) has vulnerabilities that ThreatNG identifies, such as outdated software or weak configurations, an attacker could exploit these to gain a foothold, potentially leading to the compromise of the IdP.

• Subdomain Takeover Susceptibility: ThreatNG evaluates this by analyzing subdomains, DNS records, and SSL certificate statuses.

  • Example: A subdomain takeover could allow an attacker to host malicious content or phishing pages under the organization's legitimate domain, which could be used to trick employees into revealing credentials that facilitate the initial breach.

• BEC & Phishing Susceptibility: Derived from sentiment, financials, domain intelligence (domain name permutations, Web3 domains, and email security presence), and dark web presence (compromised credentials).

  • Example: ThreatNG might identify that an organization's domain is highly susceptible to phishing due to a lack of DMARC, SPF, and DKIM records. This makes it easier for attackers to send convincing phishing emails that could lead to an employee clicking a malicious link and installing malware, often the first step in an advanced persistent threat (APT) campaign that could culminate in a Golden SAML attack. ThreatNG's "Dark Web Presence" also flags compromised credentials, which could be used in credential stuffing attacks to gain initial access.

• Data Leak Susceptibility: This is derived from external attack surface and digital risk intelligence, including Cloud and SaaS Exposure, Dark Web Presence (Compromised Credentials), and Domain Intelligence (DNS and Email Intelligence).

  • Example: If ThreatNG identifies sensitive data exposed in public cloud storage buckets or compromised credentials on the dark web, this could indicate a previous breach or ongoing exposure that an attacker could use to gain initial access to the network or gather information for social engineering.

• Cyber Risk Exposure: This score considers domain intelligence parameters like certificates, subdomain headers, vulnerabilities, and sensitive ports. Code Secret Exposure, which discovers code repositories and sensitive data, is also factored in.

  • Example: ThreatNG could identify an exposed AD FS server with unpatched vulnerabilities (e.g., CVEs like CVE-2022-26923 related to AD FS privilege escalation) or sensitive ports left open. This significantly increases the risk of an attacker compromising the server and stealing the token-signing certificate. Furthermore, if the AD FS configuration or scripts containing sensitive credentials are inadvertently committed to a public code repository, ThreatNG's Code Secret Exposure capability would detect this.

• Breach & Ransomware Susceptibility: Derived from domain intelligence (exposed sensitive ports, private IPs, and known vulnerabilities), dark web presence (compromised credentials and ransomware events), and sentiment/financials.

  • Example: High susceptibility here would indicate an environment already prone to breaches, making the compromise of an IdP server more likely. Suppose ThreatNG flags exposed sensitive ports on an AD FS server or identifies that the organization has active, compromised credentials on the dark web. In that case, these are direct indicators of high risk.

3. Reporting: ThreatNG provides various reports, including Executive, Technical, Prioritized (High, Medium, Low, and Informational), Security Ratings, Inventory, Ransomware Susceptibility, and U.S. SEC Filings.

• Example: After an assessment, ThreatNG would generate a prioritized report highlighting the most critical vulnerabilities on externally accessible systems, such as exposed AD FS servers, misconfigured DNS records, or leaked credentials. This report would guide security teams on which external exposures to remediate first to prevent the initial compromise phase of a Golden SAML attack.

4. Continuous Monitoring: ThreatNG monitors an organization's external attack surface, digital risk, and security ratings.

• Example: If an AD FS server's configuration changes unexpectedly or if a new, vulnerable service is accidentally exposed to the Internet, ThreatNG's continuous monitoring would detect these changes and update the security rating, alerting the security team to potential new attack vectors that could be used to facilitate a Golden SAML attack.

5. Investigation Modules: ThreatNG's detailed investigation modules provide granular insights into potential vulnerabilities that could be precursors to a Golden SAML attack.

• Domain Intelligence: This includes Domain Overview, DNS Intelligence, Email Intelligence, WHOIS Intelligence, and Subdomain Intelligence.

  • Example:

    • DNS Intelligence: ThreatNG can perform Domain Record Analysis, including IP and Vendor/Technology Identification. This helps identify if AD FS servers are exposed to the internet and what technologies they use, which can be cross-referenced with known vulnerabilities.

    • Email Intelligence: It identifies email security presence (DMARC, SPF, DKIM records) and provides format predictions and harvested emails. Weak email security increases the success rate of phishing attacks, a common initial vector for gaining network access.

    • Subdomain Intelligence: This module can identify HTTP Responses, Header Analysis (Security and Deprecated Headers), Server Headers (Technologies), and various exposed contents like Admin Pages, APIs, and Development Environments. It also identifies sensitive Ports (e.g., FTP, Telnet, SSH, RDP) and Known Vulnerabilities.

      • Detailed Example: If an organization's AD FS instance is hosted on a server that has an exposed RDP port with a weak password identified through brute-force or dictionary attacks, ThreatNG would flag this. Additionally, if the AD FS server is running outdated software with known CVEs, ThreatNG's Subdomain Intelligence, combined with its Vulnerability Intelligence (DarCache Vulnerability), would highlight these specific vulnerabilities, making it clear to the security team that this server is a high-risk target.

• Sensitive Code Exposure: This discovers public code repositories and uncovers digital risks like access credentials, cloud credentials, security credentials (cryptographic keys), and various configuration files.

  • Example: An attacker might steal the AD FS token-signing certificate by compromising a developer's workstation if that developer accidentally pushed a backup of the certificate (including its private key) into a public or poorly secured code repository. ThreatNG's "Sensitive Code Exposure" module would actively scan such repositories and identify the presence of these highly sensitive keys or related configuration files, such as "Potential cryptographic private key," "Chef private key," or "AWS Secret Access Key," that could lead to access to IdP infrastructure. This provides a direct alert to a critical exposure.

• Cloud and SaaS Exposure: This module identifies sanctioned and unsanctioned cloud services, impersonations, and open exposed cloud buckets. It also lists SaaS implementations like Azure Active Directory and Okta.

  • Example: While ThreatNG doesn't directly prevent the forgery of SAML tokens, it can identify misconfigured cloud services (e.g., overly permissive AWS S3 buckets containing sensitive IdP configuration files or backups) that an attacker could use as a stepping stone to gain access to an IdP server. If an organization uses Azure Active Directory as its IdP, ThreatNG's ability to evaluate its exposure and identify associated compromised credentials on the dark web (via DarCache Rupture) provides crucial pre-attack intelligence.

6. Intelligence Repositories (DarCache): ThreatNG's continuously updated intelligence repositories provide vital context and early warnings.

• Compromised Credentials (DarCache Rupture):

  • Example: If credentials belonging to an AD FS server administrator appear on the dark web, DarCache Rupture would flag this. This allows the organization to force password resets and investigate potential breaches before an attacker can use these credentials to compromise the IdP server and launch a Golden SAML attack.

• Vulnerabilities (DarCache Vulnerability): This includes NVD (Attack Complexity, Impact Scores, CVSS Score), EPSS (likelihood of exploitation), and KEV (actively exploited vulnerabilities). It also provides Verified Proof-of-Concept (PoC) Exploits.

  • Example: ThreatNG, through DarCache Vulnerability, would identify known vulnerabilities in AD FS or Windows Server (the underlying OS for AD FS) that could lead to privilege escalation or remote code execution. For instance, if an IdP server has a critical vulnerability listed in KEV (Known Exploited Vulnerabilities) (e.g., a vulnerability allowing unauthenticated access or privilege escalation), ThreatNG would highlight this as an immediate threat with active exploits, urging urgent patching. The linked PoC exploits would help security teams understand the attack vector.

Synergy with Complementary Solutions

ThreatNG's external focus complements internal security solutions, creating a more robust defense against multi-stage attacks like Golden SAML.

• With Identity and Access Management (IAM) Solutions (e.g., Microsoft Azure AD, Okta, Ping Identity):

  • How ThreatNG Helps: ThreatNG's Cloud and SaaS Exposure module helps identify misconfigurations or accidental exposures related to the organization's cloud-based IAM solutions. It can also uncover compromised credentials associated with these services via DarCache Rupture.

  • Complementary Action: While ThreatNG identifies external risks, the IAM solution enforces strong authentication (MFA) and access policies. If ThreatNG detects an external exposure that could compromise an identity, the IAM solution's robust internal controls, such as Conditional Access policies and continuous authentication, provide a compensating control by making it harder for an attacker to use stolen credentials or tokens if the initial external compromise somehow bypasses ThreatNG's detection.

• With Endpoint Detection and Response (EDR) Solutions:

  • How ThreatNG Helps: ThreatNG identifies external attack vectors that could lead to an endpoint compromise, which might then be used to pivot to the AD FS server. For example, it might flag a high "BEC & Phishing Susceptibility" score.

  • Complementary Action: Once an attacker gains initial access, an EDR solution on the AD FS server or other internal systems would be crucial for detecting malicious activities like credential dumping, lateral movement, or attempts to export the token-signing private key. ThreatNG provides the intelligence to reduce the likelihood of the initial breach, while EDR focuses on detecting and responding to post-exploitation activities.

• With Security Information and Event Management (SIEM) Systems:

  • How ThreatNG Helps: ThreatNG provides external threat intelligence, vulnerability data, and attack surface findings that can be fed into a SIEM. For instance, its "Cyber Risk Exposure" and "Breach & Ransomware Susceptibility" scores and the underlying data from DarCache Vulnerability or DarCache Rupture offer valuable context for alerts.

  • Complementary Action: A SIEM collects and correlates logs from various internal sources, including AD FS event logs. By combining ThreatNG's external context with internal logs (e.g., unusual login patterns to AD FS, attempts to modify certificate stores, or strange administrative actions on the AD FS server), a SIEM can provide a more comprehensive picture and potentially detect the internal stages of a Golden SAML attack or the initial compromise of the IdP server more effectively. For example, if ThreatNG identifies a high-risk external vulnerability on an AD FS server, and the SIEM flags unusual login attempts from an internal source to that server, it creates a stronger alert.

In summary, ThreatNG is a crucial first line of defense and continuous intelligence provider for an organization's external attack surface. While a Golden SAML attack occurs post-initial breach and involves internal key material, ThreatNG's extensive discovery and assessment capabilities help to identify and mitigate the external vulnerabilities that attackers often use to gain that initial foothold and move towards compromising critical identity infrastructure. Its comprehensive reporting, continuous monitoring, detailed investigation modules, and rich intelligence repositories provide actionable insights to proactively reduce the attack surface and digital risk, making it significantly harder for threat actors to execute the initial stages of such a sophisticated attack.