Google Cloud Blog
Follow
The ‘Ghost’ in the Database: Recovering Active ADFS Signing Keys via Machine DPAPI
The "Golden SAML" technique allows attackers to forge identity assertions in Microsoft environments. By compromising an ADFS token-signing certificate's private key, an attacker can bypass security measures and impersonate any user. A new attack vector has emerged where configuration drift during manual certificate rotation can expose active signing keys in Machine DPAPI. This occurs when AutoCertificateRollover is disabled and the ADFS service uses a new certificate without updating the WID configuration database.This creates a "ghost" certificate entry that is no longer used for token signing. The active signing key, however, resides in the system's machine-scoped cryptographic store, protected by Machine DPAPI. Successfully retrieving this key enables attackers to forge valid SAML assertions, granting unauthorized access to SAML-federated applications. This method evades typical monitoring focused on LSASS and live ADFS processes.Attackers can exploit this by accessing the machine key store and related DPAPI artifacts. The private key is persisted in the machine-scoped key store, protected by Machine DPAPI for operational resilience. This resilience, however, means a privileged local process can recover the key material. The retrieved key can then be used to forge a SAML assertion, impersonating a high-privilege user like a Global Administrator.Defenders should monitor operating system cryptographic operations and identity issuance. SACL-based object access monitoring on specific file paths can provide supporting evidence. Inconsistencies in ADFS token issuance logs and federated identity monitoring in Entra ID are also crucial. Mitigation involves treating ADFS as Tier 0 infrastructure and considering hardware-backed key protection with Hardware Security Modules. Using gMSA for ADFS services can also reduce operational drift from manual credential management. Strict Tier 0 administrative controls are essential for ADFS servers.