gcp Google Cloud Blog ·

ADFS signing key recovery via Machine DPAPI, bypassing MFA

blogsecuritygcpengineer
security announcement

Mandiant discovered a vulnerability where manually rotated Active Directory Federation Services (ADFS) signing keys can be exposed in Machine DPAPI, allowing attackers to forge SAML tokens. This 'ghost certificate' issue arises when AutoCertificateRollover is disabled and the WID database isn't updated after manual certificate rotation. The technique bypasses traditional defenses like LSASS monitoring and MFA, granting unauthorized access to federated applications.

  • Exposed ADFS signing keys in Machine DPAPI enable token forgery
  • Configuration drift creates 'ghost certificates' impacting security
  • Machine DPAPI protects keys resiliently but creates security risks
  • Attack vector avoids direct interaction with sensitive processes
Security (1)
  • Exposed ADFS signing keys in Machine DPAPI enable token forgery

    Attackers can recover active ADFS signing keys from the Machine DPAPI store when certificates are manually rotated without updating the WID database, a state known as configuration drift. This allows forging SAML assertions and bypassing multi-factor authentication for federated applications.

Notes (3)
  • Configuration drift creates 'ghost certificates' impacting security

    When ADFS AutoCertificateRollover is disabled and certificates are manually rotated, the WID database can retain references to old signing certificates ('ghost certificates'). This divergence from the active signing key can lead to rejected assertions and is flagged by Microsoft Event ID 385.

  • Machine DPAPI protects keys resiliently but creates security risks

    ADFS stores token-signing private keys in a machine-scoped key store protected by Machine DPAPI for operational resilience. However, this design allows sufficiently privileged local processes to recover the key material independently of the service account, potentially evading defenses focused on LSASS memory.

  • Attack vector avoids direct interaction with sensitive processes

    The discovered technique bypasses direct interaction with components like LSASS and the live ADFS service process, which are often heavily monitored. This can lead to lower visibility for security monitoring solutions focused on credential dumping or process-memory access.

Read the original announcement →

https://cloud.google.com/blog/topics/threat-intelligence/recovering-active-adfs-signing-keys-machine-dpapi/

Related releases