ADFS signing key recovery via Machine DPAPI, bypassing MFA
Mandiant discovered a vulnerability where manually rotated Active Directory Federation Services (ADFS) signing keys can be exposed in Machine DPAPI, allowing attackers to forge SAML tokens. This 'ghost certificate' issue arises when AutoCertificateRollover is disabled and the WID database isn't updated after manual certificate rotation. The technique bypasses traditional defenses like LSASS monitoring and MFA, granting unauthorized access to federated applications.
- →Exposed ADFS signing keys in Machine DPAPI enable token forgery
- →Configuration drift creates 'ghost certificates' impacting security
- →Machine DPAPI protects keys resiliently but creates security risks
- →Attack vector avoids direct interaction with sensitive processes
Security (1) ›
- Exposed ADFS signing keys in Machine DPAPI enable token forgery
Attackers can recover active ADFS signing keys from the Machine DPAPI store when certificates are manually rotated without updating the WID database, a state known as configuration drift. This allows forging SAML assertions and bypassing multi-factor authentication for federated applications.
Notes (3) ›
- Configuration drift creates 'ghost certificates' impacting security
When ADFS AutoCertificateRollover is disabled and certificates are manually rotated, the WID database can retain references to old signing certificates ('ghost certificates'). This divergence from the active signing key can lead to rejected assertions and is flagged by Microsoft Event ID 385.
- Machine DPAPI protects keys resiliently but creates security risks
ADFS stores token-signing private keys in a machine-scoped key store protected by Machine DPAPI for operational resilience. However, this design allows sufficiently privileged local processes to recover the key material independently of the service account, potentially evading defenses focused on LSASS memory.
- Attack vector avoids direct interaction with sensitive processes
The discovered technique bypasses direct interaction with components like LSASS and the live ADFS service process, which are often heavily monitored. This can lead to lower visibility for security monitoring solutions focused on credential dumping or process-memory access.
https://cloud.google.com/blog/topics/threat-intelligence/recovering-active-adfs-signing-keys-machine-dpapi/
Related releases
- Google Cloud C4N instances achieve GA for optimized network and storage I/O Google Cloud Blog ·
- Google Cloud Recognized as Leader in Gartner AI Infrastructure Magic Quadrant Google Cloud Blog ·
- Google's Gemini Startup Forum Selects 33 Cybersecurity Startups Google Cloud Blog ·
- GCP Cloud Router BGP route policies: Top 3 customer use cases Google Cloud Blog ·
- Google Cloud Accelerate AI with Cloud Run Roadshow 2026 Google Cloud Blog ·
- Guide to publishing AI agents in Gemini Enterprise and Google Cloud Marketplace Google Cloud Blog ·