Microsoft Defender for Identity: ADFSDump

Microsoft Defender for Identity: ADFSDump

Microsoft updated Microsoft Defender for Identity to detect the ADFSDump tool’s use, which was the initial tool used in the Solorigate campaign. This blog post will describe what the attack does and bypass Microsoft Defender for Identity detection using a tool I have written, including mitigations for the attack.

Active Directory Federation Services Authentication

To understand the attack, we first need to look at how Active Directory Federation Services (AD FS) works. Here is an oversimplified overview of the authentication using AD FS.

Image 1: AD FS Authentication Overview
  1. The user goes to https://portal.office.com and signs in with the username user@thalpius.com;
  2. Microsoft recognises the federation and sends a 302 HTTP response code, redirecting the user to the federated AD FS server ;
  3. The user identifies itself using a password on the Web Application Proxy used by AD FS;
  4. The Web Application Proxy sends the request to AD FS;
  5. AD FS authenticates the user by checking Active Directory if the user entered the correct credentials;
  6. AD DS sends the response of the authentication back to the AD FS server;
  7. AD FS signs a token using a token-signing certificate and sends it to the Web Application proxy;
  8. The Web Authentication Proxy sends the signed token to the user;
  9. The user presents the signed token to Microsoft 365 and can log in to the service.

Suppose there is a way to sign your tokens using a private key and token-signing certificate used by AD FS. In that case, you could impersonate the AD FS server and authenticate to federated services by presenting the signed token. Step 1 to 8 is not needed, and you can submit the forged token directly to the federated service. The federated service checks the token with the public key, and with the correct signed private key, the federated service authenticates the user.

The impersonation of an AD FS server is precisely what Doug Bienstock did. Doug Bienstock created a tool to obtain the token-signing certificate and private key to generate forged security tokens. The tool to obtain the token-signing certificate and private key is called ADFSDump. Since release 2.135 of Microsoft Defender for Identity, ADFSDump gets detected.

ADFS Info

For educational purposes, I created a tool to dump the private key and certificate and get undetected by Microsoft Defender for Identity. Some key features of my tool are:

  1. The date creation of the private key helps identify which key to use;
  2. The private keys are in the correct format;
  3. Microsoft Defender for Identity does not detect the attack.
Image 2: ADFS Info

Once you have obtained the private key and token-signing certificate, use ADFSSpoof to create the forged token.

Mitigation

The service account used by AD FS contains Service Principal Names. That means the account is vulnerable to Kerberoasting. Be sure the service account includes a strong and generated password, so it is less likely an attacker can brute-force the password.

Looking at the Administrative Tier Model, consider placing AD FS in the tier 0 scope.

An obvious but important one is monitoring. As I mentioned in my top 5, monitoring is crucial in any organization. An attacker needs to go through many steps in the kill chain before the attacker can extract the details. Monitoring should detect an attacker by then.

Conclusion

In my previous blog post, I mentioned that attackers could hop from on-premises to the cloud. The attack described in this blog post is another way for an attacker to jump from on-premises to the cloud. Once the on-premises environment is compromised, the attacker has many possibilities to hop to the cloud. Even though a lot of companies are focussing on the cloud, do not forget the on-premises environment.

Microsoft Defender

Microsoft Defender

Microsoft rebrands its enterprise security solutions to Microsoft Defender. Microsoft Defender is a holistic solution for what is known as Extended Detection and Response. This blog post will explain what is meant by Extended Detection and Response and go through the Microsoft Defender security name changes.

Extended Detection and Response is a solution that provides threat detection across multiple domains rather than the single point of view that Endpoint Detection and Response delivers. Endpoint Detection and Response uses machine learning and behavioral analysis to detect zero-day vulnerabilities looking at the behavior across a single security layer. Extended Detection and Response enables telemetry and behavioral analysis across numerous security layers.

Two Extended Detection and Response products from Microsoft Defender are Microsoft 365 Defender and Azure Defender. Microsoft 365 Defender is not a new product in the family. Microsoft 365 Defender is known as Microsoft Threat Protection. Microsoft 365 Defender uses a single unified portal, cross-domain hunting, for four products: Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Cloud App Security.

Figure 1: Microsoft Defender – Extended Detection and Response

Here is an example of an Extended Detection and Response incident: Suppose a potential threat identifies in Microsoft Defender for Office 365 as a “Potential phishing attack,” and around the same time, a potential threat is identified on the endpoint by Microsoft Defender for Endpoint. In that case, Microsoft 365 Defender will determine the risk and raise an alert, and creates an incident. The threat is not classified as potential anymore but as an incident due to detection across multiple domains.

Another added value of Extended Detection and Response is aggregation. Multiple threat encounters across various domains aggregates to less and manageable alerts, and those alerts aggregate to less and manageable incidents. Using aggregation, Security Operations Center does not need to go through all threat encounters, but they can focus on the more critical incidents. Using Microsoft 365 Defender makes it possible to execute advanced hunting using Kusto Query Language across multiple domains as well.

Last but not least, a reminder of the name changes within Microsoft Defender.

New product nameOld Product name
Microsoft Defender for IdentityMicrosoft Azure ATP
Microsoft Defender for EndpointMicrosoft Defender ATP
Microsoft Defender for Office 365Microsoft Office 365 ATP
Microsoft 365 DefenderMicrosoft Threat Protection
Azure Defender for ServersAzure Security Center Standard Edition
Azure Defender for IoTAzure Security Center for IoT
Azure Defender for SQLAdvanced Threat Protection for SQL
Microsoft Products Name Changes

Conclusion

Although Microsoft 365 Defender is not new, I like Microsoft 365 Defender as an Extended Detection and Response solution. The aggregation of alerts and advanced hunting makes it possible to get a better and more precise insight within the environment.

I had to get used to the name changes, but I am thrilled that Microsoft changes their products to a simpler naming scheme.