Detecting Office365 Azure AD Environment Backdoors


As a blue team, we may not believe that attackers can stay in a user's environment for a long time, obtaining the user's passwords without the user's knowledge, without executing any malicious scripts, and without password spraying or phishing attempts. But it is highly possible: by stealing the AD FS server's token-signing certificate, an attacker can access Azure/Office 365. This certificate is valid for a year by default, and it allows an attacker to log into Azure/Office 365 as an AD user, despite password resets or MFA. As a result, the attacker maintains persistence and has a method of re-entering the environment while avoiding detection.

This process is part of the Golden SAML attack, a technique that enables attackers to forge SAML responses and bypass AD FS authentication to access federated services. An attacker hijacks or gains access to the AD FS server, extracts the secret used to produce SAML tokens, and uses it to obtain access to the Office 365 Azure AD environment. Different attackers may use different tactics, but the fundamental goal remains the same: take over AD FS and steal the SAML token-signing material. With it, the attacker will be able to access the following resources:

  • Azure / Azure Active Directory
  • Office 365 (the cloud-based version of Microsoft Office)
  • Applications in Azure (which they can further backdoor)
  • Microsoft Defender Security Center

However, AD FS now only issues a new refresh token if the new refresh token's validity is longer than the prior token's. A token's maximum lifetime is 84 days, although AD FS keeps it valid for a 14-day sliding window. A new refresh token will not be issued if the existing refresh token is valid for 8 hours, which is the standard SSO time.

What is ADFS?

  • Active Directory Federation Services provides a means of managing online identities and providing single sign-on capabilities. Microsoft 365 consists of various services such as Microsoft Exchange, SharePoint, and Lync. Since Microsoft's servers run in the cloud, you cannot join them to your domain directly.
  • Since Microsoft 365 requires an Active Directory environment, Microsoft creates a dedicated domain in the cloud for your subscription. Directory synchronization (using the DirSync tool) automatically creates accounts in Microsoft's domain that match the accounts within your local domain.
  • For these synced accounts, the passwords associated with them can be an issue, and this is where Active Directory Federation Services comes into play.

How attackers generate SAML token:

To generate a SAML token, attackers go through several stages. The following is a step-by-step breakdown of the procedure:

1-Initial Access:

  • As a first step, the attacker gains access to credentials of a server or workstation within the organization's domain and establishes a foothold on it. Since there are many ways to do this, it is up to the attacker to decide how.


2-Attaining privileged account:

  • The next stage is obtaining/enumerating the usernames of the AD FS server administrators and the AD FS process owner. Because there are many enumeration tools for these activities, it is a simple procedure. The "process owner" account is the only one with the ability to "harvest" the SAML token. The SAML token is a security token that is used to authenticate users into the Office 365/Azure environment.
  • SAML works by passing information about users, logins, and attributes between the identity provider and service providers. Each user logs in once to single sign-on with the identity provider, and the identity provider then passes SAML attributes to the service provider when the user attempts to access those services.

3-Gaining AD FS process owner account credential:

  • Using Mimikatz, a credential dumping tool, or any other tool, the attacker can acquire the NTLM hashed password of the AD FS process owner account, since that account was identified in the previous stage.

4-Logging & Staying in AD FS server:

  • The next step is to log into the AD FS server with the AD FS process owner account using the credentials obtained in the previous stage. This differs depending on the actor; it is usually done with the pass-the-hash method, but it can also be done with alternative methods.

5- Obtaining token-signing certificate from the AD FS server:

  • SAML tokens are used by AD FS servers to perform user authentication. When users authenticate to Office 365, Microsoft validates the SAML tokens by verifying that the token isn't expired, that the token's ImmutableID matches a user present in Azure AD, and that the token signature is valid.
  • The goal of this attack is to obtain the token-signing certificate and private key used by AD FS to sign the SAML tokens issued for authentication. Once they have this, an attacker can log in, authenticate, and access Azure AD and Office 365 as any other AD user. This allows authentication even if a user resets their AD password.
  • To log on as any user, the attacker simply needs the ImmutableID of that user, a unique identifier associated with each user in Azure AD. The ImmutableID can be fetched and viewed by any user regardless of permissions, provided that the user is part of Azure AD or on-premises AD.
  • There are multiple ways to fetch this certificate: with an automated tool to obtain an AD FS dump, or by stealing the WID database files manually, such as C:\Windows\WID\Data\AdfsConfiguration.mdf and C:\Windows\WID\Data\AdfsConfiguration_log.ldf. One more method is querying the configuration database from PowerShell with "SELECT ServiceSettingsData FROM IdentityServerPolicy.ServiceSettings".


6-Obtaining Distributed Key Manager & decrypting token-signing certificate:

  • The token-signing certificate is encrypted by default and must be decrypted using the "DKM", or Distributed Key Manager, key. The attacker must therefore first obtain the DKM key in order to decrypt the certificate.
  • It is not difficult for the attacker to acquire access to the DKM at this point in the attack. This can be accomplished by querying the DKM certificate container with PowerShell and then feeding the results to a generic tool such as AdFind.exe to extract the DKM key.
  • An attacker can then decrypt the token-signing certificate using the DKM key with a variety of tools available online.

7- Generating a SAML token:

With the key/certificate pair in hand, the attacker can generate a signed security token (SAML token) that allows them to log into Office 365 as a user. This can be accomplished by sending the SAML token in a POST request, for example crafted and replayed in Burp Suite.

Detecting Techniques:

Detection Method 1: While exfiltrating the DB files:

  • Data exfiltration is the theft or unauthorized removal or movement of any data from a device.
  • Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they have collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption.
  • This can be detected by enabling proxy logs, enabling rules in the EDR or doing command-line analysis, and by other signs of exfiltration on the disk.

Detection Method 2: For ADFS Lateral Movement:

  • When the stolen NTLM hashed password is used, typically via a pass-the-hash (PtH) attack, monitor Windows Security Event ID 4624 with Logon Type 9, Authentication Package: Negotiate and Logon Process: seclogo.


Detection Method 3: Credential dumping tools:

  • Use an EDR tool, or monitor command-line logging in Sysmon. The Attivo tool provides defenses against identity compromise, privilege escalation, and lateral movement attacks; a rule for credential dumping can be set there.

Detection Method 4: While stealing DKM Access:

  • Monitor Windows Event ID 4662, because it is logged when the DKM container is accessed via PowerShell on the AD FS server.
  • Hunt for the indicators of AdFind.
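As an added example (not code from the article), the two rules from Detection Methods 2 and 4 expressed over constructed sample events in Event Viewer "Key: Value" style. The event texts and the account names are made up; the DKM container path under CN=ADFS,CN=Microsoft,CN=Program Data is the standard AD FS location.

```python
import re

# Constructed sample events (not real logs), one string per event.
SAMPLE_EVENTS = [
    "EventID: 4624\nLogon Type: 9\nAuthentication Package: Negotiate\nLogon Process: seclogo\nAccount Name: svc_adfs",
    "EventID: 4624\nLogon Type: 2\nAuthentication Package: Negotiate\nLogon Process: User32\nAccount Name: alice",
    "EventID: 4662\nObject Type: contact\nObject Name: CN=CryptoPolicy,CN=ADFS,CN=Microsoft,CN=Program Data,DC=corp,DC=local\nAccount Name: jdoe",
    "EventID: 4662\nObject Type: user\nObject Name: CN=bob,CN=Users,DC=corp,DC=local\nAccount Name: svc_backup",
]

def parse_event(text):
    """Turn 'Key: Value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def is_pth_logon(ev):
    """Detection Method 2: 4624 with logon type 9, Negotiate and seclogo."""
    return (ev.get("eventid") == "4624" and ev.get("logon type") == "9"
            and ev.get("authentication package", "").lower() == "negotiate"
            and ev.get("logon process", "").lower() == "seclogo")

def is_dkm_access(ev):
    """Detection Method 4: 4662 object access under the AD FS DKM container."""
    name = ev.get("object name", "").lower()
    return ev.get("eventid") == "4662" and "cn=adfs,cn=microsoft,cn=program data" in name

def hunt(events):
    """Run both rules over raw event texts; return (rule, account) alerts."""
    alerts = []
    for raw in events:
        ev = parse_event(raw)
        if is_pth_logon(ev):
            alerts.append(("pth_logon", ev.get("account name")))
        elif is_dkm_access(ev):
            alerts.append(("dkm_access", ev.get("account name")))
    return alerts
```

In production the same rules would read the EventData fields from the XML view rather than the text shown in Event Viewer, but the field names are identical.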

Detection Method 5: Forged SAML Request:

  • Azure AD sign-in logs vs. AD FS security logs: correlate the two datasets and check that every federated sign-in recorded in Azure AD has a matching token issuance on the AD FS server. A forged token never passes through AD FS, so a sign-in with no AD FS counterpart is the signal. Note that these may not be direct line-by-line matches, because Azure AD sign-ins are not stored in the logs immediately.
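As an added example (not the article's code), the correlation described above over constructed records: Azure AD sign-ins are matched to AD FS token issuances for the same user within a tolerance window, so the ingestion delay mentioned above does not matter. The users, times and IPs are made up, and the ten-minute window is an assumption to tune per environment.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs); timestamps are UTC.
AZURE_SIGNINS = [
    {"user": "alice@corp.example", "time": "2024-03-01T09:00:30Z", "ip": "203.0.113.10"},
    {"user": "bob@corp.example",   "time": "2024-03-01T09:05:10Z", "ip": "203.0.113.11"},
    {"user": "carol@corp.example", "time": "2024-03-01T10:12:00Z", "ip": "198.51.100.7"},
]
# Token issuances recorded on the AD FS server for the same period.
ADFS_ISSUED = [
    {"user": "alice@corp.example", "time": "2024-03-01T08:59:55Z"},
    {"user": "bob@corp.example",   "time": "2024-03-01T08:20:00Z"},  # 45 min before bob's sign-in
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_unmatched_signins(azure, adfs, window=timedelta(minutes=10)):
    """Return Azure AD sign-ins with no AD FS token issuance for the same user
    within +/- window. Timestamps are compared rather than log order, because
    Azure AD sign-ins can appear in the log later than AD FS records them."""
    issued = {}
    for ev in adfs:
        issued.setdefault(ev["user"].lower(), []).append(_ts(ev["time"]))
    unmatched = []
    for s in azure:
        t = _ts(s["time"])
        if not any(abs(t - i) <= window for i in issued.get(s["user"].lower(), [])):
            unmatched.append(s)
    return unmatched
```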

Listed below are a few options for remediation:

  • Reissue the AD FS certificates twice to invalidate the stolen token and verify that no copy of the stolen certificate is still cached in Azure AD.
  • Force reauthentication for all users, to ensure that users log in again with new SAML tokens and that any potentially malicious logged-in sessions are invalidated.



There is always a backdoor that can assist attackers in gaining access to a company, so it is a good idea to put up a fence to keep unwelcome bulls out. Keep in mind that authentication from an internal IP can still be a fraudulent login; if AD FS is not properly configured with all of the detection methods above, they will fail.


Anusthika Jeyashankar
Ambitious Blue Teamer; Enthused Security Analyst

