SAML Post-Intrusion Attack Mirrors ‘Golden Ticket’

A proof-of-concept attack demonstrates how adversaries can abuse the Security Assertion Markup Language framework to go unnoticed and assume multiple user identities.

Researchers at CyberArk Labs have created a post-intrusion attack technique known as a Golden SAML that could allow an attacker to fake enterprise user identities and forge authentication to gain access to valuable cloud resources in a federation environment.

“Using this post-exploit technique, attackers can become any user they want to be – with the highest level of privileges – and gain approved, federated access to a targeted app,” according to CyberArk Labs who revealed the attack technique this week.

Researchers said this Golden SAML attack technique mirrors in many ways how the notorious Golden Ticket attacks work.

“The name resemblance is intended, since the attack nature is rather similar. Golden SAML introduces to a federation the advantages that Golden Ticket offers in a Kerberos environment – from gaining any type of access to stealthily maintaining persistency,” according to CyberArk Labs.

Golden Ticket is a type of attack against an IT infrastructure’s authentication protocols. Similar to Pass-the-Hash, Overpass-the-Hash and Pass-the-Ticket, a Golden Ticket attack is considered the most invasive because it provides an adversary with unrestricted access and control of an IT landscape via manipulation of the Windows Server Kerberos authentication framework.

Instead of targeting Windows Server Kerberos, a Golden SAML attack leverages the Security Assertion Markup Language 2.0 (SAML) protocol. SAML is an open standard for exchanging authentication and authorization data between an identity provider and a service provider.

“Golden SAML poses serious risk because it allows attackers to fake an identity and forge authentication to any cloud app (Azure, AWS, vSphere, etc.) that supports SAML authentication. Using this post-exploit technique, attackers can become any user they want to be – with the highest level of privileges – and gain approved, federated access to a targeted app,” researchers wrote.

SAML assertions are trusted and signed via a specific RSA key stored with an identity provider environment.

The prerequisites of such attacks, however, are considerable. Among other things, hackers will need the private key that signs the SAML objects, an Active Directory Federation Services user account, token-signing private key, an identity provider (IdP) public certificate and an IdP name.

Attackers must also gain access to where the identity management is taking place in order to gain access to those resources. Sometimes a third party handles the SAML key management, other times it is hosted within a company’s own domain.

“Once the attacker has gained access to this key, the attacker can create whatever SAML authentication object they want. They can be any user on the targeted service with any permissions on the system that they desire as long as they sign the SAML assertion with the stolen key,” said Shaked Reiner, a security researcher with CyberArk Labs in an interview with Threatpost.

As with the Microsoft Kerberos-based environments that enable Golden Ticket to work, a fix for Golden SAML is not trivial. “There isn’t anyone to blame here, but if you are using SAML you need to be aware of this problem,” said Doron Naim, senior security researcher with CyberArk Labs.

Microsoft doesn’t consider this a vulnerability because, in order to carry out a Golden SAML attack, an adversary must already have compromised a company’s network and have domain admin access, Naim said.

“As for the defenders, we know that if this attack is performed correctly, it will be extremely difficult to detect in your network,” researchers wrote. “We recommend better monitoring and managing access for the ADFS account, and if possible, auto-rollover the signing private key periodically, making it difficult for the attackers.”
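To make the defenders’ side concrete, the following is an added example (not CyberArk’s code or tooling) that applies the trust model described above: because a forged assertion is signed with the stolen key, the service provider’s signature check passes, so the detection has to correlate what the service provider accepted against the IdP’s own issuance records and against the IdP’s current signing key after a rollover. The record layout, the key-thumbprint field and the sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AcceptedAssertion:
    """What the service provider logged for an assertion it accepted (assumed layout)."""
    assertion_id: str
    subject: str
    signing_key_id: str   # thumbprint of the certificate whose key signed the assertion
    seen_at: datetime


@dataclass(frozen=True)
class IdpIssuance:
    """What the identity provider logged when it issued an assertion (assumed layout)."""
    assertion_id: str
    subject: str
    issued_at: datetime


def find_suspect_assertions(accepted, issued, current_key_ids, skew=timedelta(minutes=5)):
    """Return (assertion_id, reason) for accepted assertions that look forged.

    Two checks: the assertion was signed with a key that is not the IdP's
    current signing key (e.g. one retired by rollover), or the IdP has no
    issuance record for it (a forged token never passes through the IdP).
    """
    issued_by_id = {rec.assertion_id: rec for rec in issued}
    findings = []
    for a in accepted:
        if a.signing_key_id not in current_key_ids:
            findings.append((a.assertion_id, "signed with non-current IdP key"))
            continue
        rec = issued_by_id.get(a.assertion_id)
        if rec is None or rec.subject != a.subject or abs(a.seen_at - rec.issued_at) > skew:
            findings.append((a.assertion_id, "no matching IdP issuance record"))
    return findings


def demo():
    """Constructed sample logs: two genuine assertions and two forged ones."""
    t0 = datetime(2017, 11, 21, 10, 0, tzinfo=timezone.utc)
    current_keys = {"THUMB-2017"}  # the key the IdP currently signs with
    issued = [IdpIssuance("_a1", "alice@example.com", t0),
              IdpIssuance("_a2", "bob@example.com", t0 + timedelta(minutes=1))]
    accepted = [
        AcceptedAssertion("_a1", "alice@example.com", "THUMB-2017", t0 + timedelta(seconds=10)),
        AcceptedAssertion("_a2", "bob@example.com", "THUMB-2017", t0 + timedelta(seconds=70)),
        AcceptedAssertion("_a3", "admin@example.com", "THUMB-2017", t0 + timedelta(minutes=5)),
        AcceptedAssertion("_a4", "admin@example.com", "THUMB-2016", t0 + timedelta(minutes=6)),
    ]
    return find_suspect_assertions(accepted, issued, current_keys)
```

The correlation only works if the IdP’s issuance log is written to a store the attacker cannot edit, which is part of what “managing access for the ADFS account” buys you.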


  • A. King on

    Sounds like a great reason to go back to having passwords for everything, and buy CyberArk's privileged account management system. Or... Rather than doing that, do your PKI system a favor, and use an HSM that doesn't allow export of private keys.
  • ASmith on

    Everyone should be storing the keys to the kingdom for a Certificate Authority, SAML Server or Vault in a security hardware device such as Smart Card, TPM or HSM or at least follow Microsoft best practice and only allow Smart Card login to Tier 0 systems, eg. domain controllers and other authentication servers.
  • Headslap Emoji on

    *eyeroll* so you are telling us that if you are smart enough to compromise access to AD or an IdP then the protocol they use may also be compromised. Thanks for the insight, maybe next time put a disclaimer at the beginning warning the reader of the utterly common sense that is about to follow. In the words of my teenage daughters...DUH.
  • Sixto on

    That research has no sense. If you control the IdP (ADFS) you don't need to generate gold SAMLResponse.. you can keylog users' credentials from the authentication process and use them on IdP to access any connected service. Or if you have access to private keys... you can take the private key used for HTTPS, sniff the traffic, decrypt it and take users' credentials (old school stuff); don't need to play with SAML at all if you already own the IdP machine.
  • Jason T on

    I fail to see the similarities with the Kerberos Golden Ticket attack. This is nothing more than a post-exploitation user impersonation technique. I'm not sure it even qualifies as an "attack technique".
