Operator On The Wire
BLUE TEAM / THREAT HUNT / ACTIVE DIRECTORY / ADFS

Golden SAML

This note documents detection patterns related to Golden SAML within Active Directory and federation environments. Golden SAML is the forging of SAML tokens with a stolen AD FS token-signing certificate: once an attacker holds that certificate (and the DKM key that protects it), they can mint a token for any user with any claims, and the relying party accepts it because the signature is genuine, even though AD FS and Active Directory were never involved in the authentication.


Direct Indicators

Log | Event ID | Meaning | Forensic Value | Notes
AD FS audit (Security log, source "AD FS Auditing") | 1200 | The Federation Service issued a valid token | Critical | One event per token AD FS issued, with the relying party and user in the payload. A forged token never passes through AD FS, so a federated cloud sign-in with no matching 1200 is the primary Golden SAML signal.
AD FS audit (Security log) | 1202 | The Federation Service validated a new credential | High | AD FS authenticated the user's credential. A 1200 is normally preceded by a 1202, although SSO from an existing AD FS session issues a 1200 without a new 1202.
Security | 4624 | Successful logon | High | Logon to the AD FS servers or to on-premises resources. A forged token presented to a cloud service never touches on-premises AD and produces no 4624; use this event to find the attacker's own logons to the AD FS or configuration database hosts.
Security | 4769 | Kerberos service ticket request | Medium | May appear if the attacker pivots back to AD resources.
Azure AD sign-in logs | (none) | Interactive sign-in with TokenIssuerType ADFederationServices | Critical | Sign-in authenticated with a token from the federated identity provider; this is the record a forged token actually produces.
Sysmon | 1 | Process creation | Medium | Execution of tools interacting with the AD FS configuration (for example ADFSDump, Mimikatz, or PowerShell against the configuration database).

The 1200 and 1202 audit events are written only when AD FS auditing is enabled (Set-AdfsProperties -AuditLevel Verbose on AD FS 2016 and later, plus the "Application Generated" audit subcategory enabled with auditpol on each AD FS server). Confirm they are present in the AD FS servers' Security log and collected centrally before building a detection on their absence.

Indirect Indicators

Indicator | What To Look For | Forensic Value | Notes
Unexpected SAML authentication | Federated sign-ins for users who never use that application, or with claims (group membership, MFA status) that do not match the user's on-premises state | Critical | Golden SAML lets the attacker mint a token for any user with any claims; the relying party verifies only the signature, not whether AD FS actually authenticated the user.
Authentication without AD FS login | Federated cloud sign-in with no AD FS 1200 (token issued) for the same user in the preceding minutes | Critical | Token forged offline. Requires AD FS auditing enabled and the AD FS Security log collected centrally; correlate interactive sign-ins only, since token refreshes do not go back through AD FS.
Use of privileged accounts via federation | Admin accounts authenticating through AD FS, especially to management portals | High | May indicate forged token usage; compare against the account's normal applications and source IPs.
Token issuance outside normal patterns | Federated sign-ins at unusual times, from unusual networks, or at abnormal frequency | High | Potential abuse of the federation trust.
AD FS certificate compromise indicators | Token-signing certificate read or exported: access to the AD FS configuration database (WID or SQL) by anything other than the AD FS service account, reads of the DKM container in AD, or private key export on the AD FS servers | Critical | Key requirement for the Golden SAML attack. The certificate is stored encrypted in the configuration database and decrypted with the DKM key held in AD, so both are targets.

Common Tools

Tool | Usage
ADFSDump | Reads the encrypted token-signing certificate and the rest of the AD FS configuration from the configuration database, plus the DKM key from Active Directory that is needed to decrypt it.
ADFSpoof | Decrypts the dumped certificate with the DKM key and generates forged SAML tokens signed with it.
Mimikatz | Extracts AD FS signing certificates and keys from memory or disk.
PowerShell AD FS module | Enumerates the federation configuration (Get-AdfsProperties, Get-AdfsCertificate, Get-AdfsRelyingPartyTrust); legitimate for administrators, suspicious from an unexpected principal or host.
Custom SAML forging scripts | Create forged tokens for authentication bypass.

Relevant Artifacts

  • ADFS event logs
  • Azure AD sign-in logs
  • Security logs (4624 on AD FS and on-premises hosts; AD FS audit events 1200/1202 also land in the AD FS servers' Security log)
  • ADFS configuration database (WID or SQL) and the DKM container in Active Directory
  • Token-signing certificate files
  • Sysmon logs (process creation)
  • EDR telemetry detecting certificate access
  • Network logs for federation authentication

MITRE ATT&CK References

  • T1606 Forge Web Credentials
  • T1606.002 SAML Tokens
  • T1552 Unsecured Credentials

Decision Tree

  1. Is the suspicious event present?
    • Identify sign-ins authenticated with a federated token (Azure AD sign-in logs with TokenIssuerType ADFederationServices, or the equivalent field at another relying party).
  2. What host generated the authentication?
    • Determine the source IP and the client or device performing the access, and compare them with the user's known locations and devices.
  3. Is the account expected to authenticate through federation?
    • Investigate the account's normal authentication patterns: applications, times, source networks, and whether the account is privileged.
  4. Pivot:
    • Federation logs → look for the AD FS 1200 (token issued) and 1202 (credential validated) events for the same user in the minutes before the sign-in.
    • Certificate access → investigate exposure of the token-signing certificate: configuration database reads, DKM key reads in AD, certificate or key export on the AD FS servers.
    • Cloud logs → review Azure AD sign-in activity for the user and for other users from the same source IP.
  5. Confirm exploitation
    • A federated sign-in with no matching AD FS token issuance means the token was forged outside AD FS; treat the token-signing certificate as compromised and rotate it.
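The correlation at the heart of the "Authentication without AD FS login" indicator and of steps 4 and 5 of the decision tree, as an added example that is not part of the original page: federated interactive sign-ins are matched against AD FS 1200 token-issuance events for the same user within a short window, and any federated sign-in without one is flagged, with privileged accounts raised separately. Both record sets are constructed samples reduced to the fields the logic needs; the privileged-account list and the field names of the reduced records (time, upn, issuer, ip, app) are assumptions of the example, while the TokenIssuerType value ADFederationServices is the real Azure AD sign-in log value.

```python
"""Correlate Azure AD federated sign-ins with AD FS token issuance (Event ID 1200)."""
from datetime import datetime, timedelta, timezone

# Accounts this example treats as privileged (assumed list, not from the page).
PRIVILEGED = {"adm-carol@corp.example", "svc-backup@corp.example"}

# Constructed Azure AD interactive sign-in records, reduced to the fields the
# correlation needs. TokenIssuerType distinguishes tokens issued by AD FS
# ("ADFederationServices") from cloud-native ones ("AzureAD").
SIGNINS = [
    {"time": "2024-03-01T09:00:05Z", "upn": "alice@corp.example",
     "issuer": "ADFederationServices", "ip": "203.0.113.10", "app": "Exchange Online"},
    {"time": "2024-03-01T09:30:00Z", "upn": "bob@corp.example",
     "issuer": "AzureAD", "ip": "203.0.113.11", "app": "Microsoft Teams"},
    {"time": "2024-03-01T11:12:41Z", "upn": "svc-backup@corp.example",
     "issuer": "ADFederationServices", "ip": "198.51.100.7", "app": "Azure Portal"},
    {"time": "2024-03-01T13:05:30Z", "upn": "adm-carol@corp.example",
     "issuer": "ADFederationServices", "ip": "203.0.113.12", "app": "Azure Portal"},
]

# Constructed AD FS audit events 1200 ("The Federation Service issued a valid
# token"), with the user already parsed out of the event's XML payload.
ADFS_1200 = [
    {"time": "2024-03-01T08:59:58Z", "upn": "alice@corp.example"},
    {"time": "2024-03-01T13:05:22Z", "upn": "adm-carol@corp.example"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in both sample sources."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(signins, adfs_events, lookback=timedelta(minutes=10),
              skew=timedelta(seconds=30)):
    """Return one finding per federated sign-in that has no AD FS 1200 event for
    the same UPN in [sign-in - lookback, sign-in + skew], or that belongs to a
    privileged account. `skew` absorbs clock drift between the AD FS servers and
    the cloud timestamps; `lookback` covers the normal delay between token
    issuance at AD FS and the sign-in being recorded at the relying party."""
    issued = {}
    for event in adfs_events:
        issued.setdefault(event["upn"].lower(), []).append(parse_ts(event["time"]))

    findings = []
    for signin in signins:
        if signin["issuer"] != "ADFederationServices":
            continue  # cloud-native sign-in: AD FS was never in the path
        upn = signin["upn"].lower()
        when = parse_ts(signin["time"])
        matched = any(when - lookback <= t <= when + skew for t in issued.get(upn, []))

        reasons = []
        if not matched:
            reasons.append("federated sign-in with no AD FS 1200 token issuance")
        if upn in PRIVILEGED:
            reasons.append("privileged account authenticating through federation")
        if reasons:
            findings.append({
                "upn": signin["upn"], "time": signin["time"], "ip": signin["ip"],
                "app": signin["app"],
                # a missing 1200 is the forgery signal; privileged use alone is a lead
                "severity": "critical" if not matched else "high",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SIGNINS, ADFS_1200):
        print(f'{finding["severity"].upper():8} {finding["time"]} {finding["upn"]} '
              f'{finding["ip"]} {finding["app"]}: {"; ".join(finding["reasons"])}')
```

Run against the samples, alice's sign-in is cleared by the 1200 event seven seconds earlier, bob's cloud-native sign-in is skipped, svc-backup is flagged critical (no token issuance at all, plus privileged), and adm-carol is flagged high only because the account is privileged. In production the user must be extracted from the 1200 event payload, and the sign-in source must be limited to interactive sign-ins, since token refreshes never revisit AD FS and would otherwise all appear as orphans.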

Example Detection Templates

KQL

// Interactive sign-ins whose token was issued by AD FS; cloud-native sign-ins carry TokenIssuerType "AzureAD"
SigninLogs
| where TokenIssuerType == "ADFederationServices"
| summarize count() by UserPrincipalName, IPAddress, AppDisplayName, bin(TimeGenerated, 5m)

// AD FS token issuance (Event ID 1200) from the AD FS servers' Security log; a federated
// sign-in above with no 1200 for that user in the preceding minutes is the Golden SAML signal
SecurityEvent
| where EventID == 1200
| summarize count() by Computer, bin(TimeGenerated, 5m)

EQL

// Field names assume the Elastic Azure integration's sign-in log mapping
any where event.dataset == "azure.signinlogs" and
  azure.signinlogs.properties.token_issuer_type == "ADFederationServices"

Sigma

title: Federated Sign-in Issued by AD FS
id: golden-saml-detection
status: experimental
description: Flags interactive Azure AD sign-ins whose token was issued by AD FS, as the baseline for correlation against AD FS Event ID 1200; a federated sign-in with no matching token issuance indicates a forged token
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    TokenIssuerType: ADFederationServices
  condition: selection
fields:
  - UserPrincipalName
  - IPAddress
  - AppDisplayName
falsepositives:
  - Legitimate federated authentication; correlate with AD FS token issuance before alerting
level: high
tags:
  - attack.persistence
  - attack.credential_access
  - attack.t1606.002

Mitigation & Hardening

Control Area | Mitigation | Effectiveness | Notes
Certificate protection | Secure the AD FS token-signing certificate and the DKM key that protects it: restrict the configuration database and the DKM container in AD to the AD FS service account | Critical | Prevents token forgery.
Monitoring | Alert on federated sign-ins with no matching AD FS 1200 event, and on unusual federated authentication | High | Detects potential abuse.
Key rotation | Rotate the token-signing certificate on a schedule and immediately after suspected compromise, and update the federation trust on the relying-party side so tokens signed with the old certificate are rejected | High | Limits the persistence window; a rotation the relying party does not pick up leaves the stolen certificate valid.
Least privilege | Restrict administrative access to the AD FS servers and the configuration database host | High | Reduces risk of certificate compromise.
Threat hunting | Review authentication patterns across cloud services | Medium | Detects abnormal activity.