Max Keasley
Max is a Security Consultant working at WithSecure with a speciality in Microsoft and macOS ecosystems. He has 4 years of security experience with an interest in reverse engineering, operating system internals and low-level security.
Sessions
Active Directory Federation Services (AD FS) is a Microsoft technology providing Active Directory users with federated SSO access to applications located within and across organisational boundaries, and to cloud applications. AD FS is an attractive target for threat actors, as it holds the keys to impersonating any user on any federated service.
Due to the high impact of a compromise, AD FS servers are often protected to the same degree as Domain Controllers and other "Tier 0" services. The configuration database used by the AD FS service is often located on a SQL Server cluster along with the databases of other, lower tier, services, however. This configuration exposes AD FS to attacks from users with Database Administrator (dba) privileges or threat actors who have compromised the SQL Server host some other way.
While previous attacks against AD FS federated logins (e.g. the MagicWeb malware[1]) have required compromising the AD FS server, this session will present a novel technique resulting in impersonation of any identity through modifying the contents of the configuration database without any requirements on privileged access to the AD FS server. It will provide offensively-minded attendees with another technique with which to target Active Directory-based estates. Blue teamers in attendance will walk away with an understanding of the artefacts and detection opportunities associated with this new attack vector.
[1] https://www.microsoft.com/en-us/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/