THREATOPS
THREAT OPSThreat News › The ‘Ghost’ in the Database: Recovering Active ADFS Signing Keys via Machine DPAPI

The ‘Ghost’ in the Database: Recovering Active ADFS Signing Keys via Machine DPAPI

medmandiant_gtiPublished 2026-07-07

<div class="block-paragraph_advanced"><p>Written by: Shebin Mathew</p> <hr /></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">The "Golden SAML" technique, first described by </span><a href="https://www.cyberark.com/resources/threat-research

Attributed threat actors

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://cloud.google.com/blog/topics/threat-intelligence/recovering-active-adfs-signing-keys-machine-dpapi/