THREAT OPS › Threat News › The ‘Ghost’ in the Database: Recovering Active ADFS Signing Keys via Machine DPAPI
The ‘Ghost’ in the Database: Recovering Active ADFS Signing Keys via Machine DPAPI
<div class="block-paragraph_advanced"><p>Written by: Shebin Mathew</p> <hr /></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">The "Golden SAML" technique, first described by </span><a href="https://www.cyberark.com/resources/threat-research
Attributed threat actors
- APT29G0016
MITRE ATT&CK techniques
Indicators of compromise
- https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-appsurl