ctipilot.ch

Machine DPAPI ADFS signing-key recovery ('Ghost in the Database')

tool · tool:adfs-machine-dpapi-key-recovery

Mandiant-documented Golden SAML variant recovering an active ADFS token-signing private key from the machine-scoped Windows CAPI key store via Machine DPAPI when the WID configuration database has drifted from the actively-used signing certificate (AutoCertificateRollover disabled, manual rotation) — enables SAML forgery without WID/DKM extraction or LSASS interaction (Mandiant, 2026-07-07).

Aliases: Ghost in the Database

Coverage timeline
1
first 2026-07-09 → last 2026-07-09
Entries
1
1 distinct days
Sources cited
4
3 hosts
Sections touched
1
deep-dive
Co-occurring entities
0
no co-occurrence

Story timeline

  1. 2026-07-09Mandiant "Ghost in the Database": recovering an active ADFS token-signing key from Machine DPAPI when the WID/DKM Golden SAML path fails
    deep-diveMandiant recovers a live ADFS signing key from Machine DPAPI — a Golden SAML variant that sidesteps the WID/DKM path and LSASS-watching detection

Where this entity is cited

  • deep-dive1

Source distribution

  • cloud.google.com2 (50%)
  • cyberark.com1 (25%)
  • itbrief.co.uk1 (25%)

Entries about Machine DPAPI ADFS signing-key recovery ('Ghost in the Database') (1)

2026-07-09 · view entry permalink →

NOTABLE

Mandiant "Ghost in the Database": recovering an active ADFS token-signing key from Machine DPAPI when the WID/DKM Golden SAML path fails

Background. Golden SAML — forging SAML assertions by stealing an identity provider's token-signing key — has been public tradecraft since CyberArk's 2017 disclosure (CyberArk, 2017), and Mandiant previously documented network-based extraction of ADFS secrets during the UNC2452/SolarWinds intrusions (Mandiant). The standard extraction path pulls the encrypted signing key from the ADFS Windows Internal Database (WID) and decrypts it with Distributed Key Manager (DKM) material stored in Active Directory. This new Mandiant write-up documents a variant that defeats that assumption when ADFS configuration has drifted.

During a red-team engagement, Mandiant found that ADFS deployments with AutoCertificateRollover disabled (Get-AdfsPropertiesAutoCertificateRollover: False) and certificates rotated manually can leave the WID configuration database holding only a stale "ghost" certificate record, while the ADFS service actually signs tokens with a newer certificate whose private key lives in the machine CAPI store (Mandiant, 2026-07-07). In that state the classic path still "works" mechanically — the WID blob decrypts via DKM — but Entra ID rejects the resulting token with AADSTS500172 because the key is no longer the one in use.

The key's real location and protection. The active private key sits under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\, with the certificate enrolled in the LocalMachine\My store. It is protected by Machine DPAPI (not user-bound DPAPI): the DPAPI_SYSTEM LSA secret plus machine masterkeys under the S-1-5-18 (SYSTEM) context at C:\Windows\System32\Microsoft\Protect\S-1-5-18\. Machine-scoping is deliberate — it keeps the key usable across service-account password changes, gMSA rotations and reboots — but it also means a SYSTEM-level actor can recover the key entirely from the host. Mandiant confirmed recovery with SharpDPAPI /machine, which enumerated the active key material under that path (the CNG Crypto\Keys store was not in use in the assessed environment) — no interaction with the live ADFS process or LSASS is required, reducing visibility for defenses that watch only credential-dumping/process-memory access (Mandiant, 2026-07-07).

Kill chain (ATT&CK). SYSTEM-level foothold on the ADFS host → recover Machine-DPAPI-protected masterkeys and the CAPI signing key (T1552 Unsecured Credentials, via SharpDPAPI /machine) → forge a SAML assertion impersonating a Global Administrator (T1606.002 Forge Web Credentials: SAML Tokens) → Entra ID accepts it as a valid federated authentication assertion, yielding Global Administrator access to the Microsoft 365 tenant with MFA and conditional access fully bypassed (T1078.004 Valid Accounts: Cloud Accounts). Because the forged assertion is honoured for all SAML relying-party trusts, the blast radius extends to every SaaS platform federated through the same ADFS, not just Microsoft services.

Hunt and detection. The drift condition itself is observable: ADFS Event ID 385 fires when the WID record and the actively-used signing certificate diverge, and self-resolves only once AutoCertificateRollover is re-enabled and a rollover runs. For key-theft detection, Mandiant recommends SACL-based object-access auditing (Security Event ID 4663) on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ and C:\Windows\System32\Microsoft\Protect\S-1-5-18\, treated as correlation evidence rather than a standalone signal. The strongest analytic is cross-source: correlate ADFS token-issuance/claims events (Event IDs 299 and the 1200-series, version-dependent) against Entra ID sign-in logs to surface federated sign-ins with no matching upstream authentication context, baselining claim sets, IP ranges and user-agents per relying-party trust for privileged accounts — neither log source alone is sufficient (Mandiant, 2026-07-07).

Hardening. Migrate token-signing certificates to an HSM to eliminate the software-accessible key and thus the Machine DPAPI extraction path entirely; run ADFS under gMSA to reduce manual-rotation drift; govern ADFS servers as Tier 0 (restricted admin paths, dedicated PAWs, separation from general server administration). When AutoCertificateRollover is disabled, a manual rotation must include Set-AdfsCertificate — installing the certificate alone is insufficient — and be validated with Get-AdfsCertificate; a subsequent Event ID 385 signals lingering inconsistency. Organisations migrating to native OIDC federation remove this attack path altogether (Mandiant, 2026-07-07). ADFS remains widely deployed for on-prem/hybrid identity across Swiss and EU public-sector estates mid-migration to Entra ID, making this a direct Tier 0 hardening item for the constituency.

Successfully obtaining this active key allows an attacker to forge valid SAML assertions for any user, bypassing the need for user credentials and multi-factor authentication

The recovered key was used to forge a SAML assertion impersonating a Global Administrator identity, which Entra ID accepted as a valid authentication assertion

Configure object access auditing via SACLs on C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\ and C:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\. When configured correctly, this generates Security Event ID 4663 for file access attempts.

Mandiant (Google Cloud Blog / GTIG) 2026-07-07
research09 Jul 04:32Zmulti-sourceOpen finding ↗