ctipilot.ch
← Back to Weekly 2026-W28
NOTABLENATOB1research

Trust-primitive forgery was a research theme this week: recovering live ADFS signing keys, and minting a second 'Verified' GitHub commit

discovered 2026-07-12 23:40 UTCrun 2026-07-12T2309Z-weekly2 sourcesmulti-source

Two of the week's research findings share an underappreciated theme: they forge a trust primitive that downstream systems and humans treat as authoritative, rather than exploiting a memory-corruption bug.

The heavier of the two, for the constituency, is Mandiant/GTIG's ADFS token-signing-key recovery. ADFS stores its certificate private keys under Machine DPAPI, so any SYSTEM-level process on the ADFS host can recover them independently of the live service or LSASS; when AutoCertificateRollover is disabled and an admin rotates a signing certificate manually without a matching WID update, the database retains a "ghost" record while the real signing key stays live in the machine key store. With that key, an attacker forges arbitrary SAML assertions to impersonate any federated user — Global Administrators included — against every SAML-federated app including Microsoft 365 and Entra ID, "bypassing multifactor authentication (MFA), conditional access, and all identity-based controls," and deliberately avoids the LSASS/live-ADFS surfaces defenders usually watch (Mandiant, 2026-07-09). The detectable side-effect is Event ID 385 (certificate-rollover mismatch), and Mandiant's guidance is to treat ADFS as Tier-0, move to HSM-backed keys, validate rotations with Set-AdfsCertificate, and SACL-audit the MachineKeys directory (Event ID 4663). The second finding, Git commit-signature malleability, lets an attacker produce a second commit with a different hash that still renders GitHub's "Verified" badge — collapsing the assumption that a verified-signed commit uniquely identifies its content (The Hacker News, 2026-07-09).

Why this belongs in the week's research lens: both extend a running arc — after last week's Keycloak JWT-forgery and OAuth-abuse research, this week's items give the on-premises-AD equivalent (ADFS) and a code-supply-chain equivalent (signed commits), each with a concrete detection surface the earlier work lacked.

ATT&CK mapping

2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Credential Access TA0006
T1552.004Unsecured Credentials: Private Keys

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.

overlap matrix · ATT&CK page ↗

T1606.002Forge Web Credentials: SAML Tokens

An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate. The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions ...</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>. Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.