データベースの「幽霊」:Machine DPAPIによるADFSアクティブ署名キーの復元手法 The ‘Ghost’ in the Database: Recovering Active ADFS Signing Keys via Machine DPAPI
ADFSのトークン署名キーがMachine DPAPIを通じてデータベースから復元可能であることを示した脅威調査で、攻撃者によるSAMLトークン偽造とフェデレーション認証の乗っ取りリスクが明らかになった。
English summary
- This threat intelligence research shows how active ADFS signing keys can be recovered from databases via Machine DPAPI, letting attackers forge SAML tokens and compromise federated authentication.
米グーグル傘下の脅威インテリジェンス部門が、Active Directoryフェデレーションサービス(ADFS)で使われるトークン署名キーを、Machine DPAPIを介して構成データベースから復元できることを示す調査結果を公表した。攻撃者がこの「アクティブな」署名キーを入手すれば、正規のSAMLトークンを偽造してフェデレーション認証を乗っ取れる恐れがあり、クラウドを含む広範なアクセス権限を奪われる可能性がある。
ADFSは、社内のActive Directoryと外部のクラウドサービスをつなぐシングルサインオン(SSO)基盤で、認証結果をSAMLトークンとして発行する。このトークンは秘密の署名キーで署名されており、受け取り側は署名を検証して正当性を判断する。つまり署名キーを握られると、任意のユーザーになりすましたトークンを発行できてしまう。
従来、この種の攻撃は「Golden SAML」と呼ばれ、SolarWinds事件に関与したとされる攻撃グループなどが用いたことで知られる。攻撃には署名証明書の抽出が必要とされてきたが、ADFSは署名キーの秘密部分をDKM(分散キーマネージャ)で暗号化し、その保護にDPAPIを利用している。今回の調査は、ユーザー文脈の資格情報ではなくMachine DPAPIのマスターキーを使うことで、データベースに保存された稼働中の署名キーを直接復元できる点を具体的に示したものだ。
「幽霊(ghost)」という表現は、通常はメモリ上でのみ扱われるはずのキー素材がデータベース内に残存し、参照可能な状態にある状況を指すとみられる。この手法が成立すると、証明書のエクスポートを前提とした既存の防御策や監視の網をすり抜けられる可能性がある。
対策としては、ADFSサーバーおよびDKMマスターキーへのアクセスを厳格に制限し、管理者権限の乱用を検知することが重要になる。加えて、マイクロソフトはADFSからクラウドベースのMicrosoft Entra IDへの移行を推奨しており、フェデレーション基盤そのものの近代化も選択肢となる。組織には、署名キーの定期的なローテーションや、異常なトークン発行を洗い出す監査ログの確認を通じて、リスク低減を図ることが求められる。
Active Directory Federation Services (ADFS) remains a cornerstone of enterprise single sign-on, so any weakness in how it protects its signing material carries outsized consequences. New threat intelligence research demonstrates that an ADFS server's active token-signing key can be recovered directly from its configuration database using the Windows Machine Data Protection API (DPAPI), giving an attacker who reaches the right host the ability to forge SAML tokens and impersonate any federated user.
The significance lies in what the token-signing key unlocks. ADFS issues SAML assertions that downstream services, including cloud platforms such as Microsoft 365, trust to authenticate users. Because those assertions are validated against the signing certificate rather than re-checked against a live directory, whoever controls the private key can mint tokens for arbitrary identities, populate arbitrary claims, and effectively bypass multi-factor authentication enforced at the identity provider. This class of attack is widely known as "Golden SAML," first documented by CyberArk researchers in 2017 and later observed in the 2020 SolarWinds intrusion, where actors abused forged tokens to move into cloud environments.
Historically, extracting that key was thought to require the Distributed Key Manager (DKM) master key, a secret stored in a protected Active Directory container and used to decrypt the signing material at runtime. Tooling such as ADFSDump and ADFSpoof was built around that workflow. The research reframes the problem: the signing key persists inside the ADFS configuration database, hosted in the Windows Internal Database or a dedicated SQL Server instance, and appears to be recoverable through Machine DPAPI on the ADFS server itself. The "ghost in the database" framing captures the idea that the live key sits as a decryptable artifact within storage that defenders may not treat as sensitive.
Machine DPAPI is the system-scoped variant of Windows' data protection service. Where user DPAPI ties encrypted secrets to a user's logon credentials, the machine variant binds material to the local computer, meaning code running with sufficient privilege on the box can request decryption without a specific user's password. In practice, that means an actor operating as SYSTEM or local administrator on an ADFS server, or able to execute within the ADFS service context, may be positioned to unwrap the signing key using the machine's own protection scope.
It is worth stressing the prerequisites. This is a post-compromise escalation technique rather than a remote, unauthenticated exploit. The attacker must already have privileged access to the ADFS host, so the finding is most relevant to lateral movement and persistence scenarios in which an intruder has established a foothold in the identity infrastructure. That framing reinforces long-standing guidance that ADFS servers should be treated as Tier 0 assets, on par with domain controllers, and isolated accordingly.
The technique also illustrates why federated identity systems are attractive targets. Compromising a single signing key is more durable than stealing individual credentials, because token forgery survives password resets and can persist until the certificate is rotated. Defenders can reduce exposure by tightly restricting who can log on to ADFS servers, monitoring for anomalous access to the configuration database and the DKM container, enforcing automatic certificate rollover, and rotating signing certificates twice to fully invalidate a suspected-stolen key. Detection products such as Microsoft Defender for Identity and SIEM rules that flag unusual token issuance patterns can help surface abuse after the fact.
The broader context is Microsoft's ongoing push to migrate customers away from on-premises ADFS toward cloud-based authentication in Entra ID, formerly Azure AD, using managed methods such as password hash synchronization or pass-through authentication. Cloud-hosted identity does not eliminate token-forgery risk, but it shifts key custody to the provider and narrows the on-premises attack surface that techniques like this one depend on. For organizations that must retain ADFS, the research is a reminder that protecting the signing key requires securing not only the DKM secret in Active Directory but also the configuration database and the DPAPI scope that guards it.
As with any offensive research, the practical impact will depend on how readily the method generalizes across ADFS versions and configurations, which further testing and vendor response are likely to clarify.
本ページの本文・要約は AI による自動生成です。正確性は元記事 (cloud.google.com) をご確認ください。