This article explores the legacy of Active Directory Federation Services (ADFS) in the context of Device Registration Services (DRS) and OAuth2. It highlights the ongoing relevance of ADFS despite Microsoft’s push towards Entra ID, delving into ADFS internals, OAuth2 integration, device authentication methods, and potential attack vectors. Affected Platform: ADFS, Entra ID
Keypoints :
- Microsoft is transitioning customers from ADFS to Entra ID but ADFS remains widely used.
- ADFS functions as an OAuth2 provider, not just a SAML token generator.
- Device Registration Services (DRS) can be configured in ADFS for managing device registrations.
- ADFS supports multiple authentication methods, including forms and Windows authentication.
- OAuth2 Device Code Flow can be exploited for phishing attacks against ADFS.
- Golden JWT attacks can be executed if the signing key is compromised.
MITRE Techniques :
- T1557.001 – Adversary-in-the-Middle: Exploiting OAuth2 Device Code Flow for phishing attacks.
- T1557.002 – OAuth2 Token Manipulation: Crafting and spoofing JWTs using compromised signing keys.
- T1556.001 – Credential Dumping: Accessing msDS-Device objects to authenticate as any user.
- T1078 – Valid Accounts: Leveraging existing accounts for unauthorized access through device authentication.
Indicator of Compromise :
- [domain] adfs.lab.local
- [url] https://claimsxray.net/token
- [url] https://claimsxray.net/deviceauth
- [email] [email protected]
- [others ioc] DRSClientIdentifier
- Check the article for all found IoCs.
Full Research: https://malware.news/t/adfs-living-in-the-legacy-of-drs/89938