The ‘Ghost’ in the Database: Recovering Active ADFS Signing Keys via Machine DPAPI

A recent discovery by Mandiant shows that manually rotating ADFS certificates can leave active signing keys exposed in Machine DPAPI, allowing attackers to forge SAML tokens and bypass MFA. This attack vector is particularly concerning as it avoids direct interaction with heavily monitored components. To defend against this, organizations should ensure that AutoCertificateRollover is enabled and monitor for configuration drift. This can be achieved by regularly checking the WID database and machine-scoped cryptographic store for any discrepancies.

Source →
FeedLens — Signal over noise Last 7 days