Golden SAML AD FS Mail Access

Metadata

Contributors: Roberto Rodriguez @Cyb3rWard0g

Creation Date: 2021/08/02

Modification Date: 2021/08/02

Tactics: TA0006, TA0001, TA0003, TA0004, TA0005, TA0009

Techniques: T1552.004, T1606.002, T1078.004, T1098.002, T1114

Tags: SimuLand

Dataset Description

This dataset represents a threat actor stealing the AD FS token signing certificate from an on-prem AD FS server to sign a new SAML token, impersonate a privileged user, and eventually collect mail data via the Microsoft Graph API.

Simulation Metadata