Silver SAML Forger: Implement the Silver SAML attack
Silver SAML Forger
Silver SAML Forger is a C# tool that helps you create custom SAML responses signed with a certificate you supply. It can be used to implement the Silver SAML attack, in which an attacker who holds the private key of an externally generated SAML signing certificate forges responses for the applications that trust that certificate.
Defend against Silver SAML
To safeguard effectively against Silver SAML attacks in Entra ID, your organization should only use certificates generated by Entra ID for SAML signing. SAML signing certificates are stored on the service principal of a SAML application in Entra ID, and you can use the Microsoft Graph API to view what is exposed about the signing key: send a GET request to https://graph.microsoft.com/beta/servicePrincipals/{serviceprincipalobjectid} and inspect the keyCredentials collection and the preferredTokenSigningKeyThumbprint property of the response.
Organizations can audit existing service principals that are configured for SAML and check the displayName of each signing key credential. If the certificate currently in use was generated by Microsoft, its displayName is CN=Microsoft Azure Federated SSO Certificate. However, nothing prevents an attacker from importing an external certificate under that same name, so the name is a hint, not proof.
Example of the exposed information (figure not reproduced here). Note that the private key material of an Entra ID generated certificate is not exportable, which denies attackers the key they would need to launch a Silver SAML attack.
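The following script is an added example for this page, not code from the Silver SAML Forger project. It takes the JSON that the Graph servicePrincipal endpoint above returns and reports every X.509 credential with usage Sign, whether it carries the Entra-generated display name, and whether preferredTokenSigningKeyThumbprint points at one of them. The field names follow the Graph servicePrincipal and keyCredential resources; the assumption that customKeyIdentifier holds the base64-encoded SHA-1 thumbprint (while preferredTokenSigningKeyThumbprint is hex) is marked in the code, and SAMPLE_SP is a constructed response rather than real tenant data.

```python
"""Audit the SAML signing credentials exposed on an Entra ID service principal.

Added example, not part of the Silver SAML Forger project. Feed it the JSON
from GET https://graph.microsoft.com/beta/servicePrincipals/{objectId}.
"""
import base64
import json
import os
import urllib.request

ENTRA_SIGNING_CERT_NAME = "CN=Microsoft Azure Federated SSO Certificate"
GRAPH_SP_URL = "https://graph.microsoft.com/beta/servicePrincipals/{}"

# Constructed sample: the Entra-generated certificate is still present, but the
# preferred signing key now points at an imported certificate with another name.
SAMPLE_SP = json.loads("""{
  "id": "11111111-2222-3333-4444-555555555555",
  "displayName": "Contoso SAML App",
  "preferredTokenSigningKeyThumbprint": "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF",
  "keyCredentials": [
    {"keyId": "aaaa0001", "displayName": "CN=Microsoft Azure Federated SSO Certificate",
     "type": "AsymmetricX509Cert", "usage": "Sign",
     "customKeyIdentifier": "AQIDBAUGBwgJCgsMDQ4PEBESExQ=",
     "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z", "key": null},
    {"keyId": "aaaa0002", "displayName": "CN=Microsoft Azure Federated SSO Certificate",
     "type": "AsymmetricX509Cert", "usage": "Verify",
     "customKeyIdentifier": "AQIDBAUGBwgJCgsMDQ4PEBESExQ=",
     "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z", "key": null},
    {"keyId": "bbbb0001", "displayName": "contoso-sso-2024.pfx",
     "type": "AsymmetricX509Cert", "usage": "Sign",
     "customKeyIdentifier": "3q2+796tvu/erb7v3q2+796tvu8=",
     "startDateTime": "2024-03-01T00:00:00Z", "endDateTime": "2027-03-01T00:00:00Z", "key": null}
  ]
}""")


def thumbprint_hex(cred):
    """Upper-case hex thumbprint of one key credential.

    Assumption: customKeyIdentifier is the base64-encoded SHA-1 thumbprint,
    the same value preferredTokenSigningKeyThumbprint carries as hex.
    """
    raw = cred.get("customKeyIdentifier")
    return base64.b64decode(raw).hex().upper() if raw else ""


def signing_credentials(sp):
    """Only X.509 credentials with usage Sign can sign SAML responses."""
    return [c for c in sp.get("keyCredentials", [])
            if c.get("type") == "AsymmetricX509Cert" and c.get("usage") == "Sign"]


def audit_service_principal(sp):
    """Return signing-certificate details plus (code, detail) warnings."""
    preferred = (sp.get("preferredTokenSigningKeyThumbprint") or "").upper()
    report = {"servicePrincipal": sp.get("id"), "preferredThumbprint": preferred,
              "signingCerts": [], "warnings": []}
    for cred in signing_credentials(sp):
        thumb = thumbprint_hex(cred)
        entry = {
            "keyId": cred.get("keyId"),
            "displayName": cred.get("displayName"),
            "thumbprint": thumb,
            "entraNamed": cred.get("displayName") == ENTRA_SIGNING_CERT_NAME,
            "isPreferred": bool(preferred) and thumb == preferred,
        }
        report["signingCerts"].append(entry)
        # A same-named import passes this check; the audit log is the real evidence.
        if entry["isPreferred"] and not entry["entraNamed"]:
            report["warnings"].append(("PREFERRED_CERT_NOT_ENTRA_NAMED", thumb))
    if not report["signingCerts"]:
        report["warnings"].append(("NO_SIGNING_CERT", None))
    elif preferred and not any(c["isPreferred"] for c in report["signingCerts"]):
        report["warnings"].append(("PREFERRED_THUMBPRINT_UNKNOWN", preferred))
    if len(report["signingCerts"]) > 1:
        report["warnings"].append(("MULTIPLE_SIGNING_CERTS", len(report["signingCerts"])))
    return report


def fetch_service_principal(object_id, access_token):
    """Live lookup; needs a Graph token that can read applications (Application.Read.All)."""
    req = urllib.request.Request(GRAPH_SP_URL.format(object_id),
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    sp = fetch_service_principal(os.environ["SP_OBJECT_ID"], token) if token else SAMPLE_SP
    print(json.dumps(audit_service_principal(sp), indent=2))
```

Run it without GRAPH_TOKEN to see the constructed case: the preferred key is an imported certificate, so the report carries PREFERRED_CERT_NOT_ENTRA_NAMED and, because the Entra-generated certificate is still attached, MULTIPLE_SIGNING_CERTS. Treat the name check as triage only; a certificate imported under the Microsoft name produces a clean report and is only caught by the audit-log correlation described in the next section.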
Detecting Silver SAML
Organizations can monitor the Entra ID audit logs for changes to PreferredTokenSigningKeyThumbprint under the ApplicationManagement category and correlate them with the "Add service principal credential" events for the same service principal. Because rotating expired certificates is routine, you will need to decide whether a given pair of events is legitimate; a change control process that documents each planned rotation (who performs it, when, and which thumbprint becomes active) makes that triage much easier.
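The script below is an added example for this page, not code from the Silver SAML Forger project. It walks a list of directoryAudit records in the shape that GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits returns, pairs each PreferredTokenSigningKeyThumbprint change with the "Add service principal credential" events that preceded it on the same service principal inside a lookback window, and marks the change as an approved rotation only when change control recorded that thumbprint. SAMPLE_EVENTS and APPROVED_ROTATIONS are constructed; the "Update service principal" activity name and the JSON-string encoding of oldValue/newValue are assumptions about what Entra ID emits.

```python
"""Correlate Entra ID audit-log events around a SAML signing-key change.

Added example, not part of the Silver SAML Forger project. Event shapes follow
the Graph directoryAudit resource; the sample events are constructed.
"""
import json
from datetime import datetime, timedelta

CATEGORY = "ApplicationManagement"
THUMBPRINT_PROPERTY = "PreferredTokenSigningKeyThumbprint"
ADD_CREDENTIAL = "Add service principal credential"
UPDATE_SP = "Update service principal"  # assumed activity name for the thumbprint change

SP_LEGIT = "11111111-2222-3333-4444-555555555555"
SP_SUSPECT = "99999999-8888-7777-6666-555555555555"
OLD_THUMB = "0102030405060708090A0B0C0D0E0F1011121314"
NEW_LEGIT = "CAFEBABE" * 5
NEW_SUSPECT = "DEADBEEF" * 5


def _event(ts, activity, actor, sp_id, sp_name, props):
    """Build one constructed directoryAudit record."""
    return {"activityDateTime": ts, "category": CATEGORY, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"id": sp_id, "displayName": sp_name,
                                 "type": "ServicePrincipal", "modifiedProperties": props}]}


def _prop(name, old, new):
    # Assumption: modifiedProperties carry old/new values as JSON-encoded strings.
    return {"displayName": name, "oldValue": json.dumps(old), "newValue": json.dumps(new)}


SAMPLE_EVENTS = [
    # Planned rotation: certificate uploaded, switched to two days later, ticketed.
    _event("2024-03-01T09:00:00Z", ADD_CREDENTIAL, "admin@contoso.com", SP_LEGIT,
           "Contoso SAML App", [_prop("KeyDescription", None, "contoso-sso-2024.pfx")]),
    _event("2024-03-03T09:05:00Z", UPDATE_SP, "admin@contoso.com", SP_LEGIT,
           "Contoso SAML App", [_prop(THUMBPRINT_PROPERTY, OLD_THUMB, NEW_LEGIT)]),
    # Noise: a display-name change must not be reported.
    _event("2024-03-03T10:00:00Z", UPDATE_SP, "admin@contoso.com", SP_LEGIT,
           "Contoso SAML App", [_prop("DisplayName", "Contoso SAML App", "Contoso SSO")]),
    # Suspicious: credential added under the Microsoft name and activated minutes later.
    _event("2024-03-02T22:13:00Z", ADD_CREDENTIAL, "contractor@contoso.com", SP_SUSPECT,
           "Payroll SAML", [_prop("KeyDescription", None,
                                  "CN=Microsoft Azure Federated SSO Certificate")]),
    _event("2024-03-02T22:15:00Z", UPDATE_SP, "contractor@contoso.com", SP_SUSPECT,
           "Payroll SAML", [_prop(THUMBPRINT_PROPERTY, OLD_THUMB, NEW_SUSPECT)]),
]

# Change-control record: (service principal id, new thumbprint) pairs with a ticket.
APPROVED_ROTATIONS = {(SP_LEGIT, NEW_LEGIT)}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _actor(ev):
    who = ev.get("initiatedBy", {})
    return ((who.get("user") or {}).get("userPrincipalName")
            or (who.get("app") or {}).get("displayName") or "unknown")


def _decode(value):
    try:
        return json.loads(value) if value is not None else None
    except ValueError:
        return value


def thumbprint_changes(events):
    """Yield (event, target, old, new) for every preferred signing-key change."""
    for ev in events:
        if ev.get("category") != CATEGORY:
            continue
        for target in ev.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") == THUMBPRINT_PROPERTY:
                    yield ev, target, _decode(prop.get("oldValue")), _decode(prop.get("newValue"))


def correlate(events, approved, window=timedelta(days=7)):
    """One alert per signing-key change, enriched with the credential adds before it."""
    alerts = []
    for ev, target, old, new in thumbprint_changes(events):
        sp_id, changed_at = target["id"], _ts(ev["activityDateTime"])
        adds = [a for a in events
                if a.get("activityDisplayName") == ADD_CREDENTIAL
                and any(t.get("id") == sp_id for t in a.get("targetResources", []))
                and changed_at - window <= _ts(a["activityDateTime"]) <= changed_at]
        new_hex = (new or "").upper()
        alerts.append({
            "servicePrincipal": sp_id, "displayName": target.get("displayName"),
            "changedAt": changed_at.isoformat(), "changedBy": _actor(ev),
            "oldThumbprint": old, "newThumbprint": new_hex,
            "credentialAdds": [{"at": a["activityDateTime"], "by": _actor(a)} for a in adds],
            "status": ("APPROVED_ROTATION" if (sp_id, new_hex) in approved
                       else "UNAPPROVED_KEY_CHANGE"),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, APPROVED_ROTATIONS):
        print(json.dumps(alert, indent=2))
```

Every thumbprint change produces an alert, so the routine rotation on SP_LEGIT is still reported, but with status APPROVED_ROTATION because the change-control set contains its new thumbprint; the Payroll change is UNAPPROVED_KEY_CHANGE and its credentialAdds entry shows the same account adding a certificate two minutes earlier, which is the pattern to escalate. The lookback window is a tunable; a key uploaded weeks before activation needs a longer one.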