THE article discusses the 'Ghost' in the Database, particularly focusing on the vulnerabilities associated with Active Directory Federation Services (ADFS) signing keys through Machine DPAPI. It highlights how threat actors can exploit old certificates, known as 'ghost certificates', which remain in the configuration after manual certificate rotation, potentially exposing the active signing keys used for SAML assertions.
The authors emphasize the security implications of this configuration drift, detailing how attackers can obtain valid SAML assertions without user credentials or multi-factor authentication. Technical insights reveal the extraction methods and underline the need for robust visibility and monitoring. To mitigate risks, it is recommended to implement hardware-backed key protection, enforce strict administrative controls, and ensure that any manual certificate management includes validation across multiple sources.