Az - Persistence
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
By default, any user can register an application in Azure AD. So you can register an application (only for the target tenant) that requests high-impact permissions requiring admin consent (and approve it yourself if you are the admin), such as sending mail on a user's behalf, role management, etc. This will allow us to execute phishing attacks that would be very fruitful in case of success.
Moreover, you could also accept that application with your user as a way to maintain access over it.
With privileges of Application Administrator, GA or a custom role with microsoft.directory/applications/credentials/update permissions, we can add credentials (secret or certificate) to an existing application.
It's possible to target an application with high permissions or add a new application with high permissions.
An interesting role to add to the application would be the Privileged Authentication Administrator role, as it allows resetting the password of Global Administrators.
This technique also allows bypassing MFA.
For certificate-based authentication
With DA privileges on on-prem AD, it is possible to create and import new Token Signing and Token Decrypt certificates that have a very long validity. This will allow us to log in as any user whose ImmutableID we know.
Run the below command as DA on the ADFS server(s) to create new certs (default password 'AADInternals'), add them to ADFS, disable auto rollover and restart the service:
Then, update the certificate information with Azure AD:
With GA privileges on a tenant, it's possible to add a new domain (which must be verified), set its authentication type to Federated, and configure the domain to trust a specific certificate (any.sts in the below command) and issuer: