Az - Persistence
Illicit Consent Grant
By default, any user can register an application in Azure AD. So you can register an application (only for the target tenant) that needs high impact permissions with admin consent (an approve it if you are the admin) - like sending mail on a user's behalf, role management etc.T his will allow us to execute phishing attacks that would be very fruitful in case of success.
Moreover, you could also accept that application with your user as a way to maintain access over it.
Applications and Service Principals
With privileges of Application Administrator, GA or a custom role with microsoft.directory/applications/credentials/update permissions, we can add credentials (secret or certificate) to an existing application.
It's possible to target an application with high permissions or add a new application with high permissions.
An interesting role to add to the application would be Privileged authentication administrator role as it allows to reset password of Global Administrators.
This technique also allows to bypass MFA.
For certificate based authentication
Federation - Token Signing Certificate
With DA privileges on on-prem AD, it is possible to create and import new Token signing and Token Decrypt certificates that have a very long validity. This will allow us to log-in as any user whose ImuutableID we know.
Run the below command as DA on the ADFS server(s) to create new certs (default password 'AADInternals'), add them to ADFS, disable auto rollver and restart the service:
Then, update the certificate information with Azure AD:
Federation - Trusted Domain
With GA privileges on a tenant, it's possible to add a new domain (must be verified), configure its authentication type to Federated and configure the domain to trust a specific certificate (any.sts in the below command) and issuer:
References
Last updated