Malicious Device Join
This technique allows to bypass Conditional Access Policies based on device ownership.
Since devices are identified with certificates created during the registration process, all we need is access to a user account that can register a new device that can be set up to use the user's PRT. There are 3 different Device Join types which change based on the characteristics of the the joined device:
- Registered: personal devices
- Joined: owned by an organization
- Hybrid Joined: owned by an organization but logons are controlled by an AD service account
To join a device with our compromised account we can use the following command which will generate the required certificate
PS /home/otter> Join-AADIntDeviceToAzureAD -DeviceName "Otter's Comptuter" -DeviceType "Windows" -OSVersion "10.0.19044.2364"
Now we can use this device to log in as the compromised user without having to worry about the Conditional Access Policy.