AAD Federated Backdoor
The gist of this persistence technique is creating a malicious domain inside a target tenant and using the newly-created domain to impersonate any user from the tenant in M365. This method requires a high-privilege account to be compromised (or gained) such as D...
Malicious MFA Takeover
This technique is pretty simple as it only consists of "backdooring" user accounts that don't have MFA set up; if an attacker controls one of these accounts, it's possible to register new devices under that user's account. A simple way to get the MFA status of ...
Service Principal Abuse
This persistence method consists of backdooring Azure applications, leveraging the permissions of an SP account to gain SSO access to the environment with the permissions of those applications without the need for credentials. The main benefits of attacking SP ac...
Compromising Azure Blobs and Storage Accounts
Storage Accounts are high-value targets in a tenant if an attacker is looking to exfiltrate sensitive data. What we'll focus on in this section is a common misconfiguration that exposes the access keys of the storage account itself, allowing an attacker to downloa...
Malicious Device Join
This technique allows bypassing Conditional Access Policies based on device ownership. Since devices are identified with certificates created during the registration process, all we need is access to a user account that can register a new device that can be se...
Disabling Auditing (Unified Audit Logs)
Azure's audit logs provide the vast majority of logging in the tenant and can easily be used to figure out what has been compromised and how the attack was carried out, but if we manage to compromise an account with the Compliance Administrator role we can disa...
Spoofing Azure Sign-In Logs
In hybrid environments, every attacker with local administrator access can spoof AAD Sign-In events, and every attacker with Global Administrator permissions can register fake agents to AAD. This technique can be used both to remove tracks and IOCs and to ...
Registering Fake Agents for Log Spoofing
We talked about spoofing AAD logon logs as an ADFS administrator in [[15 - Spoofing Azure Sign-In Logs]]; now we'll see how it's possible to do the same as a Global Administrator on the AAD side. As a Global Admin we can register our own AAD Connect Health agen...
Pass the PRT
This attack exploits devices with SSO enabled in hybrid Azure environments. PRTs can authenticate into any application, bypass MFA with the built-in MFA claim and satisfy every conditional access policy. This attack leverages the native presence of the Browser...
Pass the Cookie
If a user has an active logon session on Azure or M365, the browser stores a cookie called ESTSAUTH, which can be exposed or stolen from the browser cache, a memory dump of running processes, malicious browser extensions and the Chrome cookies file. The ...
Introduction to ADCS
ADCS is made of these main components. CA (Certification Authority): an entity that issues and manages certificates. There can be multiple CAs, organized in a hierarchy to add more layers of "movement" between the end user and the main CA. Certificate Templates:...
Abusing Managed Identities
Managed Identities are a type of Service Principal and are used by applications to obtain tokens for authentication without needing to manage credentials. We'll see how a misconfigured Managed Identity can allow an attacker to access resources in the same re...
Virtual Machine Abuse
This section is highly dependent on the Abusing Managed Identities module, so I recommend checking that out first and then coming back to this ʕ •ᴥ•ʔ The setup is the same, and the attack assumes you have compromised a Linux-based VM and can use it to execute comm...
Attacking Key Vaults
While owning users and devices in AAD environments, it's good practice to look out for permissions like Microsoft.KeyVault/vaults/read (read keys in a vault) and Microsoft.KeyVault/vaults/secrets/read (read the plaintext passwords in...
Analysing the first stages of a malware attack
It started with a URL. I recently stumbled upon the following curious URL: hxxps://rechnung-webmail.nizmo.cl/uw73oo29/?C96B33DB56A85F924D2C3C5E664D872DFA9A0EE4. The domain is now inactive, but at the time it ultimately redirected to hxxps://file.download.pelletq...
Child/Parent Trust Abuse
Whenever a child domain (child.domain.com) is added to a forest, the event automatically creates a transitive and bidirectional trust with the parent domain (domain.com). PS C:\users\otter\desktop> Get-ADTrust -Filter * | Direction : BiDirectional...
One-Way Inbound Trust Abuse
A one-way inbound trust looks like this: PS C:\users\otter\desktop> Get-DomainTrust | SourceName : trusteddomain.com | TargetName : trustingdomain.com | TrustType : WINDOWS_ACTIVE_DIRECTORY | TrustAttributes : | TrustDirection : Inbound | WhenCreated ...
One-Way Outbound Trust Abuse
We are dealing with a one-way outbound trust when trustingdomain.com trusts trusteddomain.com, so the users from the second domain are able to access the resources in the first one. Given that we have high-privilege access to trustingdomain.com, we are able to "...
Resources
SpecterOps: https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf | ESC13: https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53 | ESC14: https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9 | HTB ADCS: https://aca...
Bryan McNulty
Recovering Linux addict, Active Directory specialist, looking into cloud security 👀 Find me on Hack The Box, VulnLab, PwnedLabs, etc. CTF / Socials: Blog: https://bryanmcnulty.com | LinkedIn: https://www.linkedin.com/in/bryanmcnulty | GitHub: https://github.com/...