Skip to main content
Advanced Search
Search Terms
Content Type

Exact Matches
Tag Searches
Date Options
Updated after
Updated before
Created after
Created before

Search Results

83 total results found

AAD Federated Backdoor

Azure AD (AAD)

The gist of this persistence technique is creating a malicious domain inside a target tenant and use the newly-created domain to impersonate any user from the tenant in M365. This method requires a high-privilege account to be compromised (or gained) such as D...

AAD Persistence

Malicious MFA Takeover

Azure AD (AAD)

This technique is pretty simple as it only consists in "backdooring" user accounts that don't have MFA set up; if an attacker controls one of these accounts it's possible to register new devices under that user's account. A simple way to get the MFA status of ...

AAD Persistence

Service Principal Abuse

Azure AD (AAD)

This persistence method consists in backdooring Azure applications leveraging the permissions of a SP account to gain SSO access to the environment with the permissions of that applications without the need for credentials. The main benefits of attacking SP ac...

AAD Persistence

Compromising Azure Blobs and Storage Accounts

Azure AD (AAD)

Storage Accounts are high-value targets in a tenant if an attacker is looking to exfiltrate sensitive data. What we'll focus on in this section is a common misconfiguration that exposes access keys for the storage account itself allowing an attacker to downloa...

AAD Persistence

Malicious Device Join

Azure AD (AAD)

This technique allows to bypass Conditional Access Policies based on device ownership. Since devices are identified with certificates created during the registration process, all we need is access to a user account that can register a new device that can be se...

AAD Persistence

Disabling Auditing (Unified Audit Logs)

Azure AD (AAD)

Azure's audit logs provide the vast majority of logging in the tenant and can be easily used to figure out what has been compromised and how the attack was carried out but if we manage to compromise an account with the Compliance Administrator role we can disa...

AAD Defense Evasion

Spoofing Azure Sign-In Logs

Azure AD (AAD)

In hybrid environments, every attacker with local administrator access can spoof AAD Sign-In events and every attacker with Global Administrator permissions can register fake agents to AAD. This technique can both be used to remove tracks and IOCs but also to ...

AAD Defense Evasion

Registering Fake Agents for Log Spoofing

Azure AD (AAD)

We talked about Spoofing AAD Logon logs as a ADFS administrator in [[15 - Spoofing Azure Sign-In Logs]], now we'll see how it's possible to do the same as a Global Administrator on the AAD side. As a Global Admin we can register our own AAD Connect Health agen...

AAD Defense Evasion

Pass the PRT

Azure AD (AAD)

This attack exploits devices with SSO enabled in hybrid Azure environments. PRTs can authenticate into any application, bypass MFA with the built-in MFA claim and satisfy every conditional access policy. This attack leverages the native presence of the Browser...

AAD Lateral Movement

Pass the Cookie

Azure AD (AAD)

If a user has an active logon session on Azure or M365, the browser stores a cookie called ESTSAUTH cookie which can be exposed or stolen from the browser cache, a memory dump of running processes, malicious browser extensions and the Chrome cookies file. The ...

AAD Lateral Movement

Introduction to ADCS

Abusing Active Directory Certificate Se...

ADCS is made of these main components CA: Certification Authority, an entity that issues and manages certificates. There can be multiple CAs, organized in a hierarchy to add more layers of "movement" between the end user and the main CA Certificate Templates:...

Abusing Managed Identities

Azure AD (AAD)

Managed Identities are a type of Service Principal and they are used by applications to obtain tokens for authentication without need to manage credentials. We'll see how a misconfigured Managed Identity can allow an attacker to access resources in the same re...

AAD Lateral Movement

Virtual Machine Abuse

Azure AD (AAD)

This section is highly dependent on the Abusing Managed Identities module so i recommend checking that out first and then coming back to this ʕ •ᴥ•ʔ The setup is the same and the attack assumes you compromised a Linux-based VM and we can use it to execute comm...

AAD Lateral Movement

Attacking Key Vaults

Azure AD (AAD)

While owning users and devices in AAD environments, it's good practice to look out for permissions like Microsoft.KeyVault/vaults/read # read keys in a vault Microsoft.KeyVault/vaults/secrets/read # read the plaintext passwords in...

AAD Credential Theft

Analysing the first stages of a malware attack

Articles

It started with a URL I recently stumbled upon the following curious URL hxxps://rechnung-webmail.nizmo.cl/uw73oo29/?C96B33DB56A85F924D2C3C5E664D872DFA9A0EE4. The domain is now inactive, but at the time it ultimately redirected to hxxps://file.download.pelletq...

Child/Parent Trust Abuse

Domain Trust Abuse

Whenever a child domain (child.domain.com) is added to a forest, the event automatically creates a transitive and bidirectional trust with the parent domain (domain.com). PS C:\users\otter\desktop> Get-ADTrust -Filter * Direction : BiDirectional...

One-Way Inbound Trust Abuse

Domain Trust Abuse

A one-way inbound trusts looks like this PS C:\users\otter\desktop> Get-DomainTrust SourceName      : trusteddomain.com TargetName      : trustingdomain.com TrustType       : WINDOWS_ACTIVE_DIRECTORY TrustAttributes : TrustDirection  : Inbound WhenCreated   ...

One-Way Outbound Trust Abuse

Domain Trust Abuse

We are dealing with a one-way outbound trust when trustingdomain.com trusts trusteddomain.com so the users from the second domain are able to access the resources in the first one. Given that we have high-privilege access to trustingdomain.com we are able to "...

Ressources

Abusing Active Directory Certificate Se...

SpecterOps https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf ESC13 https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53 ESC14 https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9 HTB ADCS https://aca...

Bryan McNulty

The Team

Recovering Linux addict, Active Directory specialist, Looking into cloud security 👀 Find me on Hack The Box, VulnLab, PwnedLabs, etc. CTF / Socials Blog: https://bryanmcnulty.com LinkedIn: https://www.linkedin.com/in/bryanmcnulty GitHub: https://github.com/...