Azure AD - Persistence
Add Secrets to Application
- Add secrets with lutzenfried/OffensiveCloud/Add-AzADAppSecret.ps1
- Use secrets to authenticate as Service Principal
Add Service Principal
- Generate a new service principal password/secret
Add User to Group
PowerShell Profile Backdoor Using KFM
OneDrive for Business Known Folder Move (KFM) is a feature of Microsoft OneDrive for Business that lets users and organizations automatically redirect the contents of key Windows user folders (Desktop, Documents, and Pictures) from the local PC to OneDrive.
A PowerShell profile is a script file that loads whenever you start a new PowerShell session (such as opening PowerShell or Windows Terminal). Users and administrators often customize their profiles to set aliases, environment variables, functions, or pre-load modules.
Requirements:
- Files.ReadWrite.All privilege
Methodology:
Known Folder Move moves the user's Documents (and/or Desktop, Pictures) folder to OneDrive for Business, typically syncing:
This means the PowerShell profile file (Documents\PowerShell\Microsoft.PowerShell_profile.ps1) will now be synced to OneDrive.
Push a malicious PowerShell profile at $HOME\Documents\PowerShell\Microsoft.PowerShell_profile.ps1.
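As an added defensive check, not part of the original page: the script below lists the profile locations PowerShell will load on a Windows host, reports whether the Documents known folder (and each profile path) resolves under a OneDrive-synced root, and records a SHA256 and last-write time for each existing profile so a reviewer can spot one that appeared via sync. It assumes the OneDrive client has set $env:OneDrive and/or $env:OneDriveCommercial.

```powershell
# Added audit script (not from the original page). Assumes a Windows host
# where the OneDrive sync client sets $env:OneDrive / $env:OneDriveCommercial.
$oneDriveRoots = @($env:OneDrive, $env:OneDriveCommercial) | Where-Object { $_ }

# The Documents known folder follows KFM redirection, so this path shows
# whether profiles stored under Documents are being synced at all.
$documents = [Environment]::GetFolderPath('MyDocuments')
$docsInOneDrive = [bool]($oneDriveRoots | Where-Object { $documents -like "$_\*" })
Write-Host "Documents resolves to $documents (OneDrive-synced: $docsInOneDrive)"

# Standard profile locations for the current host, plus the user profiles of
# the sibling engine (PowerShell 7 and Windows PowerShell use different
# Documents subfolders, and a synced file lands in both engines' search paths).
$candidates = @(
    $PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost,
    $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost,
    (Join-Path $documents 'PowerShell\profile.ps1'),
    (Join-Path $documents 'PowerShell\Microsoft.PowerShell_profile.ps1'),
    (Join-Path $documents 'WindowsPowerShell\profile.ps1'),
    (Join-Path $documents 'WindowsPowerShell\Microsoft.PowerShell_profile.ps1')
) | Select-Object -Unique

foreach ($path in $candidates) {
    $inOneDrive = [bool]($oneDriveRoots | Where-Object { $path -like "$_\*" })
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $hash = $null; $written = $null
    if ($exists) {
        $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $written = (Get-Item -LiteralPath $path).LastWriteTimeUtc
    }
    # An existing profile under a synced root deserves a manual content review.
    [pscustomobject]@{
        Path         = $path
        Exists       = $exists
        InOneDrive   = $inOneDrive
        SHA256       = $hash
        LastWriteUtc = $written
    }
}
```

Pipe the output to Format-Table or Export-Csv and compare hashes against a known-good baseline across hosts.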