Threat Feed
critical advisory

Detection of ConvertTo-AADIntBackdoor Execution via PowerShell

This brief outlines the detection of ConvertTo-AADIntBackdoor command execution via PowerShell Script Block Logging. The command is used to create a backdoor in federated Azure AD domains by modifying the federation settings so that the attacker controls the authentication process.

The ConvertTo-AADIntBackdoor command is a component of the AADInternals toolkit, designed for security testing and administrative functions within Azure Active Directory (Azure AD) environments. When executed, this command manipulates the federation settings of a domain, adding or altering the federation configuration to grant attackers control over the authentication procedure. This allows for the forging of security tokens, enabling impersonation of any user within the Azure AD tenant. Such manipulation allows attackers to bypass Multi-Factor Authentication (MFA), escalate privileges, and establish persistent access to the Azure AD environment. Defenders should monitor PowerShell Script Block Logging for this activity, as it poses a significant risk to Azure AD environments.

Attack Chain

  1. Attacker gains initial access to a system with privileges to execute PowerShell scripts.
  2. Attacker executes a PowerShell script containing the ConvertTo-AADIntBackdoor command.
  3. The ConvertTo-AADIntBackdoor command modifies the federation settings of an Azure AD domain.
  4. The federation configuration is altered to allow the attacker to control the authentication process.
  5. The attacker can now create security tokens to impersonate any user within the Azure AD tenant.
  6. Multi-Factor Authentication (MFA) is bypassed using the forged security tokens.
  7. The attacker escalates privileges within the Azure AD environment.
  8. The attacker maintains persistent access to the Azure AD environment, potentially exfiltrating data or causing further damage.

Impact

Successful execution of the ConvertTo-AADIntBackdoor command allows attackers to gain persistent, unauthorized access to Azure AD environments, bypass MFA, and escalate privileges. This can lead to significant data breaches, service disruption, and reputational damage. The scope of impact is tenant-wide, potentially affecting all users and resources within the Azure AD environment.

Recommendation

  • Enable and monitor PowerShell Script Block Logging (Event ID 4104) to detect the execution of suspicious commands, as outlined in the overview.
  • Deploy the Sigma rule provided to detect the execution of ConvertTo-AADIntBackdoor in PowerShell scripts and tune for your environment.
  • Review and audit Azure AD federation settings regularly to identify any unauthorized modifications.
  • Implement strict access controls and monitoring for accounts with permissions to modify Azure AD federation settings.
  • Investigate any alerts generated by the provided Sigma rule, prioritizing incidents involving privileged accounts.

Detection coverage (2)

Detect ConvertTo-AADIntBackdoor Execution via PowerShell Script Block Logging

critical

Detects the execution of the ConvertTo-AADIntBackdoor command within PowerShell scripts, indicating a potential attempt to create a backdoor in Azure AD federation settings.

Sigma rule. Tactics: persistence, privilege_escalation. Techniques: T1071.001, T1078, T1212, T1482. Sources: process_creation, windows.

Detect PowerShell Script Block Logging with ConvertTo-AADIntBackdoor

critical

Detects instances of ConvertTo-AADIntBackdoor within PowerShell Script Block Logging (Event ID 4104), indicating potential backdoor creation attempts in Azure AD federation settings.

Sigma rule. Tactics: persistence, privilege_escalation. Techniques: T1071.001, T1078, T1212, T1482. Sources: process_creation, windows.
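The Event ID 4104 check described above, as an added example that is not part of this advisory or the platform's own rules. It assumes 4104 records exported as dictionaries with the standard ScriptBlockId, MessageNumber, MessageTotal and ScriptBlockText fields (the sample events are constructed, and the command arguments in them are illustrative), and it shows why fragments of one script block have to be reassembled before matching: PowerShell writes a long block as several 4104 events, and the split can land inside the command name.

```python
import re
from collections import defaultdict

# Constructed sample of Event ID 4104 records (only the fields the check needs).
# A script block that exceeds the log size limit is written as several 4104
# events sharing one ScriptBlockId, numbered MessageNumber of MessageTotal.
# Block "b2" is split mid-token on purpose, and its fragments arrive out of order.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "Backdoor -DomainName 'example.com'"},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Import-Module AADInternals\nConvertTo-AADInt"},
    {"EventID": 4104, "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "convertto-aadintbackdoor -DomainName 'example.com'"},
    # A non-4104 record (constructed) that the check must ignore.
    {"EventID": 4688, "CommandLine": "powershell.exe -File C:\\tmp\\x.ps1"},
]

# PowerShell command names are case-insensitive, so the indicator must be too.
INDICATOR = re.compile(r"convertto-aadintbackdoor", re.IGNORECASE)


def reassemble_script_blocks(events):
    """Group 4104 fragments by ScriptBlockId and join them in MessageNumber order."""
    fragments = defaultdict(dict)
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        fragments[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev.get("ScriptBlockText", "")
    return {sbid: "".join(parts[n] for n in sorted(parts)) for sbid, parts in fragments.items()}


def detect_aadint_backdoor(events):
    """Return the ScriptBlockIds whose reassembled text invokes ConvertTo-AADIntBackdoor."""
    blocks = reassemble_script_blocks(events)
    return sorted(sbid for sbid, text in blocks.items() if INDICATOR.search(text))


def detect_per_fragment(events):
    """Naive per-event match, for comparison: misses a name split across fragments."""
    return sorted({ev["ScriptBlockId"] for ev in events
                   if ev.get("EventID") == 4104 and INDICATOR.search(ev.get("ScriptBlockText", ""))})


if __name__ == "__main__":
    print("reassembled:", detect_aadint_backdoor(SAMPLE_EVENTS))   # ['b2', 'c3']
    print("per-fragment:", detect_per_fragment(SAMPLE_EVENTS))     # ['c3']
```

The per-fragment variant is what a rule that matches each 4104 event in isolation does; it misses block b2, which is why the check joins fragments by ScriptBlockId first.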
