{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/azure-ad/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["critical"],"_cs_tags":["azure-ad","backdoor","powershell","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe ConvertTo-AADIntBackdoor command is a component of the AADInternals toolkit, designed for security testing and administrative functions within Azure Active Directory (Azure AD) environments. When executed, this command manipulates the federation settings of a domain, adding or altering the federation configuration to grant attackers control over the authentication procedure. This allows for the forging of security tokens, enabling impersonation of any user within the Azure AD tenant. Such manipulation allows attackers to bypass Multi-Factor Authentication (MFA), escalate privileges, and establish persistent access to the Azure AD environment. Defenders should monitor PowerShell Script Block Logging for this activity, as it poses a significant risk to Azure AD environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a system with privileges to execute PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eAttacker executes a PowerShell script containing the \u003ccode\u003eConvertTo-AADIntBackdoor\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eConvertTo-AADIntBackdoor\u003c/code\u003e command modifies the federation settings of an Azure AD domain.\u003c/li\u003e\n\u003cli\u003eThe federation configuration is altered to allow the attacker to control the authentication process.\u003c/li\u003e\n\u003cli\u003eThe attacker can now create security tokens to impersonate any user within the Azure AD tenant.\u003c/li\u003e\n\u003cli\u003eMulti-Factor Authentication (MFA) is bypassed using the forged security tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the Azure AD environment.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the Azure AD environment, potentially exfiltrating data or causing further damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of the \u003ccode\u003eConvertTo-AADIntBackdoor\u003c/code\u003e command allows attackers to gain persistent, unauthorized access to Azure AD environments, bypass MFA, and escalate privileges. This can lead to significant data breaches, service disruption, and reputational damage. The scope of impact is tenant-wide, potentially affecting all users and resources within the Azure AD environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor PowerShell Script Block Logging (Event ID 4104) to detect the execution of suspicious commands, as outlined in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect the execution of \u003ccode\u003eConvertTo-AADIntBackdoor\u003c/code\u003e in PowerShell scripts and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview and audit Azure AD federation settings regularly to identify any unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for accounts with permissions to modify Azure AD federation settings.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the provided Sigma rule, prioritizing incidents involving privileged accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-aadintbackdoor/","summary":"This brief outlines the detection of the ConvertTo-AADIntBackdoor command execution via PowerShell Script Block Logging, a technique used to create a backdoor in federated Azure AD domains by modifying federation settings and allowing attackers to control the authentication process.","title":"Detection of ConvertTo-AADIntBackdoor Execution via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-aadintbackdoor/"}],"language":"en","title":"CraftedSignal Threat Feed — Azure-Ad","version":"https://jsonfeed.org/version/1.1"}