Malicious Device Join

This technique allows to bypass Conditional Access Policies based on device ownership.

Since devices are identified with certificates created during the registration process, all we need is access to a user account that can register a new device that can be set up to use the user's PRT. There are 3 different Device Join types which change based on the characteristics of the the joined device:

Registered: personal devices
Joined: owned by an organization
Hybrid Joined: owned by an organization but logons are controlled by an AD service account

To join a device with our compromised account we can use the following command which will generate the required certificate

PS /home/otter> Join-AADIntDeviceToAzureAD -DeviceName "Otter's Comptuter" -DeviceType "Windows" -OSVersion "10.0.19044.2364"

Now we can use this device to log in as the compromised user without having to worry about the Conditional Access Policy.

PreviousCompromising Azure Blobs and Storage Accounts NextDisabling Auditing (Unified Audit Logs)

Last updated 4 months ago