Backdooring and Hijacking Azure AD Accounts by Abusing External Identities

Presented at Black Hat USA 2022, Aug. 10, 2022, 3:20 p.m. (40 minutes)

External identities are a concept in Azure Active Directory which makes it possible to collaborate with users outside of an organization. These external users, often called guest users, can be granted permissions to certain resources and work together with users within the organization. The identities of these users are managed in a different Azure AD tenant, or are unmanaged accounts outside of Azure AD.

This talk explains how these external identities work in Azure AD and how concepts such as B2B collaboration are facilitated. During the research for this talk, several flaws in the implementation were identified that create novel ways to backdoor and hijack Azure AD accounts from a regular user account. Ways were also identified to exploit these external identity links to elevate privileges and to bypass Multi-Factor Authentication and Conditional Access policies. All of these attacks were possible in the default configuration of Azure AD.

This talk will give insight into the external identities concepts, into the technicalities that allowed these attacks to exist, and into ways to harden against these attacks and detect abuse of these vulnerabilities.

Presenters:

  • Dirk-jan Mollema - Security Researcher, Outsider Security
    Dirk-jan Mollema is a hacker and researcher of Active Directory and Azure AD at Outsider Security. Amongst the open-source tools published to advance the state of (Azure) AD research are aclpwn, krbrelayx, mitm6 and the Azure AD ROADtools framework. He blogs at dirkjanm.io, where he publishes about new Active Directory attack chains, which included the discovery of the PrivExchange vulnerability. He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat and was part of the MSRC most valuable researchers 2018 to 2020 through his Azure AD research.
