Known Federated Domain Backdoor

A Microsoft Entra tenant can federate with an external domain to establish trust with another domain for authentication and authorization. Organizations use federation to delegate authentication for Active Directory users to their on-premises Active Directory Federation Services (AD FS). (Note: the external domain is not an Active Directory "domain".) However, if malicious actors gain elevated privileges in Microsoft Entra ID, they can abuse this federation mechanism to create a backdoor by adding their own federated domain or editing an existing one to add a secondary configuration with their own settings. This attack would enable the following actions:

• Impersonation: The malicious federated domain can generate tokens to allow an attacker to authenticate as any Microsoft Entra user without knowing or resetting their password. This includes "cloud-only" users (not hybrid) and external users. This allows attacks on Microsoft Entra ID, Microsoft 365 (O365), and other applications that rely on Microsoft Entra ID as an Identity Provider (SSO), even if you enforce MFA (see below).
• Privilege escalation: The attacker can impersonate any user, particularly privileged Microsoft Entra users.
• Multi-Factor Authentication bypass: With federated authentication, the trusted external domain takes on the role of enforcing MFA. The malicious federated domain can then falsely assert that the spoofed authentication used MFA, which Microsoft Entra ID trusts and does not prompt again for MFA. This allows the attacker to impersonate all users even if there is MFA protection.
• Persistence: Adding a malicious federated domain is a stealth technique that allows attackers who compromised the Microsoft Entra tenant and appropriated high privileges to regain access later.

This Indicator of Exposure detects federated domain backdoors that the AADInternals hacking toolkit creates, in particular the ConvertTo-AADIntBackdoor and New-AADIntBackdoor cmdlets, based on certain characteristics of the backdoor domain it created or converted.

Also, refer to the related Indicator of Exposure "Federation Signing Certificates Mismatch".

The federation protocol used to transmit the authentication proof from the malicious federated domain to the targeted Microsoft Entra ID can be either WS-Federation or SAML. When using SAML, the attack resembles a "Golden SAML" attack, with these key differences:

• Instead of stealing the legitimate SAML signing key of an existing federation, the attackers inject their new domain with their own key.
• Attackers present the forged token to the federation service to gain unauthorized access to multiple systems, rather than presenting it to a specific service.

The microsoft.directory/domains/allProperties/allTasks and microsoft.directory/domains/federation/update permissions grants administrators the ability to modify the federated domains. As of November 2023, the following built-in Microsoft Entra roles hold this permission in addition to potential custom roles:

• "Domain Name Administrator"
• "External Identity Provider Administrator"
• "Hybrid Identity Administrator"
• "Global Administrator"
• "Partner Tier2 Support"
• "Security Administrator"

The APT29 threat group abused this method in the infamous December 2020 attack against SolarWinds called "Solorigate", as documented by Microsoft and by Mandiant.

This finding indicates a potential backdoor from an attacker. Initiate an incident response procedure with a forensic analysis in order to confirm the alleged attack, identify the origin and time of the attack, and assess the extent of the possible intrusion.

To view the list of federated domains in the Azure portal, navigate to the "Custom domain names" blade and look for those with a checkmark in the "Federated" column. The name of the potentially malicious domain matches the one flagged in the finding. However, unlike the MS Graph API, the Azure portal does not display the federation technical details.

Use PowerShell cmdlets from MS Graph API to list the domains with Get-MgDomain and their federation configuration with Get-MgDomainFederationConfiguration`, as follows:

Connect-MgGraph -Scopes "Domain.Read.All"
Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq "Federated" } | ForEach-Object { $_ ; Get-MgDomainFederationConfiguration -DomainId $_.Id }

After saving evidence for forensic analysis:

• If the domain is illegitimate, remove it using Remove-MgDomain.
• If the domain is legitimate, but the federation configuration is malicious, remove the federation configuration using Remove-MgDomainFederationConfiguration.

You can follow this remediation guide from Microsoft "Emergency rotation of the AD FS certificates".

To confirm the operation, ensure that the reported finding from this Indicator of Exposure has cleared.

Additionally, it is important to anticipate that the attacker may have set up other persistence mechanisms such as backdoors. Seek assistance from incident response experts to help identify and eliminate these additional threats.

Note that this type of attack abuses federation which is a normal and legitimate feature of Microsoft Entra ID. To prevent future attacks, limit the number of administrators who can modify federation settings. This is a proactive measure since an attacker must have high privileges to create such a backdoor. Check the vulnerability description for specific permissions and a list of roles.

Name: Known Federated Domain Backdoor

Codename: KNOWN-FEDERATED-DOMAIN-BACKDOOR

Severity: Critical