LoFP / certain administrative or security testing activities in azure ad environments may use convertto-aadintbackdoor for legitimate federation configuration changes. review and allow such actions from trusted administrators and approved tools.

Techniques

• T1071.001
• T1078
• T1212
• T1482

Sample rules

Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script

• source: splunk
• technicques:
  • T1482
  • T1078
  • T1212
  • T1071.001

Description

This analytic detects the execution of the ConvertTo-AADIntBackdoor command via PowerShell Script Block Logging. The ConvertTo-AADIntBackdoor command is part of the AADInternals toolkit, which is used primarily for security testing and administrative tasks in Azure Active Directory (Azure AD) environments. This particular command is designed to create a “backdoor” in a federated Azure AD domain. When executed, ConvertTo-AADIntBackdoor modifies the federation settings of a domain by adding or changing the federation configuration to allow an attacker to control the authentication process. This manipulation enables the creation of security tokens that can impersonate any user within the Azure AD tenant. Consequently, this allows an attacker to bypass Multi-Factor Authentication (MFA), escalate privileges, and maintain persistent access to the Azure AD environment.

Detection logic

`powershell`
EventID="4104"
ScriptBlockText="*ConvertTo-AADIntBackdoor*"

| fillnull

| stats count min(_time) as firstTime
              max(_time) as lastTime
  by Computer EventID ScriptBlockText signature signature_id user_id vendor_product Guid
     Opcode Name Path ProcessID ScriptBlockId


| rename Computer as dest

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_convertto_aadintbackdoor_execution_via_powershell_script_filter`