How to Backdoor Azure Applications and Abuse Service Principals
If an attacker gains access to an Azure tenant with sufficient permissions, they can add a “secret” or a “certificate” to an application. That credential gives the attacker single-factor access to Azure, which lets them persist within the client environment. Further, each application that exists within an Azure tenant has a service principal automatically created and assigned to it; this happens every time an application is registered in the Azure portal. A service principal is, in essence, an identity used by applications and tools to access resources and perform automated actions. Attackers want to target service principals because:

- service accounts and service principals do not have MFA
- attackers can log into Azure using a service principal account
- these accounts exist for every application in Azure (most companies have several)
- these accounts cannot be controlled through conditional access

This blog post is going to show you how to create / register an application within an Az
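Because an added secret or certificate is the persistence mechanism described above, the defender's counterpart is a regular inventory of every credential attached to every app registration. The script below is an added example, not code from the original post: it reads a Microsoft Graph style export of the `/applications` collection (the `passwordCredentials` and `keyCredentials` property names are Graph's; the sample export, app names, key IDs and dates are constructed for this example) and flags credentials that look like backdoors: added within the last few days, unusually long-lived, or lacking a descriptive name. The thresholds are assumptions to tune per tenant.

```python
"""Inventory credentials on Azure AD app registrations and flag likely backdoors.

Input is a JSON document shaped like the Microsoft Graph GET /applications
response. Only the standard library is used, so it runs offline on an export.
"""
import json
from datetime import datetime, timezone

# Constructed sample export: three app registrations. "HR Portal" has one
# normal secret, "Backup Automation" has an old certificate plus a secret that
# was added two days before REFERENCE_NOW with a ten-year lifetime and no name,
# "Finance API" has no credentials at all. The appId values are placeholders.
SAMPLE_EXPORT = json.dumps({
    "value": [
        {
            "displayName": "HR Portal",
            "appId": "00000000-0000-0000-0000-000000000001",
            "passwordCredentials": [
                {"keyId": "a1", "displayName": "rotated-2023",
                 "startDateTime": "2023-06-01T00:00:00Z",
                 "endDateTime": "2024-12-01T00:00:00Z"},
            ],
            "keyCredentials": [],
        },
        {
            "displayName": "Backup Automation",
            "appId": "00000000-0000-0000-0000-000000000002",
            "passwordCredentials": [
                {"keyId": "b2", "displayName": None,
                 "startDateTime": "2024-05-30T00:00:00Z",
                 "endDateTime": "2034-05-30T00:00:00Z"},
            ],
            "keyCredentials": [
                {"keyId": "b1", "displayName": "CN=backup-signing",
                 "type": "AsymmetricX509Cert", "usage": "Verify",
                 "startDateTime": "2022-01-01T00:00:00Z",
                 "endDateTime": "2024-01-01T00:00:00Z"},
            ],
        },
        {
            "displayName": "Finance API",
            "appId": "00000000-0000-0000-0000-000000000003",
            "passwordCredentials": [],
            "keyCredentials": [],
        },
    ]
})

# Fixed "current time" so the example is reproducible (an assumption for the demo).
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_time(value):
    # Graph emits ISO 8601 timestamps with a trailing Z; fromisoformat wants an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inventory_credentials(export_json):
    """Flatten every secret and certificate into one record per credential."""
    records = []
    for app in json.loads(export_json)["value"]:
        for kind, field in (("secret", "passwordCredentials"),
                            ("certificate", "keyCredentials")):
            for cred in app.get(field) or []:
                records.append({
                    "app": app["displayName"],
                    "app_id": app["appId"],
                    "kind": kind,
                    "key_id": cred["keyId"],
                    "name": cred.get("displayName"),
                    "start": _parse_time(cred["startDateTime"]),
                    "end": _parse_time(cred["endDateTime"]),
                })
    return records


def flag_suspicious(records, now, recent_days=7, max_lifetime_days=730):
    """Return the records that match at least one review trigger, with reasons."""
    findings = []
    for rec in records:
        reasons = []
        if (now - rec["start"]).days <= recent_days:
            reasons.append("added within %d days" % recent_days)
        if (rec["end"] - rec["start"]).days > max_lifetime_days:
            reasons.append("lifetime exceeds %d days" % max_lifetime_days)
        if not rec["name"]:
            reasons.append("no display name")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(inventory_credentials(SAMPLE_EXPORT), REFERENCE_NOW):
        print("%s (%s) %s %s: %s" % (f["app"], f["app_id"], f["kind"],
                                     f["key_id"], "; ".join(f["reasons"])))
```

Running it prints one line, for the unnamed ten-year secret on "Backup Automation". In practice the export comes from a scheduled Graph query and the findings are correlated with the directory audit log to confirm who added the credential and whether a change ticket exists.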