Az - Dynamic Groups Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

Dynamic groups are groups that has a set of rules configured and all the users or devices that match the rules are added to the group. Every time a user or device attribute is changed, dynamic rules are rechecked. And when a new rule is created all devices and users are checked.

Dynamic groups can have Azure RBAC roles assigned to them, but it's not possible to add AzureAD roles to dynamic groups.

This feature requires Azure AD premium P1 license.

Privesc

Note that by default any user can invite guests in Azure AD, so, If a dynamic group rule gives permissions to users based on attributes that can be set in a new guest, it's possible to create a guest with this attributes and escalate privileges. It's also possible for a guest to manage his own profile and change these attributes.

Get groups that allow Dynamic membership: Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}

Example

Rule example: (user.otherMails -any (_ -contains "tester")) -and (user.userType -eq "guest")
Rule description: Any Guest user with a secondary email with the string 'tester' will be added to the group

Go to Azure Active Directory -> Users and click on Want to switch back to the legacy users list experience? Click here to leave the preview
Click on New guest user and invite an email
The user's profile will be added to the Azure AD as soon as the invite is sent. Open the user's profile and click on (manage) under Invitation accepted.
Change Resend invite? to Yes and you will get an invitation URL:
Copy the URL and open it, login as the invited user and accept the invitation

Login in the cli as the user and set the secondary email

# Login
$password = ConvertTo-SecureString 'password' - AsPlainText -Force
$creds = New-Object
System.Management.Automation.PSCredential('externaltester@somedomain.onmicrosoft.com', $Password)
Connect-AzureAD -Credential $creds -TenantId <tenant_id_of_attacked_domain>

# Chnage OtherMails setting
Set-AzureADUser -ObjectId <OBJECT-ID> -OtherMails <Username>@<TENANT_NAME>.onmicrosoft.com -Verbose

References

https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAz - Conditional Access Policies / MFA Bypass NextDigital Ocean Pentesting

Last updated 2 months ago