Abusing User Administrator Role
Just like in the Cloud Administrator section, we'll walk through a small attack scenario that starts with us compromising a User Administrator account.
Let's say there is a credential vault in a subscription we are not part of and we want to get to it. We'll reset the password of a user that has the User Access Administrator role on the resource group that contains the vault; then we can log in as this user and delegate all the permissions we need to the initially compromised account.
For demonstration's sake we have already identified the user account we want to target to gain access to the target resource group. In an actual scenario this can easily be done by consulting the AzureHound results.
To reset the user's password we can use the following Azure CLI command:
Now we can log in as secureuser
and access the subscription and delegate access to the vault
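Seen from the detection side, the chain above leaves two records: an admin-initiated password reset in the Entra ID audit log, followed by a role assignment write in the Azure Activity Log made by the account that was just reset. The correlation below is an added example, not part of the original page; the log records are constructed, the field names are simplified assumptions, and the activity names should be checked against your own tenant's logs.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names are simplified assumptions, not the
# raw export schema; map them to your Entra ID audit / Azure Activity Log fields.
AUDIT_LOG = [
    {"time": "2024-05-02T10:01:12Z", "activity": "Reset user password",
     "initiated_by": "helpdesk@contoso.example", "target": "secureuser@contoso.example"},
    {"time": "2024-05-02T11:30:00Z", "activity": "Reset user password",
     "initiated_by": "helpdesk@contoso.example", "target": "intern@contoso.example"},
]
ACTIVITY_LOG = [
    {"time": "2024-05-02T10:09:40Z", "operation": "Microsoft.Authorization/roleAssignments/write",
     "caller": "secureuser@contoso.example",
     "scope": "/subscriptions/<sub-id>/resourceGroups/<rg-name>"},
    {"time": "2024-05-02T12:00:00Z", "operation": "Microsoft.Authorization/roleAssignments/write",
     "caller": "owner@contoso.example",
     "scope": "/subscriptions/<sub-id>/resourceGroups/<rg-name>"},
]

# Audit activity names for admin-driven resets (verify against your tenant).
RESET_ACTIVITIES = {"Reset user password", "Reset password (by admin)"}
ROLE_WRITE = "microsoft.authorization/roleassignments/write"

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_reset_then_grant(audit, activity, window=timedelta(hours=24)):
    """Return (reset, grant) pairs where an account whose password was reset
    by someone else creates a role assignment within `window` of the reset."""
    hits = []
    for reset in audit:
        if reset["activity"] not in RESET_ACTIVITIES:
            continue
        target = reset["target"].lower()
        if reset["initiated_by"].lower() == target:
            continue  # user changed their own password, not an admin reset
        reset_at = _ts(reset["time"])
        for grant in activity:
            if grant["operation"].lower() != ROLE_WRITE:
                continue
            delta = _ts(grant["time"]) - reset_at
            if grant["caller"].lower() == target and timedelta(0) <= delta <= window:
                hits.append((reset, grant))
    return hits

if __name__ == "__main__":
    for reset, grant in find_reset_then_grant(AUDIT_LOG, ACTIVITY_LOG):
        print(f"{reset['initiated_by']} reset {reset['target']} at {reset['time']}; "
              f"{grant['caller']} wrote a role assignment on {grant['scope']} at {grant['time']}")
```

Legitimate helpdesk resets will also match the first half of the pattern, so the pairing with a role assignment write by the same account is what makes the alert worth triaging.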