Get-CKAzADGroups

Metadata

platform

Azure

contributors

Roberto Rodriguez @Cyb3rWard0g,MSTIC R&D

creation date

2021-08-22

modification date

2021-09-08

Tactics

TA0007

Techniques

T1069.003

Description

A threat actor might want to list all the groups in an organization, including but not limited to Microsoft 365 groups.

Run Simulation

Get OAuth Access Token

from msal import PublicClientApplication
import requests
import time

public_client_app_id = "KATANA_CLIENT_APP_ID"
tenant_id = "TENANT_ID"
function_app_url = "https://FUNCTION_APP_NAME.azurewebsites.net"
scope = function_app_url + "/user_impersonation"

app = PublicClientApplication(
    public_client_app_id,
    authority="https://login.microsoftonline.com/" + tenant_id
)
result = app.acquire_token_interactive(scopes=[scope])
bearer_token = result['access_token']

Set Azure Function Orchestrator

endpoint = function_app_url + "/api/orchestrators/Orchestrator"

Prepare HTTP Body

data = [{'activityFunction': 'Azure', 'type': 'action', 'action': 'Get-CKAzADGroups', 'parameters': {'selectFields': 'ENTER-VALUE', 'filter': 'ENTER-VALUE', 'pageSize': 'ENTER-VALUE'}}]

Send HTTP Request

http_headers = {'Authorization': 'Bearer ' + bearer_token, 'Accept': 'application/json','Content-Type': 'application/json'}
results = requests.get(endpoint, json=data, headers=http_headers, stream=False).json()

time.sleep(5)

Explore Output

query_status = requests.get(results['statusQueryGetUri'], headers=http_headers, stream=False).json()
query_results = query_status['output']
query_results