Contents

New-CKAzADServicePrincipal

Metadata

platform

Azure

contributors

Roberto Rodriguez @Cyb3rWard0g,MSTIC R&D

creation date

2021-08-05

modification date

2021-09-08

Tactics

TA0003

Techniques

T1136.003

Description

A threat actor might want to create a service principal for an existing Azure AD application.

Run Simulation

Get OAuth Access Token

from msal import PublicClientApplication
import requests
import time

public_client_app_id = "KATANA_CLIENT_APP_ID"
tenant_id = "TENANT_ID"
function_app_url = "https://FUNCTION_APP_NAME.azurewebsites.net"
scope = function_app_url + "/user_impersonation"

app = PublicClientApplication(
    public_client_app_id,
    authority="https://login.microsoftonline.com/" + tenant_id
)
result = app.acquire_token_interactive(scopes=[scope])
bearer_token = result['access_token']

Set Azure Function Orchestrator

endpoint = function_app_url + "/api/orchestrators/Orchestrator"

Prepare HTTP Body

data = [{'activityFunction': 'Azure', 'type': 'action', 'action': 'New-CKAzADServicePrincipal', 'parameters': {'appId': 'ENTER-VALUE'}}]

Send HTTP Request

http_headers = {'Authorization': 'Bearer ' + bearer_token, 'Accept': 'application/json','Content-Type': 'application/json'}
results = requests.get(endpoint, json=data, headers=http_headers, stream=False).json()

time.sleep(5)

Explore Output

query_status = requests.get(results['statusQueryGetUri'], headers=http_headers, stream=False).json()
query_results = query_status['output']
query_results
New-CKAzADApplication Update-CKAzADAppReqRscAccess