Get Azure AD Directory Roles
Metadata
platform: Azure
contributors: Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D
creation date: 2021-08-22
modification date: 2021-09-08
Tactics:
Techniques:
Description
A threat actor might want to list the directory roles that are activated in the tenant via Microsoft Graph APIs, given the right permissions. This operation only returns roles that have been activated. A role becomes activated when an admin activates it using the Activate directoryRole API; not all built-in roles are initially activated.
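The same Graph query a defender can run to baseline the tenant: the added example below (not Cloud Katana code, written for this page) lists activated directory roles from /directoryRoles with paging, and diffs the result against a previous snapshot so newly activated privileged roles surface first. The `fetch` parameter, the privileged-role name set and the sample response are assumptions made for the example.

```python
import json
import urllib.request

GRAPH_ROLES_URL = "https://graph.microsoft.com/v1.0/directoryRoles"

# Built-in roles worth an alert when they show up as newly activated. Matching on
# displayName keeps the example readable; roleTemplateId is the stable key and is
# carried along in the summary for that purpose.
PRIVILEGED_ROLE_NAMES = {"Global Administrator", "Privileged Role Administrator",
                         "Application Administrator", "Security Administrator"}

def list_directory_roles(bearer_token, fetch=None):
    """GET /directoryRoles, following @odata.nextLink so no page is missed.
    The token must carry Directory.Read.All (or broader) for Microsoft Graph.
    `fetch(url, headers)` is a hypothetical injectable so paging can run offline."""
    headers = {"Authorization": "Bearer " + bearer_token, "Accept": "application/json"}
    if fetch is None:
        def fetch(url, hdrs):
            req = urllib.request.Request(url, headers=hdrs)
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
    url, roles = GRAPH_ROLES_URL, []
    while url:
        body = fetch(url, headers)
        roles.extend(body.get("value", []))
        url = body.get("@odata.nextLink")  # absent on the last page
    return roles

def summarize_activated_roles(roles):
    """Map each activated role name to its template id plus a privileged flag."""
    return {r["displayName"]: {"roleTemplateId": r.get("roleTemplateId"),
                               "privileged": r["displayName"] in PRIVILEGED_ROLE_NAMES}
            for r in roles}

def newly_activated(baseline_names, roles):
    """Role names activated since the baseline snapshot, privileged ones first."""
    current = summarize_activated_roles(roles)
    added = set(current) - set(baseline_names)
    return sorted(added, key=lambda n: (not current[n]["privileged"], n))

# Constructed sample in the shape of a /directoryRoles response (template ids are fake).
SAMPLE_RESPONSE = {"value": [
    {"displayName": "Global Administrator", "roleTemplateId": "aaaaaaaa-0000-0000-0000-000000000001"},
    {"displayName": "Directory Readers", "roleTemplateId": "aaaaaaaa-0000-0000-0000-000000000002"},
    {"displayName": "Privileged Role Administrator", "roleTemplateId": "aaaaaaaa-0000-0000-0000-000000000003"},
    {"displayName": "User Administrator", "roleTemplateId": "aaaaaaaa-0000-0000-0000-000000000004"},
]}
```

Feed the output of `list_directory_roles(bearer_token)` and the role names from the previous snapshot to `newly_activated` to get the delta; with the sample above and a baseline of Global Administrator and Directory Readers it returns Privileged Role Administrator before User Administrator.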
Run Simulation
Get OAuth Access Token
from msal import PublicClientApplication
import requests
import time

# Replace the placeholders with your Cloud Katana function app name, tenant id and
# the public client app id registered for Cloud Katana.
function_app_url = "https://FUNCTION_APP_NAME.azurewebsites.net"
tenant_id = "TENANT_ID"
public_client_app_id = "KATANA_CLIENT_APP_ID"
server_app_id_uri = "api://" + tenant_id + "/cloudkatana"
scope = server_app_id_uri + "/user_impersonation"

app = PublicClientApplication(
    public_client_app_id,
    authority="https://login.microsoftonline.com/" + tenant_id
)

# Interactive sign-in; MSAL returns an error dictionary instead of a token on failure.
result = app.acquire_token_interactive(scopes=[scope])
if "access_token" not in result:
    raise RuntimeError(result.get("error_description", result))
bearer_token = result["access_token"]
Set Azure Function Orchestrator
endpoint = function_app_url + "/api/orchestrators/Orchestrator"
Prepare HTTP Body
data = [{'RequestId': 'dac5b8fb-3ebe-476c-9e73-a6ce30e388da', 'name': 'Get Azure AD Directory Roles', 'metadata': {'creationDate': '2021-08-22', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to list the directory roles that are activated in the tenant via Microsoft Graph APIs and the right permissions. This operation only returns roles that have been activated. A role becomes activated when an admin activates the role using the Activate directoryRole API. Not all built-in roles are initially activated.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1069.003', 'tactics': ['TA0007']}]}, 'steps': [{'schema': 'atomic', 'id': 'd782c5cf-153c-4588-b153-dc54e35afa7f', 'name': 'Get Azure AD Directory Roles', 'metadata': {'creationDate': '2021-08-22', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to list the directory roles that are activated in the tenant via Microsoft Graph APIs and the right permissions. This operation only returns roles that have been activated. A role becomes activated when an admin activates the role using the Activate directoryRole API. Not all built-in roles are initially activated.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1069.003', 'tactics': ['TA0007']}]}, 'authorization': [{'resource': 'https://graph.microsoft.com/', 'permissionsType': 'application', 'permissions': ['Directory.Read.All']}], 'execution': {'type': 'ScriptModule', 'platform': 'Azure', 'executor': 'PowerShell', 'module': {'name': 'CloudKatanaAbilities', 'version': 1.0, 'function': 'Get-CKAzADDirectoryRoles'}}, 'file_name': 'get_azure_ad_directory_roles', 'number': 1}]}]
Send HTTP Request
http_headers = {'Authorization': 'Bearer ' + bearer_token, 'Accept': 'application/json', 'Content-Type': 'application/json'}
# The orchestrator is started with a POST; the response carries the Durable Functions status URIs.
results = requests.post(endpoint, json=data, headers=http_headers, stream=False).json()
# Give the orchestration time to run before reading its status.
time.sleep(30)
Explore Output
# If 'runtimeStatus' is still Pending or Running, query statusQueryGetUri again before reading 'output'.
query_status = requests.get(results['statusQueryGetUri'], headers=http_headers, stream=False).json()
query_results = query_status['output']
query_results