Grant Permission to Azure AD Application¶
Metadata¶
platform | Azure
contributors | Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D
creation date | 2021-08-05
modification date | 2021-08-09
Tactics | TA0003
Techniques | T1098
Description¶
A threat actor who already holds the right Microsoft Graph permissions might grant additional permissions (delegated or application) to an Azure AD application (service principal) through the Microsoft Graph API. In this simulation the step is executed by the Cloud Katana function app, which needs the `AppRoleAssignment.ReadWrite.All` and `DelegatedPermissionGrant.ReadWrite.All` application permissions on Microsoft Graph to do so.
Run Simulation¶
Get OAuth Access Token¶
```python
from msal import PublicClientApplication
import requests
import time

function_app_url = "https://FUNCTION_APP_NAME.azurewebsites.net"
tenant_id = "TENANT_ID"
public_client_app_id = "KATANA_CLIENT_APP_ID"
# Application ID URI of the Cloud Katana server app; the requested scope is
# the delegated permission exposed on it.
server_app_id_uri = "api://" + tenant_id + "/cloudkatana"
scope = server_app_id_uri + "/user_impersonation"

app = PublicClientApplication(
    public_client_app_id,
    authority="https://login.microsoftonline.com/" + tenant_id
)
# Opens a browser for interactive sign-in. MSAL returns a dict that carries
# either 'access_token' or 'error' / 'error_description'.
result = app.acquire_token_interactive(scopes=[scope])
if 'access_token' not in result:
    raise RuntimeError(result.get('error_description', result))
bearer_token = result['access_token']
```
Set Azure Function Orchestrator¶
```python
# HTTP trigger that starts the Durable Functions orchestrator
endpoint = function_app_url + "/api/orchestrators/Orchestrator"
```
Prepare HTTP Body¶
```python
data = [{
    'RequestId': 'd2e3753d-7941-450a-b434-913368de3ee5',
    'name': 'Grant Permission to Azure AD Application',
    'metadata': {
        'creationDate': '2021-08-05',
        'modificationDate': '2021-08-09',
        'description': 'A threat actor might want to grant permissions (Delegated or Application) to an Azure AD application (Service Principal) via Microsoft Graph APIs and the right permissions.\n',
        'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'],
        'mitreAttack': [{'technique': 'T1098', 'tactics': ['TA0003']}]
    },
    'steps': [{
        'schema': 'atomic',
        'id': '0721f7ce-f04b-4bdd-9fd1-aefc566aa0fb',
        'name': 'Grant Permission to Azure AD Application',
        'metadata': {
            'creationDate': '2021-08-05',
            'modificationDate': '2021-08-09',
            'description': 'A threat actor might want to grant permissions (Delegated or Application) to an Azure AD application (Service Principal) via Microsoft Graph APIs and the right permissions.\n',
            'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'],
            'mitreAttack': [{'technique': 'T1098', 'tactics': ['TA0003']}]
        },
        # Graph permissions the Cloud Katana function app must hold for this step
        'authorization': [{
            'resource': 'https://graph.microsoft.com/',
            'permissionsType': 'application',
            'permissions': ['AppRoleAssignment.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All']
        }],
        'execution': {
            'type': 'ScriptModule',
            'platform': 'Azure',
            'executor': 'PowerShell',
            'module': {'name': 'CloudKatanaAbilities', 'version': 1.0, 'function': 'Grant-CKPermissions'},
            'parameters': {}
        },
        'number': 1
    }]
}]
```
Send HTTP Request¶
```python
http_headers = {
    'Authorization': 'Bearer ' + bearer_token,
    'Accept': 'application/json',
    'Content-Type': 'application/json'
}
# The request body is sent with POST; the orchestrator replies with a status
# document that includes 'statusQueryGetUri' for polling the run.
results = requests.post(endpoint, json=data, headers=http_headers, stream=False).json()
# Give the orchestration time to run before reading its output
time.sleep(30)
```
Explore Output¶
```python
query_status = requests.get(results['statusQueryGetUri'], headers=http_headers, stream=False).json()
query_results = query_status['output']
print(query_results)
```
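The cells above run the simulation as four separate steps and then wait a fixed 30 seconds before reading the output. The following is an added example, not code from the Cloud Katana project, that puts the same procedure into functions: it lists the Graph permissions a request body declares (so the operator can confirm the Cloud Katana service principal holds exactly those and nothing broader), submits the request, and polls `statusQueryGetUri` until the Durable Functions `runtimeStatus` reaches a terminal state instead of sleeping blindly. The `fetch` and `sleep` parameters, the `SAMPLE_REQUEST` body (a trimmed copy of the page's request shape with a placeholder RequestId) and the `run_simulation` wrapper are assumptions of this example; the URL layout, scope and status fields are the ones the page uses.

```python
import time
from typing import Callable, Dict, List, Tuple

# Durable Functions runtime states that mean the orchestration is finished
TERMINAL_STATES = {"Completed", "Failed", "Terminated", "Canceled"}

# Constructed sample: a trimmed copy of the page's request body with a placeholder RequestId
SAMPLE_REQUEST = [{
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "name": "Grant Permission to Azure AD Application",
    "steps": [{
        "schema": "atomic",
        "number": 1,
        "authorization": [{
            "resource": "https://graph.microsoft.com/",
            "permissionsType": "application",
            "permissions": ["AppRoleAssignment.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All"],
        }],
        "execution": {
            "type": "ScriptModule", "platform": "Azure", "executor": "PowerShell",
            "module": {"name": "CloudKatanaAbilities", "version": 1.0, "function": "Grant-CKPermissions"},
            "parameters": {},
        },
    }],
}]


def required_graph_permissions(request_body: List[dict]) -> Dict[str, List[str]]:
    """Collect the Microsoft Graph permissions every step declares in its
    'authorization' block, keyed by permissionsType ('application' or 'delegated').
    Use the result to check the function app's service principal was granted
    exactly these permissions before running the simulation."""
    needed: Dict[str, List[str]] = {}
    for simulation in request_body:
        for step in simulation.get("steps", []):
            for auth in step.get("authorization", []):
                if auth.get("resource") != "https://graph.microsoft.com/":
                    continue
                bucket = needed.setdefault(auth["permissionsType"], [])
                for perm in auth.get("permissions", []):
                    if perm not in bucket:
                        bucket.append(perm)
    return needed


def wait_for_orchestration(status_uri: str, fetch: Callable[[str], dict],
                           timeout_s: float = 300, interval_s: float = 5,
                           sleep: Callable[[float], None] = time.sleep) -> Tuple[dict, int]:
    """Poll statusQueryGetUri until runtimeStatus is terminal or the deadline passes.
    'fetch' takes a URL and returns the decoded JSON status document; it is a
    parameter so the loop can be exercised without network access.
    Returns the final status document and the number of polls made."""
    deadline = time.monotonic() + timeout_s
    polls = 0
    while True:
        status = fetch(status_uri)
        polls += 1
        if status.get("runtimeStatus") in TERMINAL_STATES:
            return status, polls
        if time.monotonic() >= deadline:
            raise TimeoutError(f"orchestration still {status.get('runtimeStatus')} after {timeout_s}s")
        sleep(interval_s)


def run_simulation(function_app_url: str, tenant_id: str, client_app_id: str,
                   request_body: List[dict]) -> dict:
    """End-to-end: interactive sign-in, POST the request to the orchestrator,
    poll until it finishes, return the orchestration output.
    msal and requests are imported here so the helpers above run without them."""
    from msal import PublicClientApplication
    import requests

    app = PublicClientApplication(client_app_id,
                                  authority="https://login.microsoftonline.com/" + tenant_id)
    scope = "api://" + tenant_id + "/cloudkatana/user_impersonation"
    result = app.acquire_token_interactive(scopes=[scope])
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description", result))
    headers = {"Authorization": "Bearer " + result["access_token"],
               "Accept": "application/json", "Content-Type": "application/json"}

    start = requests.post(function_app_url + "/api/orchestrators/Orchestrator",
                          json=request_body, headers=headers)
    start.raise_for_status()
    status_uri = start.json()["statusQueryGetUri"]

    def fetch(url: str) -> dict:
        resp = requests.get(url, headers=headers)
        resp.raise_for_status()
        return resp.json()

    final, _ = wait_for_orchestration(status_uri, fetch)
    return final.get("output")


if __name__ == "__main__":
    # Offline check of the permission listing; run_simulation needs a real tenant.
    print(required_graph_permissions(SAMPLE_REQUEST))
```

Polling on `runtimeStatus` matters because a failed or terminated orchestration also ends the loop, whereas the fixed sleep on the page returns whatever partial status exists after 30 seconds.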