Introduction
PurpleCloud is an open-source Azure Cyber Range that can be used to quickly set up an Azure AD security lab filled with Azure resources. These resources enable a quick and safe way to test, evaluate, and understand Service Principal abuse attack primitives. Run it like this:
$ python3 azure_ad.py -c 25 --upn <domain> --apps 7 -aa -ga -pra
The command above generates all of the declarative terraform files you need to build, manage, and destroy the range.
Resources Created
PurpleCloud is a terraform code generator. It creates HCL formatted terraform files, quickly creating simulation labs for a variety of use cases. You can check out all of the new generators here. The one above is for Azure AD security simulations. The resources created in the example above:
- 25 Azure AD users, each with a randomly generated password
- 7 Azure AD Applications
- 1 Application Administrator role randomly assigned to one of the 25 users
- A Global Administrator role randomly assigned to one of the 7 apps
- A Privileged Role Administrator (PRA) role randomly assigned to one of the 7 apps
Attack Overview & Prior Work
This privilege escalation attack scenario sets up a Service Principal abuse attack primitive that has been documented in the past by Andy Robbins [1] and Dirk-jan Mollema [2]. Read their two blogs to get details. The attack primitive allows an Application Administrator to elevate any user’s privilege or role to Global Administrator. It works like this:
- An AAD user assigned to Application Administrator exists in the tenant
- Application Administrators have powerful privileges, allowing full management of application registrations. They can add new secrets to an application.
- An Application exists in the tenant with the Privileged Role Administrator (PRA) role assigned. The PRA role allows adding any privileged role assignment, including assigning the Global Administrator role.
- The Application Administrator adds a secret to the PRA application, allowing them to log in to Azure using the PRA's Service Principal.
- Regular users can log in as Service Principals once they have generated app secrets.
- After logging in as the PRA Service Principal, the Application Administrator elevates any Azure AD user (including their own username) to Global Administrator.
The key point is that you can't reset these users' passwords through the front end portal at https://portal.azure.com, but the same outcome is achievable through the backend, using Service Principals.
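To find this escalation path in your own tenant before someone else does, audit directory role memberships for the two conditions above together: a user holding Application Administrator, and a service principal holding Privileged Role Administrator (or Global Administrator, which the generator's -ga flag also assigns to an app). The following is an added audit example, not part of PurpleCloud or its attack scripts; the membership records and ids are constructed, shaped like the output of listing the members of each directory role.

```python
from collections import defaultdict

APP_ADMIN = "Application Administrator"
# Roles that let a service principal grant Global Administrator to any user.
ESCALATION_ROLES = {"Privileged Role Administrator", "Global Administrator"}

# Constructed directory-role membership records with placeholder ids, the
# kind of data an audit script collects by listing members of each role.
SAMPLE_MEMBERSHIPS = [
    {"role": "Application Administrator", "principalType": "User",
     "principalId": "user-0007", "displayName": "user7@example.onmicrosoft.com"},
    {"role": "Global Administrator", "principalType": "ServicePrincipal",
     "principalId": "sp-0003", "displayName": "app3"},
    {"role": "Privileged Role Administrator", "principalType": "ServicePrincipal",
     "principalId": "sp-0005", "displayName": "app5"},
    {"role": "Global Administrator", "principalType": "User",
     "principalId": "user-0001", "displayName": "breakglass@example.onmicrosoft.com"},
    {"role": "User Administrator", "principalType": "ServicePrincipal",
     "principalId": "sp-0002", "displayName": "app2"},
]


def find_escalation_paths(memberships):
    """Return sorted (app_admin_user, service_principal, role) triples.

    Each triple is one path: the user can add a secret to the service
    principal's app registration, sign in as it, and use its role to
    assign Global Administrator. An empty list means neither half of the
    primitive is present, or only one half is.
    """
    app_admins = set()
    risky_sps = defaultdict(set)  # service principal -> escalation roles held
    for m in memberships:
        if m["principalType"] == "User" and m["role"] == APP_ADMIN:
            app_admins.add(m["displayName"])
        elif m["principalType"] == "ServicePrincipal" and m["role"] in ESCALATION_ROLES:
            risky_sps[m["displayName"]].add(m["role"])
    return sorted((admin, sp, role)
                  for admin in app_admins
                  for sp, roles in risky_sps.items()
                  for role in roles)


if __name__ == "__main__":
    for admin, sp, role in find_escalation_paths(SAMPLE_MEMBERSHIPS):
        print(f"{admin} -> add secret to {sp} ({role}) -> Global Administrator")
```

In the constructed snapshot both halves are present, so two paths are reported; removing the Application Administrator assignment, or the privileged roles on the apps, breaks the chain.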
The Attack Scripts
PurpleCloud includes two attack scripts that automate this privilege escalation scenario. The first script performs reconnaissance. The second script exploits the setup, elevating any Azure AD user to Global Administrator. These two scripts can be found here.
Demo Video
References
[1] Andy Robbins, SpecterOps: Azure Privilege Escalation via Service Principal Abuse
[2] Dirk-jan Mollema: https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/