New Name, Same Risks: Two Microsoft Entra ID Attack Paths

Posted by: Zur Ulianitzky and Bill Ben Haim
October 04, 2023

For those not yet aware, Microsoft Entra ID is the new name for Azure AD, just announced this July.

By way of brief history, Azure AD is the cloud version of Active Directory (AD) – which has been in use since it was first introduced in 1999 as Microsoft Active Directory Domain Services for Windows 2000. AD was the default identity and access management service in Windows networks for decades, and Azure AD – now Entra ID – is the cloud-based version that extends the solution across both the cloud and on-prem apps. 

Entra ID is arguably one of the most mission-critical systems in any modern organization – critical for productivity, uptime and business continuity itself. And this is why security stakeholders pay extra attention to potential threats against this system. In this blog, we’ll look at how threat actors gain a foothold in Entra ID and examine two scenarios of what can happen next. 

We have been collecting and lecturing on attack techniques for Azure AD/Entra for years now and what we highlight in this blog are two semi-common techniques that organizations should be aware of.


The Preliminary Step: Foothold and Reconnaissance

Like in any system, threat actors generally gain footholds in Entra ID through a combination of tactics. Initially, they conduct reconnaissance to identify vulnerabilities, often exploiting outdated software or misconfigured settings. Then, before they start an attack and move laterally in Entra ID, they seek an initial foothold. They do this through a series of targeted techniques. While these techniques are usually sophisticated, they are also familiar. The most common include:

  • Phishing
  • Brute force
  • Password spraying
  • Harvesting user credentials stored on default paths
  • Harvesting application secrets or certificates
  • Abusing AD Connect
  • Abusing SSO features – PRT, AD Connect SSO
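Of the foothold techniques listed above, brute force and password spraying leave the clearest trail in the Entra ID sign-in logs. The following is an added example (not the authors' code) that runs a spray detection over sign-in records shaped like the Entra ID sign-in log export (createdDateTime, userPrincipalName, ipAddress, status.errorCode); the records, IPs and accounts are constructed sample data. A spray is one source failing against many distinct accounts in a short window, which is what distinguishes it from brute force against a single account.

```python
"""Password-spray detection over Entra ID sign-in log records.

Added example for this post, not the authors' code. The record shape mirrors
the Entra ID sign-in log export; the rows themselves are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Entra error codes seen during sprays: 50126 invalid credentials, 50053 account locked.
FAILURE_CODES = {50126, 50053}


def _rec(ts, upn, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: 203.0.113.7 sprays six accounts then succeeds against one;
# 198.51.100.20 hammers a single account; 192.0.2.10 is ordinary traffic.
SAMPLE_SIGNINS = [
    _rec("2023-10-04T08:00:05Z", "alice@example.com", "203.0.113.7", 50126),
    _rec("2023-10-04T08:00:40Z", "bob@example.com", "203.0.113.7", 50126),
    _rec("2023-10-04T08:01:10Z", "carol@example.com", "203.0.113.7", 50126),
    _rec("2023-10-04T08:01:50Z", "dave@example.com", "203.0.113.7", 50126),
    _rec("2023-10-04T08:02:30Z", "erin@example.com", "203.0.113.7", 50053),
    _rec("2023-10-04T08:03:00Z", "frank@example.com", "203.0.113.7", 50126),
    _rec("2023-10-04T08:03:30Z", "frank@example.com", "203.0.113.7", 0),
    _rec("2023-10-04T08:10:00Z", "bob@example.com", "198.51.100.20", 50126),
    _rec("2023-10-04T08:11:00Z", "bob@example.com", "198.51.100.20", 50126),
    _rec("2023-10-04T08:12:00Z", "bob@example.com", "198.51.100.20", 50126),
    _rec("2023-10-04T08:13:00Z", "bob@example.com", "198.51.100.20", 50126),
    _rec("2023-10-04T08:15:00Z", "carol@example.com", "192.0.2.10", 0),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: sorted distinct UPNs} for each source IP whose failed sign-ins
    hit at least `min_accounts` distinct accounts inside any `window`-long span."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] in FAILURE_CODES:
            failures[r["ipAddress"]].append(
                (_ts(r["createdDateTime"]), r["userPrincipalName"].lower()))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        active = defaultdict(int)  # distinct accounts inside the sliding window
        start = 0
        for ts, upn in events:
            active[upn] += 1
            # Slide the window start forward until the span fits in `window`.
            while ts - events[start][0] > window:
                old = events[start][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                start += 1
            if len(active) >= min_accounts:
                findings[ip] = sorted({u for _, u in events})
                break
    return findings


def successes_from_spray_sources(records, spray_ips):
    """Accounts that signed in successfully from a spraying IP: the ones whose
    passwords get reset and sessions revoked first."""
    hits = defaultdict(set)
    for r in records:
        if r["ipAddress"] in spray_ips and r["status"]["errorCode"] == 0:
            hits[r["ipAddress"]].add(r["userPrincipalName"].lower())
    return {ip: sorted(u) for ip, u in hits.items()}


if __name__ == "__main__":
    sprays = detect_password_spray(SAMPLE_SIGNINS)
    for ip, users in sprays.items():
        print(f"spray from {ip}: {len(users)} accounts targeted")
    for ip, users in successes_from_spray_sources(SAMPLE_SIGNINS, sprays).items():
        print(f"successful sign-ins from {ip}: {users}")
```

The window and account thresholds are assumptions to tune per tenant; the single-account burst from 198.51.100.20 is deliberately not flagged by this check, since that is a brute-force pattern that a per-account lockout policy addresses.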

By way of example, to gain a foothold through AD Connect abuse, threat actors inject a DLL into the “AzureADAuthenticationAgentService.exe” process to create a trampoline function that hooks the LogonUserW Win32 API. This backdoors the authentication flow: they gain access as any user who logs in through it, while also keeping a record of successful authentication requests in a local file.

Next, attackers conduct reconnaissance, with the objective of gathering as much information as possible on both the Resource Manager and the Azure AD directory to find vulnerabilities or misconfigurations in the current setup.

So now let’s have a look at some examples of attack scenarios that can occur. This will enable orgs to become more aware of the threats they face and take proper steps to prevent such attacks.

Attack Scenario #1: Azure Active Directory to Resource Manager

The attacker establishes an initial foothold using an Azure AD user account. After acquiring user credentials, they conduct a reconnaissance phase to assess the user’s permissions and group affiliations. Then, the attacker exploits application ownership to reset an application’s secret and leverages the application’s permissions to add themselves to a higher-privileged group. Ultimately, they gain full control over the Azure Resource Manager subscription.

Now, the attacker lists all application IDs and their display names using the ‘az ad app list’ command. Then, they work through each ID, using ‘az ad app owner list’ to identify the owners of each application, looking for individuals with the necessary permissions.

The attacker discovers that one application possesses the critical ‘Group.ReadWrite.All’ Graph app role permission, which enables them to modify group memberships. Digging deeper into this permission and its implications, they realize it allows them to manipulate the ownership of non-assignable Azure AD groups within the tenant; permissions with this effect include ‘Directory.ReadWrite.All,’ ‘Group.ReadWrite.All,’ and ‘GroupMember.ReadWrite.All.’ With ownership of the application, the attacker can now reset its secret and authenticate as its service principal.

Having acquired this capability, the attacker searches for a group with elevated permissions and identifies the ‘Resource Manager Administrator’ group, which holds Owner RBAC permissions at the subscription level. Now, to gain control, they need the object IDs of both the target group and their own user account. By adding themselves as an owner of the group, the attacker inherits the group’s permissions, effectively seizing control of the Azure subscription.
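The chain in scenario #1 is owner → app secret → service principal → Graph application permission → group. A defender can walk the same chain in reverse before an attacker does: list which registrations hold the dangerous Graph permissions and who owns them. The following is an added example, not the authors' code; it works over the JSON shapes (trimmed to the fields used, an assumption) returned by ‘az ad app list’, ‘az ad app owner list --id <appId>’, ‘az ad sp show --id 00000003-0000-0000-c000-000000000000 --query appRoles’ (the Microsoft Graph role id to name map) and the service principal's appRoleAssignments fetched with ‘az rest’. All data below is constructed and the GUIDs are placeholders, not the real Graph role ids.

```python
"""Audit app registrations for high-privilege Graph application permissions
and the owners who can reset their secrets.

Added example for this post, not the authors' code. Inputs are constructed;
GUIDs are placeholders, not real Microsoft Graph app-role ids.
"""
from collections import defaultdict

# App-role values the post names as sufficient to take over group ownership.
HIGH_PRIVILEGE_ROLES = {
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All",
}

# Constructed: Microsoft Graph service principal appRoles (id -> value).
GRAPH_APP_ROLES = [
    {"id": "11111111-0000-0000-0000-000000000001", "value": "Group.ReadWrite.All"},
    {"id": "11111111-0000-0000-0000-000000000002", "value": "Directory.ReadWrite.All"},
    {"id": "11111111-0000-0000-0000-000000000003", "value": "User.Read.All"},
]

# Constructed: `az ad app list`, one entry per registration.
APPS = [
    {"appId": "aaaa0000-0000-0000-0000-000000000001", "displayName": "HR Sync"},
    {"appId": "aaaa0000-0000-0000-0000-000000000002", "displayName": "Reporting"},
    {"appId": "aaaa0000-0000-0000-0000-000000000003", "displayName": "Legacy Connector"},
]

# Constructed: `az ad app owner list --id <appId>`, keyed by appId.
OWNERS_BY_APP = {
    "aaaa0000-0000-0000-0000-000000000001": [{"userPrincipalName": "alice@example.com"}],
    "aaaa0000-0000-0000-0000-000000000002": [{"userPrincipalName": "bob@example.com"}],
    "aaaa0000-0000-0000-0000-000000000003": [],
}

# Constructed: appRoleAssignments granted to each app's service principal,
# keyed by appId (the SP is resolved with `az ad sp show --id <appId>`).
ASSIGNMENTS_BY_APP = {
    "aaaa0000-0000-0000-0000-000000000001": [
        {"appRoleId": "11111111-0000-0000-0000-000000000001", "resourceDisplayName": "Microsoft Graph"}],
    "aaaa0000-0000-0000-0000-000000000002": [
        {"appRoleId": "11111111-0000-0000-0000-000000000003", "resourceDisplayName": "Microsoft Graph"}],
    "aaaa0000-0000-0000-0000-000000000003": [
        {"appRoleId": "11111111-0000-0000-0000-000000000002", "resourceDisplayName": "Microsoft Graph"}],
}


def audit_app_permissions(apps, owners_by_app, assignments_by_app, graph_app_roles,
                          dangerous=HIGH_PRIVILEGE_ROLES):
    """Return one finding per app holding a dangerous Graph application permission:
    {appId, displayName, permissions, owners}. Ownerless apps are still reported,
    since a privileged registration nobody owns is a cleanup item in itself."""
    role_name = {r["id"]: r["value"] for r in graph_app_roles}
    findings = []
    for app in apps:
        granted = {
            role_name.get(a["appRoleId"], a["appRoleId"])
            for a in assignments_by_app.get(app["appId"], [])
            if a.get("resourceDisplayName") == "Microsoft Graph"
        }
        risky = sorted(granted & dangerous)
        if risky:
            findings.append({
                "appId": app["appId"],
                "displayName": app["displayName"],
                "permissions": risky,
                "owners": sorted(o["userPrincipalName"]
                                 for o in owners_by_app.get(app["appId"], [])),
            })
    return findings


def owner_exposure(findings):
    """Invert the findings: the permissions each owner can reach by resetting
    an owned app's secret, which is exactly the path scenario #1 takes."""
    reach = defaultdict(set)
    for f in findings:
        for owner in f["owners"]:
            reach[owner].update(f["permissions"])
    return {o: sorted(p) for o, p in reach.items()}


if __name__ == "__main__":
    found = audit_app_permissions(APPS, OWNERS_BY_APP, ASSIGNMENTS_BY_APP, GRAPH_APP_ROLES)
    for f in found:
        print(f"{f['displayName']}: {f['permissions']} owners={f['owners'] or 'NONE'}")
    print("owner exposure:", owner_exposure(found))
```

The owner list is the actionable part: every owner of a flagged app is, in effect, a holder of that Graph permission and deserves the same protection (phishing-resistant MFA, conditional access, monitoring of secret resets) as a directory administrator.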


Attack Scenario #2: Resource Manager to Azure Active Directory

The goal of this attack is to compromise the server, access sensitive data, and exfiltrate valuable information from the Azure AD tenant. This multi-stage attack requires sophistication in exploiting Azure resources.

The attack begins with stolen user credentials, followed by a reconnaissance phase to assess Azure resource permissions. The attacker exploits function app access rights to steal an access token linked to the app’s identity. Because that identity holds the Application Owner AAD Graph role, the token lets them manipulate an Azure AD application by adding a secret to it. This app holds OneDrive permissions, granting the attacker unrestricted access to user OneDrive files within the Azure AD tenant.

The attacker identifies and lists Azure Function App sites (serverless compute). To reach the function triggers, they list the functions and extract data such as ‘Invoke_url_template’ and ‘Script_href.’

Next, the attacker obtains the function keys through the ‘microsoft.web/sites/host/listkeys/action’ permission, which lets them read and modify function code. They then exploit a code flaw, overwriting the functions with the master key, to execute commands. Node.js modules (fs and child_process) allow them to manipulate the remote machine.
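The pivot in scenario #2 hinges on who holds ‘microsoft.web/sites/host/listkeys/action’ on the function app, and in Azure RBAC that is rarely granted by name: it arrives through wildcards such as the ‘*’ in Owner or ‘Microsoft.Web/sites/*’ in a contributor-style role. The following is an added example, not the authors' code, that implements the Actions/NotActions evaluation Azure RBAC applies to a control-plane action (case-insensitive, ‘*’ matches any run of characters, NotActions subtract from Actions, the assignment scope must contain the resource) and answers "who can list this app's host keys?" over constructed role definitions and assignments. Real input would come from ‘az role definition list’ and ‘az role assignment list --all’; deny assignments and DataActions are left out here (an assumption), and the subscription id, role names and principals are placeholders.

```python
"""Who can read a Function App's host keys? Azure RBAC action evaluation.

Added example for this post, not the authors' code. Role definitions,
assignments and resource ids are constructed; deny assignments and
DataActions are not modelled (assumption).
"""
import re

LISTKEYS = "Microsoft.Web/sites/host/listKeys/action"

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"
FUNC_APP = RG_PROD + "/providers/Microsoft.Web/sites/fn-billing"

# Constructed role definitions; built-in roles abbreviated to the patterns that matter.
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Website Contributor": {"actions": ["Microsoft.Web/sites/*"], "notActions": []},
    # Custom role: may deploy code but is explicitly carved out of key listing.
    "Function Deployer (custom)": {
        "actions": ["Microsoft.Web/sites/*"],
        "notActions": ["Microsoft.Web/sites/host/listKeys/action"],
    },
}

# Constructed role assignments (principal, role, scope).
ROLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.com", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "carol@example.com", "roleDefinitionName": "Website Contributor", "scope": RG_PROD},
    {"principalName": "dave@example.com", "roleDefinitionName": "Function Deployer (custom)", "scope": FUNC_APP},
    {"principalName": "erin@example.com", "roleDefinitionName": "Website Contributor", "scope": RG_DEV},
]


def action_matches(pattern, action):
    """RBAC wildcard match: case-insensitive, each '*' expands to any characters,
    including '/' (a wildcard spans resource-provider segments)."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.lower().split("*")) + "$"
    return re.match(regex, action.lower()) is not None


def scope_contains(scope, resource_id):
    """True if resource_id is the scope itself or lies beneath it in the hierarchy."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def role_allows(role_def, action):
    """Actions grant, NotActions subtract; both sides use wildcard matching."""
    allowed = any(action_matches(p, action) for p in role_def["actions"])
    excluded = any(action_matches(p, action) for p in role_def["notActions"])
    return allowed and not excluded


def principals_with_action(action, resource_id, assignments, role_definitions):
    """Sorted principals holding `action` on `resource_id` through some assignment
    whose scope contains the resource."""
    out = set()
    for a in assignments:
        role = role_definitions[a["roleDefinitionName"]]
        if scope_contains(a["scope"], resource_id) and role_allows(role, action):
            out.add(a["principalName"])
    return sorted(out)


if __name__ == "__main__":
    who = principals_with_action(LISTKEYS, FUNC_APP, ROLE_ASSIGNMENTS, ROLE_DEFINITIONS)
    print(f"can list host keys of {FUNC_APP.rsplit('/', 1)[-1]}: {who}")
```

Reader's ‘*/read’ never reaches an ‘/action’ suffix, the custom role's NotActions carve the key-listing action back out, and the rg-dev assignment is out of scope, so only the Owner and the production Website Contributor remain. That residual list is what to compare against who actually needs the master key.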

Access to Azure AD app registrations reveals the various Graph permissions they hold. Depending on those permissions, the attacker can access, modify, or delete OneDrive files, even searching them for specific keywords.


The Bottom Line

Microsoft Entra ID, formerly Azure AD, is the linchpin of many organizations – driving productivity, uptime, and business continuity. As such, it is increasingly targeted by threat actors with tactics ranging from the familiar, like phishing and brute force, to the sophisticated, including DLL injections and application abuse.

The above scenarios demonstrate how relentlessly attackers will pursue their malicious goals. Yet with resilience, vigilance, and strategic countermeasures, and as part of a comprehensive exposure management program, Entra ID security can emerge victorious in the battle for digital safety and organizational integrity.


Zur Ulianitzky and Bill Ben Haim
