m8r1us
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Copyright 2022 Almond (almond.consulting) | |
| // | |
| // Author: Yannick Méheut (ymeheut@almond.consulting) | |
| // | |
| // Accompanying blog post: https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html | |
| // | |
| // Licensed under the Apache License, Version 2.0 (the "License"); | |
| // you may not use this file except in compliance with the License. | |
| // You may obtain a copy of the License at | |
| // |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # The script is part of the following article: https://www.scip.ch/en/?labs.20240404 | |
| $myTenantId = "cdfdd915-c827-..." # The tenant registering the foreign application (Source: My Tenant) | |
| $foreignTenantId = "d2a16643-37f9-4a19-..." # The tenant who is hosting the application (Source: Foreign Tenant) | |
| $spPassword = "5YB8Q~iFPkt7WXYbqZkzi42BqpPgVJCWR-assd1" # The client secret from the app (Source: Foreign Tenant) | |
| $appName = "foreignApp" # The app name (Source: Foreign Tenant) | |
| # -------------- | |
| #Step 0 (Foreign Tenant): Create an application in the portal | |
| # -------------- |
m8r1us
/ checkForForeignServicePrincipals.ps1
Last active
April 8, 2024 14:37
Find foreign service principals
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # The script is part of the following article: https://www.scip.ch/en/?labs.20240404 | |
| # -------------- | |
| # Find foreign service principals with application permissions | |
| # -------------- | |
| Write-Host "[*] Log in with a user that has at least the Application.Read.All right `n" -ForegroundColor Green | |
| Connect-MgGraph -scopes "Application.Read.All" -NoWelcome | |
| Write-Host "[*] Output the connection context `n" -ForegroundColor Green | |
| $mgcontext = Get-MgContext |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Install and import the AzureAD module (if not already installed) | |
| #Install-Module AzureAD -Force | |
| #Import-Module AzureAD | |
| # Connect to Azure AD | |
| Connect-AzureAD | |
| # Get all Azure AD groups | |
| $AllGroups = Get-AzureADGroup -All $true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-EffectiveAccess { | |
| [CmdletBinding()] | |
| param( | |
| [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)] | |
| [ValidatePattern('(?:(CN=([^,]*)),)?(?:((?:(?:CN|OU)=[^,]+,?)+),)?((?:DC=[^,]+,?)+)$')] | |
| [alias('DistinguishedName')] | |
| [string] $Identity, |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| begin-base64 644 - | |
| Li9hZGVsZWctdjIuemlwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
| AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAwMDY2NiAAMDAwMDAw | |
| IAAwMDAwMDAgADAwMDEzMzMzMDAyIDE0NTc0MDc3NTU2IDAxMTcxMAAgMAAAAAAAAAAAAAAAAAAA | |
| AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
| AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1c3RhcgAwMAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
| AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwMDAwMDAgADAwMDAw | |
| MCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
| AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
| AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQ |
m8r1us
/ register_ms_serviceprincipals.ps1
Last active
February 27, 2024 09:36
Add well known Microsoft Service Principals to the Tenant
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Connect to Microsoft Graphp | |
| Connect-MgGraph | |
| # Get list of FOCI clients and register them with Entra ID | |
| (Invoke-WebRequest -Method GET -Uri 'https://raw.githubusercontent.com/secureworks/family-of-client-ids-research/main/known-foci-clients.csv' | ConvertFrom-Csv).client_id | ForEach-Object { | |
| $sp = Get-MgServicePrincipal -Filter "appId eq '$_'" | |
| if (-not $sp) { | |
| $SPnew += New-MgServicePrincipal -AppId $_ | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $workdir = "C:\AzureAssessment\azurehound" # Dir with azurehound.exe | |
| $tenant = "" # Tenant ID | |
| #$refreshtoken = "" # Uncomment if you have a valid refreshtoken | |
| # Define the scopes for Azure AD | |
| $azAdScopes = "apps", "app-owners", "app-role-assignments", "devices", "device-owners", "groups", "group-members", "group-owners", "roles", "role-assignments", "service-principals", "service-principal-owners", "tenants", "users" | |
| $jwtazAd = "graph.microsoft.com access token" | |
| # Define the scopes for Azure Resource Manager | |
| $azRmScopes = "automation-accounts", "automation-account-role-assignments", "container-registries", "container-registry-role-assignments", "function-apps", "function-app-role-assignments", "key-vaults", "key-vault-access-policies", "key-vault-contributors", "key-vault-kvcontributors", "key-vault-owners", "key-vault-role-assignments", "key-vault-user-access-admins", "logic-apps", "logic-app-role-assignments", "managed-clusters", "managed-cluster-role-assignments", "management-groups", "management-group-d |
m8r1us
/ MSGraph-to-AzureManagementToken.ps1
Created
February 19, 2024 13:11
MSGRAPH to AzureManagementToken
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $TenantId = "" | |
| $authUrl = "https://login.microsoftonline.com/$($TenantId)" | |
| $body = @{ | |
| "scope" = "https://management.azure.com/.default offline_access openid" | |
| "client_id" = "d3590ed6-52b3-4102-aeff-aad2292ab01c" | |
| "grant_type" = "refresh_token" | |
| "refresh_token" = "" | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| fetch('https://name.azurewebsites.net/api/HttpTrigger1', { | |
| method: 'POST', | |
| body: "<yourcontent>", | |
| headers: {'x-functions-key': 'key'} | |
| }); |
NewerOlder