// Copyright 2022 Almond (almond.consulting) | |
// | |
// Author: Yannick Méheut (ymeheut@almond.consulting) | |
// | |
// Accompanying blog post: https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html | |
// | |
// Licensed under the Apache License, Version 2.0 (the "License"); | |
// you may not use this file except in compliance with the License. | |
// You may obtain a copy of the License at | |
// |
# The script is part of the following article: https://www.scip.ch/en/?labs.20240404 | |
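# Inputs for the cross-tenant app registration walkthrough. The "(Source: ...)" tag on
# each value says which tenant it comes from.
$myTenantId = "cdfdd915-c827-..." # The tenant registering the foreign application (Source: My Tenant)
$foreignTenantId = "d2a16643-37f9-4a19-..." # The tenant who is hosting the application (Source: Foreign Tenant)
# The client secret from the app (Source: Foreign Tenant).
# A client secret is a bearer credential for the application: it must never be committed
# to a script or gist. It is read from the FOREIGN_APP_SECRET environment variable (or a
# vault) instead, and the script fails fast with a clear message when it is missing.
# Any secret that has already been published must be rotated in the foreign tenant.
$spPassword = $env:FOREIGN_APP_SECRET
if ([string]::IsNullOrEmpty($spPassword)) {
    throw "Set FOREIGN_APP_SECRET to the foreign app's client secret before running this script."
}
$appName = "foreignApp" # The app name (Source: Foreign Tenant)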
# -------------- | |
#Step 0 (Foreign Tenant): Create an application in the portal | |
# -------------- |
# The script is part of the following article: https://www.scip.ch/en/?labs.20240404 | |
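# --------------
# Find foreign service principals with application permissions
# --------------
Write-Host "[*] Log in with a user that has at least the Application.Read.All right `n" -ForegroundColor Green
# Interactive sign-in requesting only the scope this section needs (least privilege).
# Connect-MgGraph can complete with a narrower token than requested (e.g. when the user
# cannot consent), so the granted scopes are checked below rather than assumed.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome
Write-Host "[*] Output the connection context `n" -ForegroundColor Green
$mgcontext = Get-MgContext
if (-not $mgcontext) {
    throw "No Microsoft Graph context after Connect-MgGraph; the sign-in did not complete."
}
if ($mgcontext.Scopes -notcontains "Application.Read.All") {
    Write-Warning "Application.Read.All was not granted (scopes: $($mgcontext.Scopes -join ', ')); the application queries below will fail."
}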
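# Install and import the AzureAD module (if not already installed)
#Install-Module AzureAD -Force
#Import-Module AzureAD
# NOTE(review): the AzureAD PowerShell module is deprecated by Microsoft in favour of
# Microsoft.Graph (Connect-MgGraph / Get-MgGroup). It keeps working where it is already
# installed, but new environments may not have it; fail with an actionable message here
# instead of a CommandNotFound error from Connect-AzureAD.
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    throw "The AzureAD module is not installed. Run 'Install-Module AzureAD' or migrate this script to Microsoft.Graph (Get-MgGroup)."
}
# Connect to Azure AD (interactive sign-in)
Connect-AzureAD
# Get all Azure AD groups; -All $true asks for every group rather than just the first page of results
$AllGroups = Get-AzureADGroup -All $true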
function Get-EffectiveAccess { | |
[CmdletBinding()] | |
param( | |
[Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)] | |
[ValidatePattern('(?:(CN=([^,]*)),)?(?:((?:(?:CN|OU)=[^,]+,?)+),)?((?:DC=[^,]+,?)+)$')] | |
[alias('DistinguishedName')] | |
[string] $Identity, |
begin-base64 644 - | |
Li9hZGVsZWctdjIuemlwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAwMDY2NiAAMDAwMDAw | |
IAAwMDAwMDAgADAwMDEzMzMzMDAyIDE0NTc0MDc3NTU2IDAxMTcxMAAgMAAAAAAAAAAAAAAAAAAA | |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1c3RhcgAwMAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwMDAwMDAgADAwMDAw | |
MCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQ |
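# Connect to Microsoft Graph. Creating service principals requires
# Application.ReadWrite.All; request it explicitly so consent is prompted at sign-in
# instead of New-MgServicePrincipal failing with 403 later.
Connect-MgGraph -Scopes "Application.ReadWrite.All"
# Get list of FOCI clients and register them with Entra ID.
# The list is fetched over the network from a third-party repository and every entry is
# then written into the tenant, so each client_id is validated as a GUID before it is
# interpolated into the OData filter or passed to New-MgServicePrincipal (this also rules
# out filter injection from a tampered CSV). Review the list before running this against
# a production tenant.
# $SPnew is initialised as an array: "+=" on an unset variable works for the first
# object but throws (no op_Addition) as soon as a second service principal is added.
$SPnew = @()
$fociClientIds = (Invoke-WebRequest -Method GET -Uri 'https://raw.githubusercontent.com/secureworks/family-of-client-ids-research/main/known-foci-clients.csv' | ConvertFrom-Csv).client_id
foreach ($appId in $fociClientIds) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse([string]$appId, [ref]$parsed)) {
        Write-Warning "Skipping non-GUID client_id '$appId' from the FOCI list"
        continue
    }
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if (-not $sp) {
        $SPnew += New-MgServicePrincipal -AppId $appId
    }
}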
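$workdir = "C:\AzureAssessment\azurehound" # Dir with azurehound.exe
# Tenant ID. May be supplied through the AZUREHOUND_TENANT environment variable instead
# of editing this file; the literal is only used when the variable is unset.
$tenant = if ($env:AZUREHOUND_TENANT) { $env:AZUREHOUND_TENANT } else { "" }
#$refreshtoken = "" # Uncomment if you have a valid refreshtoken
# Define the scopes for Azure AD
$azAdScopes = @("apps", "app-owners", "app-role-assignments", "devices", "device-owners", "groups", "group-members", "group-owners", "roles", "role-assignments", "service-principals", "service-principal-owners", "tenants", "users")
# Access token for graph.microsoft.com. A token is a bearer credential: take it from the
# AZUREHOUND_GRAPH_TOKEN environment variable so it is never saved into this script (or
# into a copy pushed to a gist); the literal below is only a placeholder reminder.
$jwtazAd = if ($env:AZUREHOUND_GRAPH_TOKEN) { $env:AZUREHOUND_GRAPH_TOKEN } else { "graph.microsoft.com access token" }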
# Define the scopes for Azure Resource Manager | |
$azRmScopes = "automation-accounts", "automation-account-role-assignments", "container-registries", "container-registry-role-assignments", "function-apps", "function-app-role-assignments", "key-vaults", "key-vault-access-policies", "key-vault-contributors", "key-vault-kvcontributors", "key-vault-owners", "key-vault-role-assignments", "key-vault-user-access-admins", "logic-apps", "logic-app-role-assignments", "managed-clusters", "managed-cluster-role-assignments", "management-groups", "management-group-d |
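# Tenant to authenticate against; taken from the TENANT_ID environment variable when set
# so the script does not have to be edited per tenant.
$TenantId = if ($env:TENANT_ID) { $env:TENANT_ID } else { "" }
$authUrl = "https://login.microsoftonline.com/$($TenantId)"
# Request body for the refresh_token grant. The client_id is a Microsoft first-party
# public client (it is, as far as I can tell, the Microsoft Office client ID), so no
# client secret is sent with the request.
# The refresh token is a long-lived bearer credential: it is read from the REFRESH_TOKEN
# environment variable rather than pasted here, and a filled-in copy of this script must
# never be committed or shared.
$body = @{
    "scope"         = "https://management.azure.com/.default offline_access openid"
    "client_id"     = "d3590ed6-52b3-4102-aeff-aad2292ab01c"
    "grant_type"    = "refresh_token"
    "refresh_token" = if ($env:REFRESH_TOKEN) { $env:REFRESH_TOKEN } else { "" }
}
# Warn early instead of letting the token endpoint answer with an opaque 400.
if ([string]::IsNullOrEmpty($TenantId) -or [string]::IsNullOrEmpty($body["refresh_token"])) {
    Write-Warning "TenantId and refresh_token are empty; set TENANT_ID and REFRESH_TOKEN before posting to $authUrl"
}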
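// Invoke the HTTP-triggered Azure Function.
// The x-functions-key value is a bearer-style credential: anyone holding it can call
// the function, so it belongs in configuration, not in page source or a committed file,
// and must not be logged. The original discarded the returned promise, so a failed
// request (wrong key -> 401, cold-start error -> 5xx) went unnoticed; the response
// status is now checked and rejections are surfaced.
const functionKey = 'key';
fetch('https://name.azurewebsites.net/api/HttpTrigger1', {
  method: 'POST',
  body: "<yourcontent>",
  headers: {'x-functions-key': functionKey}
})
  .then((response) => {
    if (!response.ok) {
      throw new Error(`HttpTrigger1 request failed with HTTP ${response.status}`);
    }
    return response;
  })
  .catch((err) => {
    // Report the failure without echoing the request headers (the key would leak).
    console.error('HttpTrigger1 call failed:', err.message);
  });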