diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md index d12374b7b..3cdf81aa5 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md @@ -16,6 +16,43 @@ Note that by default any user can invite guests in Azure AD, so, If a dynamic gr Get groups that allow Dynamic membership: **`az ad group list --query "[?contains(groupTypes, 'DynamicMembership')]" --output table`** +### Dynamic Groups Enumeration + +Get the rules of a dynamic group: + +With **Azure CLI**: + +```bash +az ad group list \ + --filter "groupTypes/any(c:c eq 'DynamicMembership')" \ + --query "[].{displayName:displayName, rule:membershipRule}" \ + -o table +``` + +With **PowerShell** and **Microsoft Graph SDK**: + +```bash +Install-Module Microsoft.Graph -Scope CurrentUser -Force +Import-Module Microsoft.Graph + +Connect-MgGraph -Scopes "Group.Read.All" + +Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" ` + -Property Id, DisplayName, GroupTypes + +# Get the rules of a specific group +$g = Get-MgGroup -Filter "displayName eq ''" ` + -Property DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState + +$g | Select-Object DisplayName, GroupTypes, MembershipRule + +# Get the rules of all dynamic groups +Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" ` + -Property DisplayName, MembershipRule | + Select-Object DisplayName, MembershipRule +``` + + ### Example - **Rule example**: `(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")` 
@@ -43,6 +80,7 @@ az rest --method GET \ --query "otherMails" ``` + ## References - [https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/](https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/)
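Review bot: in the first hunk, the block introduced with "With **PowerShell** and **Microsoft Graph SDK**" is fenced as ```bash although it contains PowerShell (`Install-Module`, `Connect-MgGraph`, `$g = ...`); fence it as powershell so it renders correctly and is not mistaken for a shell session. Two further points in the same block: `$g = Get-MgGroup -Filter "displayName eq ''"` filters on an empty display name and so returns nothing as written, so use an obvious placeholder such as `"displayName eq '<GROUP_NAME>'"` and say the reader must substitute it; and the run of two blank lines before `### Example` should be a single blank line. Finally, the new `az ad group list --filter "groupTypes/any(c:c eq 'DynamicMembership')"` command overlaps with the `az ad group list --query "[?contains(groupTypes, 'DynamicMembership')]"` one-liner that remains just above the new heading; either merge them or note that the new form filters on the server side and additionally prints `membershipRule`, so the reader knows why both are listed.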
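Review bot: the second hunk only inserts an extra blank line between the closing ``` fence and `## References`, leaving two consecutive blank lines; this is whitespace noise unrelated to the enumeration content and should be dropped from the change.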