diff --git a/src/SUMMARY.md b/src/SUMMARY.md index d05776c71..2b0939b02 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -398,8 +398,8 @@ - [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md) - [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md) - [Az - OAuth Apps Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md) - - [Az - Storage Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md) - - [Az - VMs Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unauth.md) + - [Az - Storage Unauth](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md) + - [Az - VMs Unauth](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unauth.md) - [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) - [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) - [Az - Services](pentesting-cloud/azure-security/az-services/README.md) diff --git a/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md b/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md index c7418d0af..875c6a0f9 100644 --- a/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md +++ b/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md 
@@ -2,9 +2,30 @@ {{#include ../../banners/hacktricks-training.md}} -To start a white box hardening review of some Entra ID tenats you need to ask for **Global Reader role on each tenant**. Moreover, to perform a hardening review of different Azure subscriptions you would need at least the **Reader permissions over all the subscriptions**. +To start a white box hardening review of some Entra ID tenats you need to ask for **`Global Reader` role on each tenant**. Moreover, to perform a hardening review of different Azure subscriptions you would need at least the **`Reader`role over all the subscriptions**. Note that if those roles aren't enough to access all the info you need, you could also ask the client for roles with the permissions you need. Just try to **minimize the amount of not read-only permissions you ask for!** +Another option is to ask for **`Security Reader` role** instead of `Reader` if the client complaints to reduce the granted privileges. However, this increases the possibility of the pentester asking for more read roles later as the `Reader` role grants `"*/read"` while the `Security Reader` role grants: + +```json +"actions": [ + "Microsoft.Authorization/*/read", + "Microsoft.Insights/alertRules/read", + "Microsoft.operationalInsights/workspaces/*/read", + "Microsoft.Resources/deployments/*/read", + "Microsoft.Resources/subscriptions/resourceGroups/read", + "Microsoft.Security/*/read", + "Microsoft.IoTSecurity/*/read", + "Microsoft.Support/*/read", + "Microsoft.Security/iotDefenderSettings/packageDownloads/action", + "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action", + "Microsoft.Security/iotSensors/downloadResetPassword/action", + "Microsoft.IoTSecurity/defenderSettings/packageDownloads/action", + "Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action", + "Microsoft.Management/managementGroups/read" +] +``` + {{#include ../../banners/hacktricks-training.md}}
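Review bot: the rewritten first paragraph of az-permissions-for-a-pentest.md still carries the typo "tenats" and loses the space in "**`Reader`role", so while touching this line please change it to "tenants" and "**`Reader` role**"; in the new `Security Reader` paragraph, "if the client complaints" should read "if the client complains". On substance, the added `actions` list shows that `Security Reader` is not purely read-only: it includes `Microsoft.Security/iotDefenderSettings/packageDownloads/action`, `Microsoft.Security/iotSensors/downloadResetPassword/action` and the matching `Microsoft.IoTSecurity/defenderSettings/*/action` entries. Since the surrounding text tells the reader to "minimize the amount of not read-only permissions you ask for", the paragraph should state that `Security Reader` narrows read scope (no `"*/read"`) but still carries a handful of Defender for IoT `/action` permissions, so a client comparing the two roles is not misled into thinking it is strictly weaker. It would also help to say that `Reader` and `Security Reader` are Azure RBAC roles scoped to subscriptions while `Global Reader` is an Entra ID directory role, since the paragraph mixes both without saying which applies where.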