a

src/pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md

@@ -11,7 +11,7 @@ For more information about SQL Database check:
 
 
 ### `Microsoft.DocumentDB/databaseAccounts/read` && `Microsoft.DocumentDB/databaseAccounts/write`
-With this permission, you can create or update Azure Cosmos DB accounts. This includes modifying account-level settings, adding or removing regions, changing consistency levels, and enabling or disabling features like multi-region writes.
+With this permission, you can create or update Azure Cosmos DB accounts. This includes modifying account-level configurations, enabling or disabling automatic failover, managing network access controls, setting backup policies, and adjusting consistency levels. Attackers with this permission could alter settings to weaken security controls, disrupt availability, or exfiltrate data by modifying network rules. 
 
 ```bash
 az cosmosdb update \
@@ -20,6 +20,22 @@ az cosmosdb update \
   --public-network-access ENABLED
 ```
 
+```bash
+az cosmosdb update \
+    --account-name <account_name> \
+    --resource-group <resource_group_name> \
+    --capabilities EnableMongoRoleBasedAccessControl
+```
+
+Additionally you can enable managed identities in the account:
+
+```bash
+az cosmosdb identity assign \
+    --name <cosmosdb_account_name> \
+    --resource-group <resource_group_name>
+```
+
+
 ### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write`
 With this permission, you can create or modify containers (collections) within a SQL database of an Azure Cosmos DB account. Containers are used to store data, and changes to them can impact the database's structure and access patterns.
 
@@ -139,57 +155,5 @@ az cosmosdb mongodb database create \
   --name <database_name>
 ```
 
-### `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read`
-With this permission, you can create new MongoDB role definitions within an Azure Cosmos DB account. This allows defining custom roles with specific permissions for MongoDB users.
-
-```bash
-az cosmosdb mongodb role definition create \
-    --account-name <account_name> \
-    --resource-group <resource_group_name> \
-    --body '{
-        "Id": "<mydatabase>.readWriteRole",
-        "RoleName": "readWriteRole",
-        "Type": "CustomRole",
-        "DatabaseName": "<mydatabase>",
-        "Privileges": [
-            {
-                "Resource": {
-                    "Db": "<mydatabase>",
-                    "Collection": "mycollection"
-                },
-                "Actions": [
-                    "insert",
-                    "find",
-                    "update"
-                ]
-            }
-        ],
-        "Roles": []
-    }'
-```
-
-### `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read`
-With this permission, you can create new MongoDB user definitions within an Azure Cosmos DB account. This allows the provisioning of users with specific roles and access levels to MongoDB databases.
-
-```bash
-az cosmosdb mongodb user definition create \
-    --account-name <account_name> \
-    --resource-group <resource_group_name> \
-    --body '{
-        "Id": "<mydatabase>.myUser",
-        "UserName": "myUser",
-        "Password": "mySecurePassword",
-        "DatabaseName": "<mydatabase>",
-        "CustomData": "TestCustomData",
-        "Mechanisms": "SCRAM-SHA-256",
-        "Roles": [
-            {
-                "Role": "readWriteRole",
-                "Db": "<mydatabase>"
-            }
-        ]
-    }'
-```
-
 {{#include ../../../banners/hacktricks-training.md}}