security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1748 from WojciechLesicki/master

Browse Source 
T1098 - adding user and service principal to both Azure AD role and Azure role.
This commit is contained in:
Bhavin Patel
2022-02-03 09:54:23 -08:00
committed by GitHub
parent 454ad2308d 0e0df960e5
commit 5f8d08b7db
2 changed files with 589 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1098/T1098.md
+307
View File
@@ -10,6 +10,14 @@
- [Atomic Test #3 - AWS - Create a group and add a user to that group](#atomic-test-3---aws---create-a-group-and-add-a-user-to-that-group)
- [Atomic Test #4 - Azure - adding user to Azure AD role](#atomic-test-4---azure---adding-user-to-azure-ad-role)
- [Atomic Test #5 - Azure - adding service principal to Azure AD role](#atomic-test-5---azure---adding-service-principal-to-azure-ad-role)
- [Atomic Test #6 - Azure - adding user to Azure role in subscription](#atomic-test-6---azure---adding-user-to-azure-role-in-subscription)
- [Atomic Test #7 - Azure - adding service principal to Azure role in subscription](#atomic-test-7---azure---adding-service-principal-to-azure-role-in-subscription)
<br/>
@@ -196,4 +204,303 @@ echo Please run atomic test T1136.003, before running this atomic test
<br/>
## Atomic Test #4 - Azure - adding user to Azure AD role
The adversarie want to add user to some Azure AD role. Threat actor
may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator,
Privileged authentication administrator (this role can reset Global Administrator password!).
By default, the role Global Reader is assigned to service principal in this test.
The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see User as a type.
**Supported Platforms:** Azure-ad
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Azure AD username | String | jonh@contoso.com|
| password | Azure AD password | String | p4sswd|
| user_principal_name | Name of the targeted user (user principal) | String | SuperUser|
| role_name | Name of the targeted role | String | Global Reader|
#### Attack Commands: Run with `powershell`!
```powershell
Import-Module -Name AzureAD
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential
$user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
if ($user -eq $null) { Write-Warning "User not found"; exit }
$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"
```
#### Cleanup Commands:
```powershell
Import-Module -Name AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential -ErrorAction Ignore
$user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
if ($user -eq $null) { Write-Warning "User not found"; exit }
$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
```
#### Dependencies: Run with `powershell`!
##### Description: AzureAD module must be installed.
##### Check Prereq Commands:
```powershell
try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name AzureAD -Force
```
<br/>
<br/>
## Atomic Test #5 - Azure - adding service principal to Azure AD role
The adversarie want to add service principal to some Azure AD role. Threat actor may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, Privileged authentication administrator (this role can reset Global Administrator password!).
By default, the role Global Reader is assigned to service principal in this test.
The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see Service Principal as a type.
**Supported Platforms:** Azure-ad
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Azure AD username | String | jonh@contoso.com|
| password | Azure AD password | String | p4sswd|
| service_principal_name | Name of the targeted service principal | String | SuperSP|
| role_name | Name of the targeted role | String | Global Reader|
#### Attack Commands: Run with `powershell`!
```powershell
Import-Module -Name AzureAD
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential
$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"
```
#### Cleanup Commands:
```powershell
Import-Module -Name AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential -ErrorAction Ignore
$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role"
```
#### Dependencies: Run with `powershell`!
##### Description: AzureAD module must be installed.
##### Check Prereq Commands:
```powershell
try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name AzureAD -Force
```
<br/>
<br/>
## Atomic Test #6 - Azure - adding user to Azure role in subscription
The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor may be
interested primarily in highly privileged roles, e.g. Owner, Contributor.
By default, the role Reader is assigned to user in this test.
New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write
(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All
and Microsoft Graph Directory.Read.All permissions.
Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
**Supported Platforms:** iaas:azure
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Azure AD username | String | jonh@contoso.com|
| password | Azure AD password | String | p4sswd|
| user_principal_name | Name of the targeted user (user principal) | String | SuperUser|
| role_name | Name of the targeted role | String | Reader|
| subscription | Name of the targed subscription | String | Azure subscription 1|
#### Attack Commands: Run with `powershell`!
```powershell
Import-Module -Name Az.Resources
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzAccount -Credential $Credential
$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
if ($user -eq $null) { Write-Warning "User not found"; exit }
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
```
#### Cleanup Commands:
```powershell
Import-Module -Name AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzAccount -Credential $Credential -ErrorAction Ignore
$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
if ($user -eq $null) { Write-Warning "User not found"; exit }
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptionsName)"
```
#### Dependencies: Run with `powershell`!
##### Description: Az.Resources module must be installed.
##### Check Prereq Commands:
```powershell
try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name Az.Resources -Force
```
<br/>
<br/>
## Atomic Test #7 - Azure - adding service principal to Azure role in subscription
The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor may be
interested primarily in highly privileged roles, e.g. Owner, Contributor.
By default, the role Reader is assigned to service principal in this test.
New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write
(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All
and Microsoft Graph Directory.Read.All permissions.
Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
**Supported Platforms:** iaas:azure
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Azure AD username | String | jonh@contoso.com|
| password | Azure AD password | String | p4sswd|
| service_principal_name | Name of the targeted service principal | String | SuperSP|
| role_name | Name of the targeted role | String | Reader|
| subscription | Name of the targed subscription | String | Azure subscription 1|
#### Attack Commands: Run with `powershell`!
```powershell
Import-Module -Name Az.Resources
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzAccount -Credential $Credential
$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
```
#### Cleanup Commands:
```powershell
Import-Module -Name AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzAccount -Credential $Credential -ErrorAction Ignore
$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
if ($user -eq $null) { Write-Warning "User not found"; exit }
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptionsName)"
```
#### Dependencies: Run with `powershell`!
##### Description: Az.Resources module must be installed.
##### Check Prereq Commands:
```powershell
try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name Az.Resources -Force
```
<br/>
<br/>
atomics/T1098/T1098.yaml
+282
View File
@@ -128,4 +128,286 @@ atomic_tests:
aws iam delete-group --group-name #{username}
name: sh
- name: Azure - adding user to Azure AD role
description: |
The adversarie want to add user to some Azure AD role. Threat actor
may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator,
Privileged authentication administrator (this role can reset Global Administrator password!).
By default, the role Global Reader is assigned to service principal in this test.
The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see User as a type.
supported_platforms:
- azure-ad
input_arguments:
username:
description: Azure AD username
type: String
default: jonh@contoso.com
password:
description: Azure AD password
type: String
default: p4sswd
user_principal_name:
description: Name of the targeted user (user principal)
type: String
default: SuperUser
role_name:
description: Name of the targed Azure AD role
type: String
default: Global Reader
dependencies:
- description: |
AzureAD module must be installed.
prereq_command: |
try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
get_prereq_command: |
Install-Module -Name AzureAD -Force
executor:
command: |
Import-Module -Name AzureAD
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential
$user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
if ($user -eq $null) { Write-Warning "User not found"; exit }
$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"
cleanup_command: |
Import-Module -Name AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential -ErrorAction Ignore
$user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
if ($user -eq $null) { Write-Warning "User not found"; exit }
$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
name: powershell
elevation_required: false
- name: Azure - adding service principal to Azure AD role
description: |
The adversarie want to add service principal to some Azure AD role. Threat actor
may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator,
Privileged authentication administrator (this role can reset Global Administrator password!).
By default, the role Global Reader is assigned to service principal in this test.
The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see Service Principal as a type.
supported_platforms:
- azure-ad
input_arguments:
username:
description: Azure AD username
type: String
default: jonh@contoso.com
password:
description: Azure AD password
type: String
default: p4sswd
service_principal_name:
description: Name of the service principal
type: String
default: SuperSP
role_name:
description: Name of the targed Azure AD role
type: String
default: Global Reader
dependencies:
- description: |
AzureAD module must be installed.
prereq_command: |
try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
get_prereq_command: |
Install-Module -Name AzureAD -Force
executor:
command: |
Import-Module -Name AzureAD
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential
$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"
cleanup_command: |
Import-Module -Name AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential -ErrorAction Ignore
$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role"
name: powershell
elevation_required: false
- name: Azure - adding user to Azure role in subscription
description: |
The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor
may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
By default, the role Reader is assigned to user in this test.
New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write
(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All
and Microsoft Graph Directory.Read.All permissions.
Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
supported_platforms:
- iaas:azure
input_arguments:
username:
description: Azure AD username
type: String
default: jonh@contoso.com
password:
description: Azure AD password
type: String
default: p4sswd
user_principal_name:
description: Name of the targeted user (user principal)
type: String
default: SuperUser
role_name:
description: Name of the targed Azure role
type: String
default: Reader
subscription:
description: Name of the targed subscription
type: String
default: Azure subscription 1
dependencies:
- description: |
Az.Resources module must be installed.
prereq_command: |
try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
get_prereq_command: |
Install-Module -Name Az.Resources -Force
executor:
command: |
Import-Module -Name Az.Resources
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzAccount -Credential $Credential
$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
if ($user -eq $null) { Write-Warning "User not found"; exit }
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
cleanup_command: |
Import-Module -Name AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzAccount -Credential $Credential -ErrorAction Ignore
$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
if ($user -eq $null) { Write-Warning "User not found"; exit }
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
name: powershell
elevation_required: false
- name: Azure - adding service principal to Azure role in subscription
description: |
The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor
may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
By default, the role Reader is assigned to service principal in this test.
New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write
(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All
and Microsoft Graph Directory.Read.All permissions.
Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
supported_platforms:
- iaas:azure
input_arguments:
username:
description: Azure AD username
type: String
default: jonh@contoso.com
password:
description: Azure AD password
type: String
default: p4sswd
service_principal_name:
description: Name of the service principal
type: String
default: SuperSP
role_name:
description: Name of the targed Azure role
type: String
default: Reader
subscription:
description: Name of the targed subscription
type: String
default: Azure subscription 1
dependencies:
- description: |
Az.Resources module must be installed.
prereq_command: |
try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
get_prereq_command: |
Install-Module -Name Az.Resources -Force
executor:
command: |
Import-Module -Name Az.Resources
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzAccount -Credential $Credential
$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
cleanup_command: |
Import-Module -Name AzureAD -ErrorAction Ignore
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzAccount -Credential $Credential -ErrorAction Ignore
$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
name: powershell
elevation_required: false