AZMGAddSecret

It is created against all Azure App Registrations and Service Principals when a Service Principal has one of the following MS Graph app roles:

• Application.ReadWrite.All
• RoleManagement.ReadWrite.Directory

You will not see this privilege when using just the Azure portal or any other Microsoft tooling. If you audit the roles and administrators affecting any particular Azure App or Service Principal, you will not see that the Service Principal can add secrets to the object, but it indeed can because of the parallel access management system used by MS Graph.

​

Abuse Info

There are several ways to perform this abuse, depending on what sort of access you have to the credentials of the object that holds this privilege against the target object. If you have an interactive web browser session for the Azure portal, it is as simple as finding the target App in the portal and adding a new secret to the object using the “Certificates & secrets” tab. Service Principals do not have this tab in the Azure portal but you can add secrets to them with the MS Graph API. No matter what kind of control you have, you will be able to perform this abuse by using BARK’s New-AppRegSecret or New-ServicePrincipalSecret functions.

These functions require you to supply an MS Graph-scoped JWT associated with the Service Principal that has the privilege to add secrets to the target object. There are several ways to acquire a JWT. For example, you may use BARK’s Get-MSGraphTokenWithClientCredentials to acquire an MS Graph-scoped JWT by supplying a Service Principal Client ID and secret:

$MGToken = Get-MSGraphTokenWithClientCredentials `

    -ClientID "34c7f844-b6d7-47f3-b1b8-720e0ecba49c" `

    -ClientSecret "asdf..." `

    -TenantName "contoso.onmicrosoft.com"

Then use BARK’s New-AppRegSecret to add a new secret to the target application:

New-AppRegSecret `

    -AppRegObjectID "d878..." `

    -Token $MGToken.access_token

The output will contain the plain-text secret you just created for the target app:

New-AppRegSecret `

    -AppRegObjectID "d878..." `

    -Token $MGToken.access_token



Name                Value

----                -----

AppRegSecretValue   odg8Q~...

AppRegAppId         4d31...

AppRegObjectId      d878...

With this plain text secret, you can now acquire tokens as the service principal associated with the app. You can easily do this with BARK’s Get-MSGraphToken function:

$SPToken = Get-MSGraphToken `

    -ClientID "4d31..." `

    -ClientSecret "odg8Q~..." `

    -TenantName "contoso.onmicrosoft.com"

Now you can use this JWT to perform actions against any other MS Graph endpoint as the service principal, continuing your attack path with the privileges of that service principal.

​

Opsec Considerations

When you create a new secret for an App or Service Principal, Azure creates an event called “Update application - Certificates and secrets management”. This event describes who added the secret to which application or service principal.

​

References

• https://attack.mitre.org/techniques/T1098/
• https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
• https://github.com/BloodHoundAD/BARK