
We had a user's creds exposed and a threat actor used them to successfully log in to Azure CLI with the user's creds. We've since resolved the access issue using conditional access and our MFA (which admittedly was a hole). I'm trying to recreate the method of attack though and I can't seem to get it right. Here are the activity details for the malicious sign-in:

Application: Microsoft Azure CLI
Application ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
Resource: Windows Azure Service Management API
Resource ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013
Resource tenant ID: Left out
Home tenant ID: Left out
Home tenant name:
Client app: Mobile Apps and Desktop clients
Client credential type: None
Service principal ID:
Service principal name:
Resource service principal ID: d2b4c9e3-9a2a-4360-8ba4-6ece086335c5
Unique token identifier: Left out
Token issuer type: Azure AD
Token issuer name:
Incoming token type: None
Authentication Protocol: ROPC
Latency: 90ms
Flagged for review: No
User agent:

Looks like they used ROPC detailed here https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

I've tried emulating it through Azure CLI directly, but it doesn't report back "ROPC" as the authentication protocol. So they are definitely calling through ROPC. Then I tried emulating it with my creds in Postman and I get almost the same result as above in the sign-in log:

Application: Microsoft Azure CLI
Application ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
Resource: Microsoft Graph
Resource ID: 00000003-0000-0000-c000-000000000000
Resource tenant ID: Left out
Home tenant ID: Left out
Home tenant name:
Client app: Mobile Apps and Desktop clients
Client credential type: None
Service principal ID:
Service principal name:
Resource service principal ID: e10569b0-24e4-4495-9d9b-698b01290eae
Unique token identifier: Left out
Token issuer type: Azure AD
Token issuer name:
Incoming token type: None
Authentication Protocol: ROPC
Latency: 108ms
Flagged for review: No
User agent: PostmanRuntime/7.30.0

As you can see, it's very similar, but mine is reporting "Microsoft Graph" while the malicious entry reports Windows Azure Service Management API. Can someone point me in the right direction?

1 Answer


Windows Azure Service Management API refers to the Azure Resource management API.

I tried checking the sign-in logs, and the Service Principal Sign-in logs show Windows Azure Service Management API; refer here:

(screenshot)

Note: the above sign-in log is of a service principal sign-in with the client credentials flow. You can find that service principal by copying its Application ID and pasting it in the App registrations page or the Enterprise applications page of Azure AD.

I tried to log in to Azure with a service principal named Powershell using the ROPC flow via Postman:

(screenshot)

Received an access token like below:

(screenshot)

Called the Graph API:

(screenshot)

Got the resource as Microsoft Graph in the sign-in logs, similar to you:

(screenshot)

Now, I tried calling the Azure Resource Management API to get the list of Azure resources from my account with the same flow, and got the Resource set to Windows Azure Service Management API like below:

Added Azure Service Management API permissions:

(screenshot)

Now, I changed the scope to https://management.azure.com/default like below:

(screenshot)

Fetched the access token from the above call and ran the query below to get the list of resources:

(screenshot)

When I checked the sign-in logs now, it's showing ROPC with the Windows Azure Service Management API resource, like below:

(screenshot)

SiddheshDesai
  • Thank you for your response! I tried that and it works for me. The only thing I'm wondering about is that they used Azure CLI as the app, whereas you are using "powershell", which you gave explicit permissions to Windows Azure Service Management API. They would not have been able to do that (that I know of). So when I use your scope, I get this error: – sysadmintor Jan 31 '23 at 17:00
  • ADSTS65002: Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.\r\nTrace ID: – sysadmintor Jan 31 '23 at 17:01
  • I now get almost the same but I get this response: Failure reason Consent between first party application '{applicationId}' and first party resource '{resourceId}' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Additional Details A developer in your tenant may be attempting to reuse an App ID owned by Microsoft. This error prevents them from impersonating a Microsoft application to call other APIs. They must move to another app ID they register in portal.azure.com – sysadmintor Feb 02 '23 at 01:45
  • Have a look at this MS Doc: https://learn.microsoft.com/en-us/answers/questions/962674/401-aadsts65002-when-trying-to-authenticate-with-a by James – SiddheshDesai Feb 02 '23 at 08:51
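From the defender's side, the useful thing to take from this thread is how the two sign-in entries differ: same first-party Azure CLI app ID, both ROPC, but one obtained a Windows Azure Service Management API (Azure Resource Manager) token and the other a Microsoft Graph token, and a later attempt failed with AADSTS65002. The script below is an added example, not code from the question or the answer; it triages exported sign-in records for ROPC activity and ranks them by what the token was issued for. The record shape is an assumption modelled on the Microsoft Graph `signIn` resource (`appId`, `resourceId`, `authenticationProtocol`, `userAgent`, `status.errorCode`), the sample records are constructed to mirror the entries in the thread with tenant and user values replaced by placeholders, and the `AZURECLI/` user-agent prefix used to tell a genuine Azure CLI client from a generic HTTP tool is an assumption as well.

```python
"""Triage constructed Entra ID / Azure AD sign-in records for ROPC activity.

Added example, not from the original question or answer. Record field names
are an ASSUMPTION modelled on the Microsoft Graph signIn resource; the sample
records are CONSTRUCTED to mirror the entries shown in the thread.
"""
from dataclasses import dataclass
from typing import Optional

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"   # Microsoft Azure CLI (from the thread)
ARM_RESOURCE_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"    # Windows Azure Service Management API
GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
CONSENT_BLOCKED_ERROR = 65002                                # AADSTS65002, as seen in the comments

# CONSTRUCTED sample records. User and tenant values are placeholders.
SAMPLE_SIGNINS = [
    {   # mirrors the malicious entry in the question: ROPC, Azure CLI app, ARM token, blank user agent
        "userPrincipalName": "victim@contoso.example",
        "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI",
        "resourceId": ARM_RESOURCE_ID, "resourceDisplayName": "Windows Azure Service Management API",
        "clientAppUsed": "Mobile Apps and Desktop clients",
        "authenticationProtocol": "ropc", "userAgent": "",
        "status": {"errorCode": 0, "failureReason": "Other."},
    },
    {   # mirrors the asker's Postman test: same app, Graph token, PostmanRuntime user agent
        "userPrincipalName": "admin@contoso.example",
        "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI",
        "resourceId": GRAPH_RESOURCE_ID, "resourceDisplayName": "Microsoft Graph",
        "clientAppUsed": "Mobile Apps and Desktop clients",
        "authenticationProtocol": "ropc", "userAgent": "PostmanRuntime/7.30.0",
        "status": {"errorCode": 0, "failureReason": "Other."},
    },
    {   # mirrors the asker's later attempt that was refused with AADSTS65002
        "userPrincipalName": "admin@contoso.example",
        "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI",
        "resourceId": GRAPH_RESOURCE_ID, "resourceDisplayName": "Microsoft Graph",
        "clientAppUsed": "Mobile Apps and Desktop clients",
        "authenticationProtocol": "ropc", "userAgent": "PostmanRuntime/7.30.0",
        "status": {"errorCode": CONSENT_BLOCKED_ERROR,
                   "failureReason": "Consent between first party application and first party "
                                    "resource must be configured via preauthorization"},
    },
    {   # an ordinary interactive browser sign-in; must be ignored by the ROPC triage
        "userPrincipalName": "admin@contoso.example",
        "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI",
        "resourceId": ARM_RESOURCE_ID, "resourceDisplayName": "Windows Azure Service Management API",
        "clientAppUsed": "Browser",
        "authenticationProtocol": "oAuth2", "userAgent": "AZURECLI/2.44.1 (PIP)",
        "status": {"errorCode": 0, "failureReason": "Other."},
    },
]


@dataclass
class Finding:
    user: str
    severity: str   # "high", "medium" or "info"
    reason: str


def triage_signin(rec: dict) -> Optional[Finding]:
    """Return a Finding for an ROPC sign-in, or None for any other protocol.

    ROPC sends the raw username and password to the token endpoint and cannot
    complete an interactive MFA challenge, so every ROPC entry is worth a look;
    severity depends on whether a token was issued and for which resource.
    """
    if str(rec.get("authenticationProtocol", "")).lower() != "ropc":
        return None
    user = rec.get("userPrincipalName", "<unknown user>")
    error = int(rec.get("status", {}).get("errorCode", 0))
    resource = rec.get("resourceId", "")
    user_agent = rec.get("userAgent") or ""

    if error == CONSENT_BLOCKED_ERROR:
        severity, reason = "info", "ROPC request refused: first-party app/resource pair requires preauthorization (AADSTS65002)"
    elif error != 0:
        severity, reason = "medium", f"ROPC attempt failed (error {error}); repeated failures suggest credential guessing"
    elif resource == ARM_RESOURCE_ID:
        severity, reason = "high", "ROPC sign-in succeeded and obtained an Azure Resource Manager token"
    else:
        severity, reason = "medium", f"ROPC sign-in succeeded for resource {rec.get('resourceDisplayName', resource)}"

    # ASSUMPTION: a genuine Azure CLI presents a user agent starting with "AZURECLI/".
    # An empty or third-party user agent under the Azure CLI app ID is a useful detail
    # for the analyst, as in the blank and PostmanRuntime entries in the thread.
    if rec.get("appId") == AZURE_CLI_APP_ID and not user_agent.startswith("AZURECLI/"):
        reason += f"; app ID is Azure CLI but user agent is {user_agent!r}"
    return Finding(user, severity, reason)


def triage_all(records) -> list:
    """Triage a batch of records, dropping the non-ROPC ones."""
    return [f for f in (triage_signin(r) for r in records) if f is not None]


def highest_severity(findings) -> str:
    """Roll a batch of findings up to a single severity for alerting."""
    order = {"high": 2, "medium": 1, "info": 0}
    return max((f.severity for f in findings), key=order.__getitem__, default="none")


if __name__ == "__main__":
    for f in triage_all(SAMPLE_SIGNINS):
        print(f"[{f.severity}] {f.user}: {f.reason}")
    print("overall:", highest_severity(triage_all(SAMPLE_SIGNINS)))
```

The same three rules translate directly into a saved query or alert over the sign-in log export: filter on the authentication protocol being ROPC, weight by the resource the token was issued for, and treat AADSTS65002 refusals as noise from the first-party preauthorization check rather than as successful access. Blocking ROPC outright with Conditional Access, as the asker did, removes the high-severity case entirely.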