Lateral Movement from Azure Portal to Microsoft Graph CLI
In today's interconnected cloud environments, security professionals must stay vigilant about potential attack vectors. One such vector involves lateral movement from the Azure Portal to the Microsoft Graph CLI. Understanding how threat actors use these tools to move laterally across an environment is crucial for strengthening our security posture.
This blog aims to shed light on the mechanisms and techniques used for lateral movement between these platforms. We will explore how attackers can transition from the Azure Portal to the Microsoft Graph CLI, leveraging permissions and tokens to escalate their privileges and gain deeper access to organizational resources.
The diagram illustrates the process of obtaining and utilizing access tokens for lateral movement between Azure services. The flow begins with accessing the Azure Portal, where the user launches the Cloud Shell.
Azure Portal to Cloud Shell: The user initiates the Cloud Shell from the Azure Portal.
Authorization Access Token: During the authorization phase, the user extracts the access token using a browser tool.
Accessing Microsoft Azure Resource Manager: The extracted access token is used to connect to the Microsoft Azure Resource Manager.
Command Line Generated Access Token: Within Cloud Shell, the user generates an access token via the CLI.
Interacting with Microsoft Graph: The generated access token is then used to interact with Microsoft Graph, enabling further operations and potential lateral movement within the Azure environment.
This process demonstrates how access tokens can be obtained and utilized to navigate and interact with various Azure services securely. Initial access requires entry into the Azure Portal and Cloud Shell. Open Cloud Shell by clicking the icon in the top right corner of the screen.
Interact with the command line and request an Azure Access Token as shown below. This command will generate an access token for the Graph API, which can then be used to interact with the server using the Microsoft Graph PowerShell module.
(Get-AzAccessToken -Resource https://graph.microsoft.com).Token
Visit jwt.ms to decode the recently extracted access token. The aud (audience) claim identifies the recipients that the JWT is intended for. In this case, it is graph.microsoft.com, which can be leveraged for the Connect-MgGraph command.
Below is a list of other audiences that can be targeted for lateral movement:
An interesting audience to leverage is the https://graph.windows.net API, as Microsoft does not have the capability to log events interacting with this API. Applications such as PingCastle, GraphSpy and BloodHound Azure (AzureHound) can utilize many of these tokens. Depending on the requirements, additional scopes may need to be added.
Copy the access token from the Azure Portal and paste it into a variable called gAccessToken. Then, run the Connect-MgGraph command as shown below. After that, execute Get-MgUser to retrieve a list of users available in the Azure AD tenant.
$gAccessToken = "eyJ0..."
Connect-MgGraph -AccessToken ($gAccessToken | ConvertTo-SecureString -AsPlainText -Force)
Get-MgUser
There is an additional opportunity to use an access token during the authorization phase of launching the Cloud Shell. By searching for network communication directed towards the authorization endpoint, you can identify and copy the access token.
This access token is authorized for Azure Resource Manager. Copy the App ID (jwt.ms) and access token, and use this to connect via Connect-AzAccount.
Use the Connect-AzAccount command to authenticate, then establish our access context, and even request additional access tokens.
Connect-AzAccount -AccessToken "eyJ0e" -AccountId "appid_inside_jwt"
Get-AzContext
(Get-AzAccessToken).Token
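The post decodes tokens on jwt.ms to read the aud claim and the App ID passed to -AccountId. The following is an added example, not code from the original post, that performs the same inspection locally so a token never has to be pasted into a web page; the function name ConvertFrom-JwtPayload and the sample token are assumptions constructed for illustration, and the signature is not verified.

```powershell
# Added example (not from the original post): decode the payload of a JWT
# access token locally and surface the claims the procedure above relies on.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWS token (expected header.payload.signature)." }

    # Base64url -> Base64: restore the standard alphabet and the '=' padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json   = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $claims = $json | ConvertFrom-Json

    [pscustomobject]@{
        Audience  = $claims.aud     # resource the token is valid for (aud claim)
        AppId     = $claims.appid   # value the post passes as -AccountId
        ExpiresAt = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
        Scopes    = $claims.scp
        User      = $claims.upn
    }
}

# Constructed sample token: a real header, a payload with the claims above and
# a dummy signature (signature is not checked here; this is inspection only).
$payload = @{
    aud   = 'https://graph.microsoft.com'
    appid = '00000000-0000-0000-0000-000000000000'   # placeholder App ID
    exp   = 1700000000
    scp   = 'User.Read.All'
    upn   = 'alice@contoso.example'
} | ConvertTo-Json -Compress
$b64url = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$sampleToken = "eyJhbGciOiJSUzI1NiJ9.$b64url.dummysignature"

# Replace $sampleToken with (Get-AzAccessToken).Token to inspect a live token.
ConvertFrom-JwtPayload -Token $sampleToken
```

Checking Audience and ExpiresAt before calling Connect-MgGraph or Connect-AzAccount tells you whether a captured token is actually usable against the intended resource and for how long.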