From 4e0c81e09aa4e5544a8099502ac1312f3c920b62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20B=C3=BClow=20Knudsen?=
Date: Tue, 1 Oct 2024 14:12:28 +0200
Subject: [PATCH 1/2] add missing functions to readme
---
 BARK.ps1 | 6 +--
 README.md | 159 ++++++++++++++++++++++++++++++++++++++----------------
 2 files changed, 116 insertions(+), 49 deletions(-)
diff --git a/BARK.ps1 b/BARK.ps1
index efa9bd7..5ccf117 100644
--- a/BARK.ps1
+++ b/BARK.ps1
@@ -7134,7 +7134,7 @@ Function Test-AzureRMCreateFunction {
 New-Variable -Name 'Test-AzureRMCreateFunctionDefinition' -Value (Get-Command -Name "Test-AzureRMCreateFunction") -Force
 New-Variable -Name 'Test-AzureRMCreateFunctionAst' -Value (${Test-AzureRMCreateFunctionDefinition}.ScriptBlock.Ast.Body) -Force
-function Invoke-AzureRMAbuseTests {
+function Invoke-AllAzureRMAbuseTests {
 <#
 .SYNOPSIS
 Performs all AzureRM abuse tests, or specified tests against AzureRM objects if specfied with AbuseTestType switch
@@ -7165,7 +7165,7 @@ function Invoke-AzureRMAbuseTests {
 The ID of the target subscription
 .EXAMPLE
- C:\PS> Invoke-AzureRMAbuseTests `
+ C:\PS> Invoke-AllAzureRMAbuseTests `
 -GlobalAdminClientID "76add5b8-33fe-4f8f-8afe-8b75ddfaa7ae" `
 -GlobalAdminSecret "" `
 -UserAccessAdminClientID "76add5b8-33fe-4f8f-8afe-8b75ddfaa7ae" `
@@ -7178,7 +7178,7 @@ function Invoke-AzureRMAbuseTests {
 Perform all abuse tests, determines which available roles are able to perform all known abuse primitives
 .EXAMPLE
- C:\PS> Invoke-AzureRMAbuseTests `
+ C:\PS> Invoke-AllAzureRMAbuseTests `
 -GlobalAdminClientID "76add5b8-33fe-4f8f-8afe-8b75ddfaa7ae" `
 -GlobalAdminSecret "" `
 -UserAccessAdminClientID "76add5b8-33fe-4f8f-8afe-8b75ddfaa7ae" `
diff --git a/README.md b/README.md
index b7a245d..a784628 100644
--- a/README.md
+++ b/README.md
@@ -42,73 +42,140 @@ Running your first BARK commands
 With very few exceptions, Azure API endpoints require authentication to interact with. BARK comes with a few functions that will help you acquire the necessary tokens for interacting with the MS Graph and Azure REST APIs. Any BARK function that interacts with an Azure API that requires authentication will require you to supply a token.
-Let's say you want to list all of the users in an Azure Active Directory tenant. You first need to get a token scoped for MS Graph. There are many ways to get this token:
+Let's say you want to list all of the users in an Entra ID tenant. You first need to get a token scoped for MS Graph. There are many ways to get this token:
-If you have a username/password combination for an AzureAD user in that tenant, you can first acquire a refresh token for the user using BARK's ``Get-AZRefreshTokenWithUsernamePassword`` function:
+If you have a username/password combination for an Entra user in that tenant, you can first acquire a refresh token for the user using BARK's ``Get-EntraRefreshTokenWithUsernamePassword`` function:
- $MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "arobbins@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
+ $MyRefreshTokenRequest = Get-EntraRefreshTokenWithUsernamePassword -username "arobbins@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
 The resulting object you just created, `$MyRefreshTokenRequest`, will have as part of it a refresh token for your user. You can now request an MS Graph-scoped token using this refresh token:
 $MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
-Now this new object, `$MyMSGraphToken`, will have as one of its property values an MS Graph-scoped JWT for your user. You are now ready to use this token to list all the users in the AzureAD tenant:
+Now this new object, `$MyMSGraphToken`, will have as one of its property values an MS Graph-scoped JWT for your user. You are now ready to use this token to list all the users in the Entra tenant:
- $MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
+ $MyUsers = Get-AllEntraUsers -Token $MyMSGraphToken.access_token -ShowProgress
-Once finished, the `$MyAADUsers` variable will be populated by objects representing all of the users in your AzureAD tenant.
+Once finished, the `$MyEntraUsers` variable will be populated by objects representing all of the users in your Entra tenant.
 Token Management and Manipulation Functions
 -------------------------------------------
-
-* ``Parse-JWTToken`` will take a Base64 encoded JWT as input and parse it for you. Useful for verifying correct token audience and claims.
-* ``Get-AZRefreshTokenWithUsernamePassword`` requests a collection of tokens, including a refresh token, from login.microsoftonline.com with a user-supplied username and password. This will fail if the user has Multi-Factor Authentication requirements or is affected by a Conditional Access Policy.
-* ``Get-MSGraphTokenWithClientCredentials`` requests an MS Graph-scoped JWT with a client ID and secret. Useful for authenticating as an AzureAD service principal.
-* ``Get-MSGraphTokenWithRefreshToken`` requests an MS Graph-scoped JWT with a user-supplied refresh token.
-* ``Get-MSGraphTokenWithPortalAuthRefreshToken`` requests an MS Graph-scoped JWT with a user-supplied Azure Portal Auth Refresh token.
-* ``Get-AzureRMTokenWithClientCredentials`` requests an AzureRM-scoped JWT with a client ID and secret. Useful for authenticating as an AzureAD service principal.
-* ``Get-ARMTokenWithPortalAuthRefreshToken`` requests an AzureRM-scoped JWT with a user-supplied Azure Portal Auth Refresh token.
-* ``Get-ARMTokenWithRefreshToken`` requests an AzureRM-scoped JWT with a user-supplied refresh token.
+* ``Get-AzureKeyVaultTokenWithClientCredentials`` requests a token from STS with Azure Vault specified as the resource/intended audience using a client ID and secret.
+* ``Get-AzureKeyVaultTokenWithUsernamePassword`` requests a token from STS with Azure Vault specified as the resource/intended audience using a user-supplied username and password.
 * ``Get-AzurePortalTokenWithRefreshToken`` requests an Azure Portal Auth Refresh token with a user-supplied refresh token.
+* ``Get-AzureRMTokenWithClientCredentials`` requests an AzureRM-scoped JWT with a client ID and secret. Useful for authenticating as an Entra service principal.
+* ``Get-AzureRMTokenWithPortalAuthRefreshToken`` requests an AzureRM-scoped JWT with a user-supplied Azure Portal Auth Refresh token.
+* ``Get-AzureRMTokenWithRefreshToken`` requests an AzureRM-scoped JWT with a user-supplied refresh token.
+* ``Get-AzureRMTokenWithUsernamePassword`` requests an AzureRM-scoped JWT with a user-supplied username and password.
+* ``Get-EntraRefreshTokenWithUsernamePassword`` requests a collection of tokens, including a refresh token, from login.microsoftonline.com with a user-supplied username and password. This will fail if the user has Multi-Factor Authentication requirements or is affected by a Conditional Access Policy.
+* ``Get-MSGraphTokenWithClientCredentials`` requests an MS Graph-scoped JWT with a client ID and secret. Useful for authenticating as an Entra service principal.
+* ``Get-MSGraphTokenWithPortalAuthRefreshToken`` requests an MS Graph-scoped JWT with a user-supplied Azure Portal Auth Refresh token.
+* ``Get-MSGraphTokenWithRefreshToken`` requests an MS Graph-scoped JWT with a user-supplied refresh token.
+* ``Get-MSGraphTokenWithUsernamePassword`` requests an MS Graph-scoped JWT with a user-supplied username and password.
+* ``Parse-JWTToken`` will take a Base64 encoded JWT as input and parse it for you. Useful for verifying correct token audience and claims.
-The refresh token-based functions in BARK are based on functions in [https://github.com/rvrsh3ll/TokenTactics](TokenTactics) by [https://twitter.com/424f424f](Steve Borosh)
+The refresh token-based functions in BARK are based on functions in [TokenTactics](https://github.com/rvrsh3ll/TokenTactics) by [Steve Borosh](https://twitter.com/424f424f).
+
+Entra Enumeration Functions
+---------------------------
+* ``Get-AllEntraApps`` collects all Entra application registration objects.
+* ``Get-AllEntraGroups`` collects all Entra groups.
+* ``Get-AllEntraRoles`` collects all Entra admin roles.
+* ``Get-AllEntraServicePrincipals`` collects all Entra service principal objects.
+* ``Get-AllEntraUsers`` collects all Entra users.
+* ``Get-EntraAppOwner`` collects owners of an Entra app registration.
+* ``Get-EntraDeviceRegisteredUsers`` collects users of an Entra device.
+* ``Get-EntraGroupMembers`` collects members of an Entra group.
+* ``Get-EntraGroupOwner`` collects owners of an Entra group.
+* ``Get-EntraRoleTemplates`` collects Entra admin role templates.
+* ``Get-EntraServicePrincipal`` collects an Entra service principal.
+* ``Get-EntraServicePrincipalOwner`` collects owners of an Entra service principal.
+* ``Get-EntraTierZeroServicePrincipals`` collects Entra service principals that have a Tier Zero Entra Admin Role or Tier Zero MS Graph App Role assignment.
+* ``Get-MGAppRoles`` collects the app roles made available by the MS Graph service principal.
-Abuse Functions
---------------
-* ``Set-AZUserPassword`` will attempt to set the password of another user to a new user-provided value.
-* ``Reset-AZUserPassword`` will attempt to reset the password of another user. If successful, the output will contain the new, Azure-generated password of the user
-* ``New-AzureRMRoleAssignment`` will attempt to grant a user-specified AzureRM role assignment to a particular principal over a certain scope.
-* ``New-AppRegSecret`` will attempt to create a new secret for an existing AzureAD app registration.
-* ``New-ServicePrincipalSecret`` will attempt to create a new secret for an existing AzureAD service principal.
-* ``New-AppRoleAssignment`` will attempt to grant an app role to a service principal. For example, you can use this to grant a service principal the RoleManagement.ReadWrite.Directory app role.
+Azure Resource Manager Enumeration Functions
+--------------------------------------------
+* ``Get-AllAzureManagedIdentityAssignments`` collects all managed identity assignments.
+* ``Get-AllAzureRMAKSClusters`` collects all kubernetes service clusters under a subscription.
+* ``Get-AllAzureRMAutomationAccounts`` collects all automation accounts under a subscription.
+* ``Get-AllAzureRMAzureContainerRegistries`` collects all container registies under a subscription.
+* ``Get-AllAzureRMFunctionApps`` collects all function apps under a subscription.
+* ``Get-AllAzureRMKeyVaults`` collects all key vaults under a subscription.
+* ``Get-AllAzureRMLogicApps`` collects all logic apps under a subscription.
+* ``Get-AllAzureRMResourceGroups`` collects all resouce groups under a subscription.
+* ``Get-AllAzureRMSubscriptions`` collects all AzureRM subscriptions.
+* ``Get-AllAzureRMVMScaleSetsVMs`` collects all virtual machines under a VM scale set.
+* ``Get-AllAzureRMVMScaleSets`` collects all virtual machine scale sets under a subscription.
+* ``Get-AllAzureRMVirtualMachines`` collects all virtual machines under a subscription.
+* ``Get-AllAzureRMWebApps`` collects all web apps under a subscription.
+* ``Get-AzureAutomationAccountRunBookOutput`` runs an automation account runbook and retrieves its output.
+* ``Get-AzureFunctionAppFunctionFile`` collects the raw file (usually source code) of a function app function.
+* ``Get-AzureFunctionAppFunctions`` collects all functions under a function app.
+* ``Get-AzureFunctionAppMasterKeys`` collects all master keys under a function app.
+* ``Get-AzureFunctionOutput`` runs a function app function and retrieves its output.
+* ``Get-AzureRMKeyVaultSecretValue`` collects a key vault secret value.
+* ``Get-AzureRMKeyVaultSecretVersions`` collects all versions of a key vault secret.
+* ``Get-AzureRMKeyVaultSecrets`` collects all secrets under a key vault.
+* ``Get-AzureRMRoleAssignments`` collects all role assignments against an object.
+* ``Get-AzureRMRoleDefinitions`` collects all role definitions described at a subscription scope, including custom roles.
+* ``Get-AzureRMWebApp`` collects a web app.
-Enumeration Functions
+Intune Enumeration Functions
+----------------------------
+* ``Get-IntuneManagedDevices`` collects Intune-managed devices.
+* ``Get-IntuneRoleDefinitions`` collects available Intune role definitions.
+
+Entra Abuse Functions
 ---------------------
-* ``Get-AzureRMRoleDefinitions`` collects all role definitions described at a subscription scope, including custom roles.
-* ``Get-MGAppRoles`` collects the app roles made available by the MS Graph service principal.
-* ``Get-AllAzureADApps`` collects all AzureAD application registration objects.
-* ``Get-AllAzureADServicePrincipals`` collects all AzureAD service principal objects.
-* ``Get-AllAzureADUsers`` collects all AzureAD users.
-* ``Get-AllAzureADGroups`` collects all AzureAD groups.
-* ``Get-AllAzureRMSubscriptions`` collects all AzureRM subscriptions.
+* ``Add-MemberToEntraGroup`` will attempt to add a principal to an Entra group.
+* ``Enable-EntraRole`` will attempt to enables (or "activate") the Entra role.
+* ``New-EntraAppOwner`` will attempt to add a new owner to an Entra app.
+* ``New-EntraAppRoleAssignment`` will attempt to grant an app role to a service principal. For example, you can use this to grant a service principal the RoleManagement.ReadWrite.Directory app role.
+* ``New-EntraAppSecret`` will attempt to create a new secret for an existing Entra app registration.
+* ``New-EntraGroupOwner`` will attempt to add a new owner to an Entra group.
+* ``New-EntraRoleAssignment`` will attempt to assign an Entra admin role to a specified principal.
+* ``New-EntraServicePrincipalOwner`` will attempt to will attempt to add a new owner to an Entra service principal.
+* ``New-EntraServicePrincipalSecret`` will attempt to create a new secret for an existing Entra service principal.
+* ``Reset-EntraUserPassword`` will attempt to reset the password of another user. If successful, the output will contain the new, Azure-generated password of the user.
+* ``Set-EntraUserPassword`` will attempt to set the password of another user to a new user-provided value.
+
+Azure Resource Manager Abuse Functions
+--------------------------------------
+* ``Invoke-AzureRMAKSRunCommand`` will instruct the AKS cluster to execute a command.
+* ``Invoke-AzureRMVMRunCommand`` will attempt to execute a command on a VM.
+* ``Invoke-AzureRMWebAppShellCommand`` will attempt to execute a command on a web app container.
+* ``Invoke-AzureVMScaleSetVMRunCommand`` will attempt to execute a command on a VM Scale Set VM.
+* ``New-AzureAutomationAccountRunBook`` will attempt to add a runbook to an automation account.
+* ``New-AzureKeyVaultAccessPolicy`` will attempt to grant a principal "Get" and "List" permissions on a key vault's secrets, keys, and certificates.
+* ``New-AzureRMRoleAssignment`` will attempt to grant a user-specified AzureRM role assignment to a particular principal over a certain scope.
+* ``New-PowerShellFunctionAppFunction`` will attempt to create a new PowerShell function in a function app.
 Meta Functions
 --------------
-* ``Test-AzureRMAddSelfToAzureRMRole`` used in abuse validation testing to determine whether a service principal with certain rights can grant itself the User Access Admin role over a subscription.
-* ``Test-AzureRMCreateFunction`` used in abuse validation testing to test if a service principal can add a new function to an existing function app.
+* ``ConvertTo-Markdown`` is used for massaging output from the Invoke-Tests functions for usage in another platform.
+* ``Invoke-AllAzureMGAbuseTests`` performs all abuse validation tests that can be executed by holding an MS Graph app role. Returns an object describing which privileges were successful at performing each abuse test.
 * ``Invoke-AllAzureRMAbuseTests`` performs all AzureRM abuse validation tests and outputs a resulting object that describes which AzureRM roles granted the ability to perform each abuse.
-* ``Remove-AbuseTestAzureRMRoles`` is a clean-up function for removing AzureRM admin roles created during testing.
-* ``Remove-AbuseTestServicePrincipals`` cleans up abuse tests by removing the serivce principals that were created during testing.
+* ``Invoke-AllEntraAbuseTests`` performs all abuse validation tests that can be executed by principals granted Entra admin roles. Returns an object describing which privileges were successful at performing each abuse test.
+* ``New-EntraIDAbuseTestSPs`` creates a new service principal per active Entra admin role and grants each service principal the appropriate role. Returns plain text credentials created for each service prinicpal.
+* ``New-EntraIDAbuseTestUsers`` creates a new user per active Entra admin role and grants each user the appropriate role. Returns plain text credentials created for each user.
+* ``New-IntuneAbuseTestUsers`` creates a new user per Intune role and grants each user the appropriate role. Returns plain text credentials created for each user.
+* ``New-MSGraphAppRoleTestSPs`` creates a new service principal per MS Graph app role and grants each service principal the appropriate role. Returns plain text credentials created for each service prinicpal.
 * ``New-TestAppReg`` creates an application registration object for the explicit purpose of abuse validation testing.
 * ``New-TestSP`` creates a new service principal and associates it with the app created by the above function.
-* ``Test-MGAddSelfAsOwnerOfApp`` is used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself ownership of an existing AzureAD app.
-* ``Test-MGAddSelfAsOwnerOfSP`` is used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself ownership of an existing AzureAD service principal.
-* ``Test-MGAddSelfToAADRole`` is used in abuse validation testing to determine whether a service principal with a particular privilege can add itself to an AzureAD admin role - Global Admin, for example.
-* ``Test-MGAddSelfToMGAppRole``is used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself a particular MS Graph app role without admin consent.
-* ``Test-MGAddOwnerToRoleEligibleGroup`` is used to test whether a service principal can grant itself explicit ownership of a role assignable group.
-* ``Test-MGAddMemberToRoleEligibleGroup`` is used to test whether the service principal can add itself to a role assignable group.
-* ``Test-MGAddSecretToSP`` is used to test whether the service principal can add a new secret to an existing service principal.
+* ``Remove-AbuseTestAzureRMRoles`` is a clean-up function for removing AzureRM admin roles created during testing.
+* ``Remove-AbuseTestServicePrincipals`` cleans up abuse tests by removing the serivce principals that were created during testing.
+* ``Test-AzureRMAddSelfToAzureRMRole`` used in abuse validation testing to determine whether a service principal with certain rights can grant itself the User Access Admin role over a subscription.
+* ``Test-AzureRMCreateFunction`` used in abuse validation testing to test if a service principal can add a new function to an existing function app.
+* ``Test-AzureRMPublishAutomationAccountRunBook`` is used to test whether a service principal can publish a new runbook to an existing automation account.
+* ``Test-AzureRMVMRunCommand`` is used to test whether a principal can run a command on an existing VM.
+* ``Test-MGAddMemberToNonRoleEligibleGroup`` is used to test whether the service principal can add itself to a non-role eligible group.
+* ``Test-MGAddMemberToRoleEligibleGroup`` is used to test whether the service principal can add itself to a role eligible group.
+* ``Test-MGAddOwnerToNonRoleEligibleGroup`` is used to test whether a service principal can grant itself explicit ownership of a non-role eligible group.
+* ``Test-MGAddOwnerToRoleEligibleGroup`` is used to test whether a service principal can grant itself explicit ownership of a role eligiblee group.
+* ``Test-MGAddRootCACert`` is used to test whether a service principal can add a new Root CA cert to the tenant.
 * ``Test-MGAddSecretToApp`` is used to test whether the service principal can add a new secret to an existing app.
-* ``Invoke-AllAzureMGAbuseTests`` performs all abuse validation tests that can be executed by holding an MS Graph app role. Returns an object describing which privileges were successful at performing each abuse test.
-* ``Invoke-AllAzureADAbuseTests`` performs all abuse validation tests that can be executed by principals granted AzureAD admin roles. Returns an object describing which privileges were successful at performing each abuse test.
-* ``ConvertTo-Markdown`` is used for massaging output from the Invoke-Tests functions for usage in another platform.
+* ``Test-MGAddSecretToSP`` is used to test whether the service principal can add a new secret to an existing service principal.
+* ``Test-MGAddSelfAsOwnerOfApp`` is used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself ownership of an existing Entra app.
+* ``Test-MGAddSelfAsOwnerOfSP`` is used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself ownership of an existing Entra service principal.
+* ``Test-MGAddSelfToEntraRole`` is used in abuse validation testing to determine whether a service principal with a particular privilege can add itself to an Entra admin role - Global Admin, for example.
+* ``Test-MGAddSelfToMGAppRole``is used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself a particular MS Graph app role without admin consent.
\ No newline at end of file
From f5b44d6d988cefd838f56c12596a2e319f4713e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20B=C3=BClow=20Knudsen?=
Date: Tue, 1 Oct 2024 14:45:14 +0200
Subject: [PATCH 2/2] update readme
---
 README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index a784628..d3c006d 100644
--- a/README.md
+++ b/README.md
@@ -13,10 +13,10 @@ Primary author: Andy Robbins [@_wald0](https://twitter.com/@_wald0)
 Contributors:
-Jonas Bülow Knudsen [@Jonas_B_K](https://twitter.com/Jonas_B_K)
-Fabian Bader [@fabian_bader](https://twitter.com/fabian_bader)
-CravateRouge [@CravateRouge](@https://github.com/CravateRouge)
-g60ocR [@g60ocR](https://github.com/g60ocR)
+- Jonas Bülow Knudsen [@Jonas_B_K](https://twitter.com/Jonas_B_K)
+- Fabian Bader [@fabian_bader](https://twitter.com/fabian_bader)
+- CravateRouge [@CravateRouge](https://github.com/CravateRouge)
+- g60ocR [@g60ocR](https://github.com/g60ocR)
 Getting Started
 ---------------