Article Excerpt
Collection of custom BloodHound queries / New Azure stuff / MS Graph related:
{ "name": "Return All Service Principals with MS Graph App Role Assignments", "category": "Azure", "queryList": [ { "final": true, "query": "MATCH p=(m:AZServicePrincipal)-[r:AZMGAppRoleAssignment_ReadWrite_All|AZMGApplication_
| property | value |
|---|---|
| tags | apt,attack-path,pkm-pocket-pipeline,ransomware,summarize-article |
| url | |
| original_word_count | 134 |
Long Summary
This article is a collection of custom BloodHound (Cypher) queries for Azure data collected with AzureHound, intended to surface attack paths and security risks. It is organised into general queries, attack-path queries, MS Graph related queries, and Service Principal/Managed Identity related queries.
The general queries include returning all members of the 'Global Administrator' role, all members of high privileged roles, all members of high privileged roles that are synced from OnPrem AD, all Azure users that are synced from OnPrem AD, all Azure groups that are synced from OnPrem AD, all owners of Azure applications, and all Azure subscriptions.
The attack-path queries cover finding all Azure users with a path to high-value targets, on-prem synced users with paths to high-value targets, shortest paths to high-value roles, Azure applications with paths to high-value targets, all paths to Azure VMs, shortest paths to Azure VMs from owned Azure users, all paths to Azure Key Vaults, all paths to Azure Key Vaults from owned principals, shortest paths to Azure subscriptions, and paths to resources from Azure users and service principals that hold no Azure AD directory role but do hold the Azure RBAC role "User Access Administrator" (a role that can assign further RBAC roles on the resources it covers).
The MS Graph related queries return all service principals with the MS Graph AZMGGrantAppRoles right, all service principals with MS Graph app role assignments (the AZMG*_ReadWrite_All edges), all direct controllers of the MS Graph service principal, and shortest paths to MS Graph.
The Service Principal/Managed Identity related queries include returning all Azure Service Principals, finding all VMs with a tied Managed Identity, and returning all Azure Service Principals that are Managed Identities.
The article then moves on to AADConnect related queries. These return all on-prem Users and Azure Users possibly related to AADConnect, find all Sessions of those possibly AADConnect related accounts, find all AADConnect servers (extracted from the Sync_ account names, which embed the name of the server that created them), and find the shortest paths to those AADConnect servers from owned users.
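The excerpt at the top shows the customqueries.json shape BloodHound (legacy 4.x) reads, and the AADConnect section relies on parsing the Sync_ account names to recover server names. The following is an added example for this page, not code from the LuemmelSec/Custom-BloodHound-Queries repository: it builds three entries in that file format with Cypher of my own wording and applies the Sync_ name-parsing offline to constructed sample account names. Assumptions the page does not state: the top-level "queries" list of the legacy customqueries.json layout, the AzureHound labels AZUser/AZRole and property onpremsyncenabled, the on-prem MSOL_ connector account prefix, and the Sync_<server>_<id>@<tenant> naming of the AAD Connect cloud account.

```python
"""customqueries.json entries plus the Sync_ account-name parsing that the
AADConnect server query depends on.

Added example for this page; not the repository's own code. Assumptions (not
stated on the page): legacy BloodHound 4.x customqueries.json layout, AzureHound
labels AZUser/AZRole with property onpremsyncenabled, the on-prem MSOL_ connector
account prefix, and Sync_<server>_<id>@<tenant> as the cloud sync account name.
"""
import json
import re

# Cypher written for this example (assumed schema, see module docstring).
QUERIES = [
    {
        "name": "Return all members of the Global Administrator role",
        "category": "Azure",
        "cypher": (
            "MATCH p=(n)-[:AZMemberOf|AZHasRole*1..]->(r:AZRole) "
            "WHERE toLower(r.name) STARTS WITH 'global administrator' RETURN p"
        ),
    },
    {
        "name": "Return all Global Administrators synced from on-prem AD",
        "category": "Azure",
        "cypher": (
            "MATCH p=(u:AZUser {onpremsyncenabled: true})"
            "-[:AZMemberOf|AZHasRole*1..]->(r:AZRole) "
            "WHERE toLower(r.name) STARTS WITH 'global administrator' RETURN p"
        ),
    },
    {
        "name": "Return all Users and Azure Users possibly related to AADConnect",
        "category": "Azure",
        "cypher": (
            "MATCH (n) WHERE (n:User OR n:AZUser) "
            "AND toLower(n.name) =~ '^(msol_|sync_).*' RETURN n"
        ),
    },
]


def build_customqueries():
    """Return the dict BloodHound expects in customqueries.json.

    Each entry has one query in queryList, marked final so the GUI renders it.
    """
    return {
        "queries": [
            {
                "name": q["name"],
                "category": q["category"],
                "queryList": [{"final": True, "query": q["cypher"]}],
            }
            for q in QUERIES
        ]
    }


def render_customqueries():
    """Serialise build_customqueries() as the JSON text to drop into the file."""
    return json.dumps(build_customqueries(), indent=2)


# Assumed naming convention of the AAD Connect cloud account:
# Sync_<ServerName>_<Identifier>@<tenant>.onmicrosoft.com
SYNC_ACCOUNT = re.compile(r"^Sync_(?P<server>[^_@]+)_(?P<id>[0-9A-Za-z]+)@", re.IGNORECASE)


def aadconnect_servers(account_names):
    """Map each AADConnect server name to the Sync_ accounts that point at it.

    Server names are upper-cased to match how BloodHound stores computer names.
    Accounts that do not follow the Sync_ convention (e.g. MSOL_ or ordinary
    users) are ignored.
    """
    servers = {}
    for upn in account_names:
        m = SYNC_ACCOUNT.match(upn)
        if m:
            servers.setdefault(m.group("server").upper(), []).append(upn)
    return servers


# Constructed sample account names (not real tenant data).
SAMPLE_ACCOUNTS = [
    "Sync_AADC01_5f6e7d8c9b0a@contoso.onmicrosoft.com",
    "Sync_AADC02_0a1b2c3d4e5f@contoso.onmicrosoft.com",
    "Sync_AADC01_deadbeef0001@contoso.onmicrosoft.com",  # second account on the same server (re-install)
    "MSOL_1234abcd@contoso.local",  # on-prem connector account, no server name embedded
    "jdoe@contoso.com",
]

if __name__ == "__main__":
    print(render_customqueries())
    for server, accounts in aadconnect_servers(SAMPLE_ACCOUNTS).items():
        print(server, "<-", ", ".join(accounts))
```

Two Sync_ accounts for the same server name usually mean AAD Connect was re-installed or a staging server was set up; both still lead back to the same host, which is why the mapping keeps a list per server rather than a single account.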
This article provides a comprehensive overview of the custom BloodHound queries related to Azure that can be used to identify potential attack paths and security risks. It covers general queries, attack paths, MS Graph related queries, and Service Principal/Managed Identity related queries, as well as AADConnect related queries. It is a useful resource for anyone looking to investigate Azure Service
Short Summary
LuemmelSec/Custom-BloodHound-Queries
- Comprehensive collection: A compilation of various custom BloodHound queries related to Azure.
- Identify potential attack paths: Helps in finding potential ways an attack can happen.
- Security risks: Aims to identify potential security risks in Azure.
- General queries: Includes queries related to various roles and subscription owners in Azure.
- Attack paths queries: Focuses on queries related to finding attack paths to high-value targets.
- MS Graph related queries: Queries involving MS Graph service principals and their permissions.
- Service Principal/Managed Identity queries: Queries related to Azure service principals and managed identities.
- AADConnect related queries: Specific queries related to AADConnect and its users and servers.
- Overview of custom BloodHound queries: Provides a comprehensive understanding of the queries.
- Useful resource for investigating Azure: Enables investigation of Azure services for potential security threats.
source link: https://github.com/LuemmelSec/Custom-BloodHound-Queries
summarized content: https://hut.threathunterz.com/battlefield-intel/tradecraft-tools/luemmelsec-custom-bloodhoundqueries
#AzureBloodHoundQueries #AttackPaths #MSGraphQueries #ServicePrincipalQueries #AADConnectQueries