Microsoft Breach — How Can I See This In BloodHound?

Summary

On January 25, 2024, Microsoft announced that Russia’s foreign intelligence service, the Sluzhba vneshney razvedki Rossiyskoy Federatsii (SVR), had breached its corporate Entra ID environment. We reviewed the information Microsoft’s team provided in their post, which contained enough detail to explain what likely led to the compromise of their environment. In this post, we’ll show you how to find out where similar Attack Paths may exist within your own Entra ID environments.

What Happened and What is the Attack Path?

I highly recommend reading Andy Robbins’ blog, “Microsoft Breach — What Happened (and What Should Azure Admins Do)?”, or watching our recent video describing the breach, to understand the full scope of what we know based on Microsoft’s transparency report.

I’ll provide an extremely abbreviated version below.

Based on the breach details Microsoft provided, a critical part of SVR’s Attack Path involved abusing a foreign app registration (an application registered in a different tenant, whose service principal lives in the victim tenant) that held elevated privileges in Microsoft’s corporate Entra ID tenant. Microsoft states, “The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.” This roughly looks like the following (Figure 1):

Figure 1: Illustration of the high-level Attack Path executed by SVR from Andy’s linked blog

Based on what Microsoft has shared, we learned several things:

  • To grant a principal the Exchange Online full_access_as_app role without going through the human consent process (which may indicate a compromise in an Entra ID environment), and assuming the granting principal is not already highly privileged (for example, a Global Administrator), a service principal must hold the AppRoleAssignment.ReadWrite.All MS Graph app role
  • If a principal holds the[…]
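As an added example that is not part of the original post, the BloodHound Cypher queries below surface the first requirement above in your own graph: which service principals hold the AppRoleAssignment.ReadWrite.All MS Graph app role, which of them are backed by an app registration in your tenant (and which are not, a sign the app is registered in a foreign tenant, as in the breach), and the resulting paths to the tenant. The edge and node names (AZServicePrincipal, AZApp, AZTenant, AZRunsAs, AZMGAppRoleAssignment_ReadWrite_All, AZMGGrantAppRoles) are those used by BloodHound CE / Enterprise with AzureHound-collected data at the time of writing and are an assumption about your version; check them against your instance’s edge reference before relying on the results.

```cypher
// 1. Every service principal that holds AppRoleAssignment.ReadWrite.All.
//    AzureHound models this MS Graph app role as an edge from the holder
//    to the Microsoft Graph service principal, so the target is left untyped.
MATCH p = (sp:AZServicePrincipal)-[:AZMGAppRoleAssignment_ReadWrite_All]->()
RETURN p

// 2. Holders that are NOT backed by an app registration collected in this tenant.
//    AZRunsAs runs from an AZApp (app registration) to the service principal
//    it runs as; a holder with no inbound AZRunsAs is either a first-party
//    Microsoft service principal or an app registered in a foreign tenant.
//    appownerorganizationid is assumed to be populated by your AzureHound version.
MATCH (sp:AZServicePrincipal)-[:AZMGAppRoleAssignment_ReadWrite_All]->()
WHERE NOT (:AZApp)-[:AZRunsAs]->(sp)
RETURN sp.name AS servicePrincipal,
       sp.objectid AS objectId,
       sp.appownerorganizationid AS ownerTenant

// 3. Full Attack Paths from any app registration, through the service principal
//    it runs as, through the Microsoft Graph service principal, to the tenant.
//    Any principal that reaches the tenant this way can grant itself or others
//    arbitrary app roles, including full_access_as_app, without a consent prompt.
MATCH p = (app:AZApp)-[:AZRunsAs]->(sp:AZServicePrincipal)
          -[:AZMGAppRoleAssignment_ReadWrite_All]->(:AZServicePrincipal)
          -[:AZMGGrantAppRoles]->(t:AZTenant)
RETURN p
```

The BloodHound query window executes one statement at a time, so paste each MATCH separately. Any result from query 2 deserves a manual look: confirm whether the owner tenant is one you control, and if the principal is a legacy or test application that nobody can vouch for, remove the app role assignment rather than waiting for it to be used.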

    This article has been indexed from Security Boulevard