Clément Notin Profile picture
😈 Security research (#ActiveDirectory #EntraID) & pentest 🎉 #CTF @tipi_hack 👨‍💼 Works @TenableSecurity, opinions my own 🪂 https://t.co/4HRwJQ6PUm

Jan 26, 13 tweets

What I think happened in the Midnight Blizzard breach of Microsoft: how could they pivot from the test tenant to the production tenant using a OAuth application? 🤔⤵️
microsoft.com/en-us/security…

"Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment."
👀 Assuming we got access to this test tenant and we found this application (aka "app registration")

💪 It looks powerful given the "Directory.ReadWrite.All" MS Graph API permission it requests. But this permission isn't consented on this tenant so we can't do much. But perhaps we can get lucky 😉

We have compromised the app ("compromise a legacy test OAuth application")
For example by having the "Application Administrator" Entra built-in role in this test tenant.
🔑 Meaning we can add credentials to the app learn.microsoft.com/en-us/entra/id…

That allows to authenticate as the application's identity, via its Service Principal to be precise. But it doesn't have any permission consented in this tenant... So as expected we can't do something like creating a group for example 😔

But the report says that the test app "had elevated access to the Microsoft corporate environment". So let's reproduce this (before the attack of course) by switching to the prod tenant as a legit admin and consenting to the requested permission
<client_id> login.microsoftonline.com/common/adminco…

This creates the related Service Principal (aka "enterprise application") in the prod tenant. Notice how it has the same "Application ID" as the app in the test tenant.
And the dangerous API permission just consented is here 💣
The dangerous cocktail for the rest of the attack...

We can auth. with the same app ID and credentials, but this time targeting the prod tenant 🤞
It works and we see that we have the permission that was consented long before by a legitimate admin.
And for sure with this, we can do anything like creating a group, or much worse! 💥

Now the report continues: "The actor created additional malicious OAuth applications"
Ok so to do this, the test app would need to have been granted the "Application.ReadWrite.All" MS Graph API permission in the prod tenant. And even worse... 😨

Report also says that "The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes." 📬

Which could also mean that, like @_wald0 said , the test app certainly had the "AppRoleAssignment.ReadWrite.All" MS Graph API permission in the prod tenant too!
The SP in the prod tenant could have looked like this:

These allow to create a new app registration, and corresponding SP, in prod test and add credentials to the app

And finally also allowing to add and consent to the "full_access_as_app" application permission of the "Office 365 Exchange Online" API 💪
And the new SP looks like this with its new Exchange permissions allowing to read everyone's emails 🙈 (left as an exercise to you 😛)

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling