Dynamic Group Memberships exploitation

As a user, we can invite accounts that meet the criteria for the dynamic group, then when the guest account is ready to go, the user gains applied roles and is a member of the exploited dynamic group.

Steps

1) Check for Dynamic Groups

Identify any dynamic groups and select one.

2) Verify Dynamic Membership Rules

Click on the dynamic group and select "Dynamic membership rules."

Ensure that it's possible to invite a user that complies with the rule.

3) Invite a New Guest User

Go to "Users" and select "New Guest User."

Follow the prompts to invite the guest user.

Open the user's profile and click on "(manage)" under invitation accepted.

Select "YES" to resend the invite and copy the URL.

Open the URL in a private browser, log in, and accept the permissions.

4) Connect to the Tenant with AzureAD

Connect-AzureAD

5) Set Secondary Email for the User

Get the ObjectID of the user from the portal where the guest invitation was made.

Import-Module .\AzureADPreview.psd1

Get-AzureADMSGroup | Where-Object { $_.GroupTypes -match 'DynamicMembership' } | Format-List *
Set-AzureADUser -ObjectId <USER OBJECT ID> -OtherMails <SECONDARY EMAIL> -Verbose

6) Check if the User is Added to the Dynamic Group

It might take some time for the user to be added to the dynamic group.

Get-AzureADGroupMember -ObjectId <DYNAMIC GROUP OBJECT ID>

PreviousDumping Azure storage keys NextExecuting VM extensions

Last updated 4 months ago

hashtagAs a user, we can invite accounts that meet the criteria for the dynamic group, then when the guest account is ready to go, the user gains applied roles and is a member of the exploited dynamic group.

hashtagSteps

hashtag1) Check for Dynamic Groups

hashtag2) Verify Dynamic Membership Rules

hashtag3) Invite a New Guest User

hashtag4) Connect to the Tenant with AzureAD

hashtag5) Set Secondary Email for the User

hashtag6) Check if the User is Added to the Dynamic Group