Commit 84b8efa

dynamic groups
1 parent d25a46d commit 84b8efa

1 file changed: +38 -0 lines changed
  • src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc


src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md

Lines changed: 38 additions & 0 deletions
@@ -16,6 +16,43 @@ Note that by default any user can invite guests in Azure AD, so, If a dynamic gr
1616

1717
Get groups that allow Dynamic membership: **`az ad group list --query "[?contains(groupTypes, 'DynamicMembership')]" --output table`**
1818

19+
### Dynamic Groups Enumeration
20+
21+
Get the rules of a dynamic group:
22+
23+
With **Azure CLI**:
24+
25+
```bash
26+
az ad group list \
27+
--filter "groupTypes/any(c:c eq 'DynamicMembership')" \
28+
--query "[].{displayName:displayName, rule:membershipRule}" \
29+
-o table
30+
```
31+
32+
With **PowerShell** and **Microsoft Graph SDK**:
33+
34+
```bash
35+
Install-Module Microsoft.Graph -Scope CurrentUser -Force
36+
Import-Module Microsoft.Graph
37+
38+
Connect-MgGraph -Scopes "Group.Read.All"
39+
40+
Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
41+
-Property Id, DisplayName, GroupTypes
42+
43+
# Get the rules of a specific group
44+
$g = Get-MgGroup -Filter "displayName eq '<GROUP NAME>'" `
45+
-Property DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState
46+
47+
$g | Select-Object DisplayName, GroupTypes, MembershipRule
48+
49+
# Get the rules of all dynamic groups
50+
Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
51+
-Property DisplayName, MembershipRule |
52+
Select-Object DisplayName, MembershipRule
53+
```
54+
55+
1956
### Example
2057

2158
- **Rule example**: `(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")`
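Review bot: the second fenced block (+34 to +53) is tagged ```bash but contains PowerShell (`Install-Module`, `Connect-MgGraph`, `Get-MgGroup`, backtick line continuations), so the fence should be ```powershell; with the bash tag the backtick continuations render as inline code instead of line breaks. Two smaller points in the same hunk: the new `### Dynamic Groups Enumeration` heading (+19) lands right after the existing one-liner at line 17 (`az ad group list --query "[?contains(groupTypes, 'DynamicMembership')]" --output table`), which also enumerates dynamic groups, so that line should either move under the new heading or be dropped in favour of the new `az ad group list --filter ... --query "[].{displayName:displayName, rule:membershipRule}"` command at +26 to +29, which already returns the membership rule alongside the name; and `Import-Module Microsoft.Graph` (+36) loads every Graph sub-module, while `Import-Module Microsoft.Graph.Groups` is enough for `Get-MgGroup` and is considerably faster.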
@@ -43,6 +80,7 @@ az rest --method GET \
4380
--query "otherMails"
4481
```
4582
83+
4684
## References
4785
4886
- [https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/](https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/)