Beginner Friendly | Red Team | Azure

Abuse Dynamic Groups in Entra ID for Privilege Escalation

Administrative units in Azure are a commonly used feature, but compromising a member could allow us to increase our privileges!

Overview

The lab introduces a fun scenario where our red team needs to access the secret algorithm of Mega Big Tech's social media app. Along the way you will learn how to abuse dynamic security group membership, and much more!

Scenario

Mega Big Tech want security to be their number one business priority, but acknowledge that they still have a way to go. Your red team is tasked with the objective of accessing the secret internal algorithm for their social app, and to help them improve their security along the way! We have identified a public GitHub repository that belongs to the company. Can you use this to your advantage?

Lab prerequisites

  • Familiarity with PowerShell and the Windows CLI
  • Basic understanding of Azure

Learning outcomes

  • Identify and use an Azure SAS token in a Git repository
  • Blob Storage enumeration and exfiltration
  • Entra ID and administrative unit enumeration
  • Leverage User Administrator permissions to abuse dynamic groups
  • Identify and use GitHub deploy keys

Real-world context

Administrative units are a commonly used Azure feature that enables scoped administration. We can think of them as a bit like organizational units in on-premises Active Directory environments, which can have group policies applied to them. Compromising a user who is able to update user profile values such as job title can allow us to increase our privileges by abusing security groups that have dynamic membership rules configured.
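
A defender-side check for the condition described above, added here as an example and not part of the lab material: it scans exported group objects for dynamic membership rules that depend on editable profile attributes. The group fields follow Microsoft Graph group property names; the `MUTABLE_ATTRS` set and the sample groups are constructed assumptions.

```python
import re

# Assumption: profile attributes a delegated user-management role can edit.
# jobTitle is the one named in the text; the others are illustrative, tune per tenant.
MUTABLE_ATTRS = {"jobtitle", "department", "companyname", "city", "country",
                 "displayname", "physicaldeliveryofficename"}

# Matches property references such as user.jobTitle inside a membership rule.
ATTR_RE = re.compile(r"\buser\.([A-Za-z0-9_]+)", re.IGNORECASE)

def audit_dynamic_groups(groups):
    """Return dynamic groups whose rule depends on editable profile attributes."""
    findings = []
    for g in groups:
        if "DynamicMembership" not in g.get("groupTypes", []):
            continue  # assigned-membership groups are out of scope
        rule = g.get("membershipRule") or ""
        referenced = {m.lower() for m in ATTR_RE.findall(rule)}
        risky = sorted(referenced & MUTABLE_ATTRS)
        if not risky:
            continue
        findings.append({
            "group": g["displayName"],
            "attributes": risky,
            # True when membership hinges on editable attributes alone
            "only_mutable": referenced <= MUTABLE_ATTRS,
            "active": g.get("membershipRuleProcessingState") == "On",
            "security_enabled": bool(g.get("securityEnabled")),
        })
    # Active rules that rely only on editable attributes are listed first.
    findings.sort(key=lambda f: (not f["active"], not f["only_mutable"], f["group"]))
    return findings

# Constructed sample data, shaped like a Microsoft Graph group export.
SAMPLE_GROUPS = [
    {"displayName": "EU-Sales", "groupTypes": ["DynamicMembership"], "securityEnabled": True,
     "membershipRuleProcessingState": "Paused",
     "membershipRule": '(user.department -eq "Sales") -and (user.accountEnabled -eq true)'},
    {"displayName": "Guests", "groupTypes": ["DynamicMembership"], "securityEnabled": True,
     "membershipRuleProcessingState": "On", "membershipRule": '(user.userType -eq "Guest")'},
    {"displayName": "Finance-Static", "groupTypes": [], "securityEnabled": True},
    {"displayName": "App-Developers", "groupTypes": ["DynamicMembership"], "securityEnabled": True,
     "membershipRuleProcessingState": "On", "membershipRule": '(user.jobTitle -eq "Developer")'},
]

if __name__ == "__main__":
    for finding in audit_dynamic_groups(SAMPLE_GROUPS):
        print(finding)
```

Groups this flags are candidates for assigned membership, or for rules keyed on attributes that only tightly controlled processes can write.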
