The One Token to Rule Them All: How a Single Azure AD Artifact Can Lead to Global Admin Compromise



Introduction:

A recent vulnerability demonstration by security researcher Dirk-jan Mollema has sent shockwaves through the cloud security community. The exploit, dubbed “One Token to Rule Them All,” reveals a critical path for attackers to escalate privileges from a standard user to a Global Administrator within Azure Active Directory (Azure AD). This article deconstructs the technical mechanics of this attack, providing cybersecurity professionals with the knowledge to detect, mitigate, and prevent such compromises in their own environments.

Learning Objectives:

  • Understand the vulnerability chain involving Azure AD Enterprise Applications, MS Graph, and the MSOL service.
  • Learn to identify indicators of compromise (IoCs) associated with this specific privilege escalation technique.
  • Implement defensive measures and hardening strategies to protect Azure AD tenants from similar attacks.

You Should Know:

1. The Initial Foothold: Compromising an Azure AD User Account

The attack chain begins with a single compromised user account, typically obtained through phishing, password spraying, or other credential-harvesting techniques. Once an attacker holds a standard user's credentials, they can authenticate and obtain an initial access token.

`# Example: using curl with a compromised user's access token to query MS Graph`
`curl -H "Authorization: Bearer <ACCESS_TOKEN>" "https://graph.microsoft.com/v1.0/me"`

This command uses the compromised user's access token to query the Microsoft Graph API for the authenticated user's profile. It is a basic reconnaissance step that confirms the token is valid and shows the user's context.

2. Enumerating Enterprise Applications for a Golden Opportunity

The core of the exploit involves abusing the permissions already granted to existing Enterprise Applications (service principals) in the tenant. An attacker enumerates these apps to find one holding high-level privileges that can be misused.

`# Using the AzureAD PowerShell module (requires initial auth)`
`Get-AzureADServicePrincipal -All $true | Where-Object { $_.Tags -contains "WindowsAzureActiveDirectoryIntegratedApp" }`

This PowerShell command fetches all service principals and filters for integrated apps. An attacker would analyze this list for applications holding high-privileged permissions such as `Directory.ReadWrite.All` or `RoleManagement.ReadWrite.Directory`.

3. The Golden Token: Forging a SAML Assertion for Privilege Escalation

The critical breakthrough exploits the trust relationship between Azure AD and the legacy MSOnline (MSOL) service. By forging a SAML assertion signed with the certificate of a high-privileged Enterprise Application, an attacker can request a token for the legacy service that carries the application's elevated permissions.

`# Conceptual step: using a tool such as ROADtools to forge a SAML token`
`python roadrecon auth --saml-cert <CERT_FILE> --saml-app-id <APP_ID> --saml-upn [email protected]`

This conceptual command illustrates generating a SAML assertion with a tool. The attacker uses the private key of the compromised Enterprise Application (obtained by other means) to sign a token impersonating a Global Administrator, then presents the forged token to the legacy endpoint.

4. Leveraging the Legacy Endpoint: Trading a SAML Token for a Bearer Token

Azure AD's legacy authentication endpoints, maintained for backward compatibility, do not validate the scope of a SAML token the way modern OAuth flows do. This allows the forged token to be exchanged for a valid OAuth bearer token for the MSOL service.

`# Using curl to exchange the forged SAML token for an MSOL token`
`curl -X POST "https://login.microsoftonline.com/<TENANT_ID>/oauth2/token" -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=<CLIENT_ID>&grant_type=urn:ietf:params:oauth:grant-type:saml1&assertion=<BASE64_SAML_ASSERTION>"`

This POST request sends the forged SAML token to the legacy OAuth endpoint. The endpoint, trusting the Enterprise Application's signature, returns a valid access token for the MSOL service, scoped with the application's high privileges.

5. Achieving Global Admin: Assigning the Role via MS Graph

With the newly acquired MSOL token holding `Directory.ReadWrite.All`, the attacker can modify the directory itself. The final step is to assign the Global Administrator role to the initially compromised user account.

`# Using the MS Graph API to assign a directory role`
`curl -X POST "https://graph.microsoft.com/v1.0/directoryRoles/<ROLE_ID>/members/$ref" -H "Authorization: Bearer <ACCESS_TOKEN>" -H "Content-Type: application/json" -d '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryUsers/<USER_ID>"}'`

This Graph API call adds the compromised user object to the role's member list; `<ROLE_ID>` is the object id of the Global Administrator directory role. The attacker can now sign in as the original user, who holds full control of the tenant.

6. Defensive Measure 1: Auditing Enterprise Application Permissions

Proactive defense is critical. Regularly audit all Enterprise Applications and the permissions granted to them, remove any unnecessary high-level privileges, and enforce the principle of least privilege.

`# PowerShell: list app-role assignments held by service principals`
`Get-AzureADServicePrincipal -All $true | ForEach-Object { Get-AzureADServiceAppRoleAssignedTo -ObjectId $_.ObjectId -All $true } | Where-Object { $_.PrincipalType -eq "ServicePrincipal" } | Format-Table PrincipalDisplayName, ResourceDisplayName, Id`

This command lists every app-role assignment whose principal is a service principal (an application). Look for apps holding `Directory.ReadWrite.All` or other powerful `AppRole` assignments and validate whether each is absolutely necessary. Two caveats: the `Id` shown is the assignment id, not the permission name, so resolve each assignment's AppRoleId against the resource service principal's `AppRoles` to see which permission it grants; and the AzureAD module is deprecated, so new tooling should use the Microsoft Graph PowerShell SDK.
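The audit this section describes, as an added Python example (not code from the original article or from the research it covers): it resolves each service principal's app-role assignments to the permission names they grant, using the JSON shapes Microsoft Graph returns for `/servicePrincipals/{id}/appRoleAssignments` and for a resource's `appRoles`. The sample data and its ids are constructed, and the high-privilege set is an assumed triage list.

```python
"""Audit service principals for high-privilege Microsoft Graph app-role grants.

Added example, not from the original article. Input follows the JSON shapes Graph
returns for /servicePrincipals/{id}/appRoleAssignments and for a resource service
principal's `appRoles`. Sample data and GUID-like ids below are constructed.
"""
from typing import Dict, List

# Application permissions that amount to tenant-admin (assumed triage set; extend it).
HIGH_PRIVILEGE = {"Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                  "AppRoleAssignment.ReadWrite.All", "Application.ReadWrite.All"}


def resolve_grants(assignments: List[dict], resources: Dict[str, dict]) -> List[dict]:
    """Map each assignment's appRoleId to the permission it grants. `resources` is keyed
    by the resource SP's object id (the assignment's `resourceId`) and holds that SP's
    `appRoles`, so ids are resolved against the resource's own catalogue, not a table."""
    findings = []
    for a in assignments:
        roles = resources.get(a["resourceId"], {}).get("appRoles", [])
        value = next((r["value"] for r in roles if r["id"] == a["appRoleId"]), None)
        findings.append({
            "principal": a["principalDisplayName"],
            "resource": a["resourceDisplayName"],
            "permission": value or f"<unresolved appRoleId {a['appRoleId']}>",
            "high_privilege": value in HIGH_PRIVILEGE,
        })
    return findings


def flag_high_privilege(assignments: List[dict], resources: Dict[str, dict]) -> List[dict]:
    """Return only the grants a reviewer must justify or remove."""
    return [f for f in resolve_grants(assignments, resources) if f["high_privilege"]]


# Constructed sample: one integration app holding two grants on the Graph resource.
SAMPLE_RESOURCES = {"sp-graph-0001": {"appRoles": [
    {"id": "role-0001", "value": "Directory.ReadWrite.All"},
    {"id": "role-0002", "value": "User.Read.All"},
]}}
SAMPLE_ASSIGNMENTS = [
    {"principalDisplayName": "HR Sync", "resourceDisplayName": "Microsoft Graph",
     "resourceId": "sp-graph-0001", "appRoleId": "role-0001"},
    {"principalDisplayName": "HR Sync", "resourceDisplayName": "Microsoft Graph",
     "resourceId": "sp-graph-0001", "appRoleId": "role-0002"},
]

if __name__ == "__main__":
    for f in flag_high_privilege(SAMPLE_ASSIGNMENTS, SAMPLE_RESOURCES):
        print(f"{f['principal']} -> {f['resource']}: {f['permission']}")
```

On a live tenant, feed the script the `value` array from the two Graph calls named in the docstring, one resource lookup per distinct `resourceId`.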

7. Defensive Measure 2: Monitoring for Suspicious MSOL Activity

Enable and monitor audit logs for unusual activity, particularly authentication events involving the legacy MSOL service client ID (`d3590ed6-52b3-4102-aeff-aad2292ab01c`) and token requests using the `saml1` grant type, which is rare in modern environments.

`# KQL query for Azure Sentinel/Microsoft Defender for Cloud Apps (conceptual)`

```kql
CloudAppEvents
| where ApplicationId == "d3590ed6-52b3-4102-aeff-aad2292ab01c"
| where RawEventData.Protocol == "OAuth2: SAML 1.0 Bearer"
```

This Kusto Query Language (KQL) snippet hunts for log events that involve the MSOL client ID and the SAML 1.0 Bearer grant type. Any such event should be investigated immediately.
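The same hunt applied offline to exported events, as an added Python example (not code from the original article): it evaluates the two KQL conditions over records shaped like `CloudAppEvents` rows, but matches either condition on its own so a SAML 1.0 bearer exchange through another client id is not missed, and tallies hits per account. The field names follow the article's query and every sample event is constructed.

```python
"""Hunt over exported events for the legacy-token indicators the article's KQL targets.

Added example, not from the original article. Records are shaped like the CloudAppEvents
rows the KQL queries (ApplicationId, RawEventData.Protocol); the field names follow the
article's query and every sample event below is constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List

MSOL_CLIENT_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"  # client id cited by the article
SAML1_PROTOCOL = "OAuth2: SAML 1.0 Bearer"                # grant the article calls rare


def is_suspicious(event: dict) -> bool:
    """Match either hunt condition on its own. The article's KQL ANDs them; OR-ing
    them also catches a SAML 1.0 bearer exchange made through some other client id."""
    raw = event.get("RawEventData") or {}   # RawEventData may be null in exported rows
    return event.get("ApplicationId") == MSOL_CLIENT_ID or raw.get("Protocol") == SAML1_PROTOCOL


def hunt(events: Iterable[dict]) -> List[dict]:
    """Return the events worth an analyst's attention, in input order."""
    return [e for e in events if is_suspicious(e)]


def hits_by_account(events: Iterable[dict]) -> Dict[str, int]:
    """Count hits per account; a single saml1 exchange is enough to open a case."""
    return dict(Counter(e.get("AccountDisplayName", "<unknown>") for e in hunt(events)))


SAMPLE_EVENTS = [  # constructed; timestamps, accounts and the non-MSOL ids are made up
    {"Timestamp": "2025-09-18T10:02:11Z", "AccountDisplayName": "j.doe",
     "ApplicationId": MSOL_CLIENT_ID, "RawEventData": {"Protocol": SAML1_PROTOCOL}},
    {"Timestamp": "2025-09-18T10:02:40Z", "AccountDisplayName": "j.doe",
     "ApplicationId": "11111111-1111-1111-1111-111111111111",
     "RawEventData": {"Protocol": "OAuth2: Authorization Code"}},
    {"Timestamp": "2025-09-18T10:05:00Z", "AccountDisplayName": "svc-backup",
     "ApplicationId": "22222222-2222-2222-2222-222222222222",
     "RawEventData": {"Protocol": SAML1_PROTOCOL}},
    {"Timestamp": "2025-09-18T10:06:00Z", "AccountDisplayName": "a.smith",
     "ApplicationId": "22222222-2222-2222-2222-222222222222", "RawEventData": None},
]

if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(e["Timestamp"], e["AccountDisplayName"], e["ApplicationId"])
    print(hits_by_account(SAMPLE_EVENTS))
```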

What Undercode Say:

  • The exploitation of legacy protocols and backward compatibility features remains a primary attack vector in modern cloud environments. Complexity is the enemy of security.
  • Identity is the new perimeter. A compromise of a single low-privileged identity can no longer be treated as an isolated incident, as it can be the key that unlocks the entire kingdom.

This exploit is a stark reminder that cloud infrastructure, while powerful, introduces complex attack surfaces that many organizations are still learning to secure. The attack doesn’t rely on a traditional “bug” but rather on a flaw in the logic of trust relationships between modern and legacy components within Azure AD. It highlights the critical need for continuous monitoring, strict adherence to the principle of least privilege, and a deep understanding of the identity protocols in use within your environment. Defenders must assume breach and focus on detecting anomalous identity actions rather than solely preventing initial access.

Prediction:

This research will have an immediate and profound impact on cloud security practices. In the short term, we anticipate Microsoft will move to further deprecate or harden the legacy authentication endpoints involved, potentially breaking true legacy applications. For defenders, this will catalyze an industry-wide push for more rigorous auditing of Enterprise Application permissions and a greater focus on monitoring legacy protocol authentication. Offensively, this technique will be rapidly integrated into penetration testing frameworks and attacker playbooks, leading to a measurable increase in Azure AD privilege escalation attacks in the wild. In the long term, it reinforces the shift towards phishing-resistant authentication methods and Zero Trust architectures that explicitly minimize trust in any single token or session.

Reported By: Dirkjanm One – Hackers Feeds