OAuth is a protocol to delegate access and grant third-party websites or applications access to users' data and the ability to perform operations on their behalf. With OAuth, users don't have to reveal their credentials to the third-party service, as access is granted through the Identity Provider (IdP) (Azure AD in the Azure case).
OAuth applications can be leveraged by threat actors:
- In illicit consent grant phishing attacks. A victim authorizes a malicious third-party OAuth application to access their account data. However, Microsoft implemented security measures in November 2020 to limit this kind of attack: an administrator's approval is now required for sensitive permission requests made by unverified applications created outside the tenant.
- To maintain persistence in the tenant.
- As an automation tool, to automate operations such as virtual machine creation for cryptomining activity.
Microsoft Graph supports two access types: delegated permissions and application permissions. With delegated permissions, the application calls Microsoft Graph on behalf of a signed-in user. With application permissions, the application calls Microsoft Graph with its own identity, without a signed-in user.
The delegated and application permissions available are referenced in the Microsoft documentation.
Microsoft-Extractor-Suite's `Get-OAuthPermissions` PowerShell cmdlet can be used to enumerate delegated permissions (`OAuth2PermissionGrants`) and application permissions (`AppRoleAssignments`) for all accounts:

```powershell
Get-OAuthPermissions
```
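Once the grants are enumerated, the reviewer still has to decide which ones matter. The following added example (not part of the original page and not Microsoft-Extractor-Suite code) triages records shaped like the two Microsoft Graph object types named above: `oauth2PermissionGrant` for delegated permissions (fields `clientId`, `consentType`, `principalId`, `scope`) and `appRoleAssignment` for application permissions (fields `principalId`, `resourceId`, `appRoleId`). It flags tenant-wide consent, high-risk permissions and application permissions whose `appRoleId` cannot be resolved. The sample records, the placeholder IDs, the `appRoleId` name mapping and the `HIGH_RISK_SCOPES` list are all constructed for this example; in a live tenant the mapping would come from the resource service principal's `appRoles` collection.

```python
"""Triage of Microsoft Graph OAuth consent records (added example).

All IDs and records below are constructed placeholders, not real tenant data.
"""
from dataclasses import dataclass

# Permissions a reviewer would normally look at first. This list is an
# assumption for the example, not an official classification.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "Application.ReadWrite.All",
    "offline_access",
}

# appRoleId -> permission name. Constructed placeholder GUIDs; a real tenant
# resolves these against the resource service principal's appRoles.
APP_ROLE_NAMES = {
    "00000000-0000-0000-0000-000000000001": "Mail.Read",
    "00000000-0000-0000-0000-000000000002": "Directory.ReadWrite.All",
    "00000000-0000-0000-0000-000000000003": "User.Read.All",
}


@dataclass
class Finding:
    kind: str        # "delegated" or "application"
    client: str      # service principal holding the permission
    permission: str  # scope or resolved app role name
    subject: str     # consenting user, "all users", or the resource
    reasons: list


def triage_delegated(grants):
    """Flag oauth2PermissionGrant records (delegated permissions).

    consentType is 'AllPrincipals' for admin, tenant-wide consent and
    'Principal' for a single user's consent; 'scope' is space-separated.
    """
    findings = []
    for g in grants:
        tenant_wide = g["consentType"] == "AllPrincipals"
        subject = "all users (admin consent)" if tenant_wide else g["principalId"]
        for scope in g["scope"].split():
            reasons = []
            if scope in HIGH_RISK_SCOPES:
                reasons.append("high-risk scope")
            if tenant_wide:
                reasons.append("tenant-wide consent")
            if reasons:
                findings.append(Finding("delegated", g["clientId"], scope, subject, reasons))
    return findings


def triage_application(assignments, role_names=APP_ROLE_NAMES):
    """Flag appRoleAssignment records (application permissions).

    These run with the app's own identity and no signed-in user, so a
    high-risk role is flagged regardless of who consented; an appRoleId that
    does not resolve is flagged so it is not silently skipped.
    """
    findings = []
    for a in assignments:
        name = role_names.get(a["appRoleId"])
        reasons = []
        if name is None:
            name = f"unresolved appRoleId {a['appRoleId']}"
            reasons.append("unresolved appRoleId")
        elif name in HIGH_RISK_SCOPES:
            reasons.append("high-risk application permission (no signed-in user)")
        if reasons:
            resource = a.get("resourceDisplayName", a["resourceId"])
            findings.append(Finding("application", a["principalId"], name, resource, reasons))
    return findings


# Constructed sample records with placeholder identifiers.
SAMPLE_GRANTS = [
    {"clientId": "sp-app-a", "consentType": "Principal", "principalId": "user-1",
     "resourceId": "sp-graph", "scope": "User.Read openid profile"},
    {"clientId": "sp-app-b", "consentType": "Principal", "principalId": "user-2",
     "resourceId": "sp-graph", "scope": "Mail.Read offline_access"},
    {"clientId": "sp-app-c", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "User.Read"},
]
SAMPLE_ASSIGNMENTS = [
    {"principalId": "sp-app-d", "resourceId": "sp-graph", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "00000000-0000-0000-0000-000000000002"},
    {"principalId": "sp-app-e", "resourceId": "sp-graph", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "00000000-0000-0000-0000-000000000003"},
    {"principalId": "sp-app-f", "resourceId": "sp-graph", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "00000000-0000-0000-0000-0000000000ff"},
]

if __name__ == "__main__":
    for f in triage_delegated(SAMPLE_GRANTS) + triage_application(SAMPLE_ASSIGNMENTS):
        print(f"[{f.kind}] {f.client}: {f.permission} -> {f.subject} ({', '.join(f.reasons)})")
```

On the constructed sample this reports three delegated findings (the two high-risk scopes granted to `sp-app-b` and the tenant-wide `User.Read` grant to `sp-app-c`) and two application findings (`Directory.ReadWrite.All` on `sp-app-d` and the unresolved role on `sp-app-f`); `sp-app-a` and `sp-app-e` hold only low-privilege, single-user permissions and are not flagged.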