From dba4a59778913bea44c456de5b0ff6b6eef0a6b4 Mon Sep 17 00:00:00 2001 From: CPol Date: Wed, 6 Mar 2024 12:13:13 +0000 Subject: [PATCH] GITBOOK-595: change request with no subject merged in GitBook --- .../az-illicit-consent-grant.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-illicit-consent-grant.md b/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-illicit-consent-grant.md index 780598c07f..2bb3276d37 100644 --- a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-illicit-consent-grant.md +++ b/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-illicit-consent-grant.md @@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -26,6 +26,14 @@ Only permissions that **doesn't require admin consent** are classified as **low Therefore, an attacker could prepare a **malicious App** and with a **phishing**, make the user **accept the App and steal his data**. +### 2 Types of Illicit Consent Grant Attacks + +* **Unauthenticated**: From an external account create an application with the permissions `User.Read` and `User.ReadBasic.All` for example, phish a user, and you will be able to access directory information. + * This requieres the phised user to be able to accept OAuth apps from external environments! +* **Authenticated**: Having compromised a principal with enough privileges, create an application inside the account and phish some privileged user which can accept privileged OAuth permissions. + * In this case you can already access the info of the directory, so the permission `User.ReadBasic.All` isn't no longer interesting. + * You are probable interested in **permissions that require and admin to grant them**, because raw user cannot give OAuth apps any permission, thats why you need to **phish only those users** (more on which roles/permissions grant this privilege later) + ### Check if users allowed to consent The following PowerShell command is used to check the consent configuration for users in Azure Active Directory (Azure AD) regarding their ability to consent to applications: 
@@ -39,7 +47,6 @@ PS AzureADPreview> (GetAzureADMSAuthorizationPolicy).PermissionGrantPolicyIdsAss * **Users can consent to all apps**: This setting is more permissive and allows all users to consent to any permissions for applications, as long as those permissions do not require administrative consent. * **Custom app consent policy**: This setting indicates that a custom policy is in place, which can be tailored to specific organizational requirements and may involve a combination of restrictions based on the app publisher, the permissions the app requests, and other factors. - ## **Understanding Illicit Consent Grant Attack** In an illicit consent grant attack, attackers trick end users into granting permissions to a malicious application registered with Azure. This is done by making the application appear legitimate, leading victims to unknowingly click an "Accept" button. As a result, Azure AD issues a token to the attacker's site, allowing them to access and manipulate the victim's data, such as reading or sending emails and accessing files, without needing an organizational account. 
@@ -49,11 +56,8 @@ In an illicit consent grant attack, attackers trick end users into granting perm The attack involves several steps targeting a generic company. Here's how it might unfold: 1. **Domain Registration and Application Hosting**: The attacker registers a domain resembling a trustworthy site, for example, "safedomainlogin.com". Under this domain, a subdomain is created (e.g., "companyname.safedomainlogin.com") to host an application designed to capture authorization codes and request access tokens. - 2. **Application Registration in Azure AD**: The attacker then registers a Multi-Tenant Application in their Azure AD Tenant, naming it after the target company to appear legitimate. They configure the application's Redirect URL to point to the subdomain hosting the malicious application. - 3. **Setting Up Permissions**: The attacker sets up the application with various API permissions (e.g., `Mail.Read`, `Notes.Read.All`, `Files.ReadWrite.All`, `User.ReadBasic.All`, `User.Read`). These permissions, once granted by the user, allow the attacker to extract sensitive information on behalf of the user. - 4. **Distributing Malicious Links**: The attacker crafts a link containing the client id of the malicious application and shares it with targeted users, tricking them into granting consent. ## **Utilizing Tools for the Attack** @@ -61,6 +65,7 @@ The attack involves several steps targeting a generic company. Here's how it mig The attack can be facilitated using tools like [**365-Stealer**](https://github.com/AlteredSecurity/365-Stealer). ### Pre-Attack Preparation: + If the attacker has some level of access to a user in the victim organization, they might check if the organization's policy allows the user to accept apps: ```powershell 
@@ -180,7 +185,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
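Review bot: in the first hunk (the header "support HackTricks" block) the backslash escape inside the link destination is redundant: the added line reads `[**@hacktricks\_live**](https://twitter.com/hacktricks\_live)`, and while CommonMark honors backslash escapes in link destinations, renderers that do not will emit a literal backslash into the URL. Escaping the underscore in the link text is enough; leave the destination as `https://twitter.com/hacktricks_live`. The same applies to the identical footer hunk at the end of the file.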
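Review bot: in the hunk adding "### 2 Types of Illicit Consent Grant Attacks", the sentence "raw user cannot give OAuth apps any permission" contradicts the unchanged context just above it ("Only permissions that doesn't require admin consent are classified as low...") and the "Check if users allowed to consent" section that follows: a regular user can grant delegated permissions that do not require admin consent, provided the tenant's user consent policy allows it. Suggest rewording to "a regular user can only grant permissions that do not require admin consent (and only if the tenant allows user consent at all), so you need to phish users who can grant admin consent". Spelling in the same hunk: "requieres" -> "requires", "phised" -> "phished", "isn't no longer interesting" -> "is no longer interesting", "probable" -> "probably", "require and admin" -> "require an admin", "thats" -> "that's".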
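Review bot: the hunk header for `@@ -39,7 +47,6 @@` shows the context `PS AzureADPreview> (GetAzureADMSAuthorizationPolicy).PermissionGrantPolicyIdsAss...`; the AzureADPreview cmdlet is `Get-AzureADMSAuthorizationPolicy` (with a hyphen), so please check that the source line in the file actually carries the hyphen, otherwise the command as documented will not run. The blank-line removal before "## **Understanding Illicit Consent Grant Attack**" itself is fine.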
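Review bot: in the hunk `@@ -49,11 +56,8 @@`, step 4 says the crafted link contains "the client id of the malicious application", but a consent prompt only works if the authorization request also carries the `redirect_uri` registered in step 2 and the `scope` values configured in step 3; consider stating that the link is an authorize-endpoint URL built from `client_id`, `redirect_uri`, `response_type` and `scope`, since the reader otherwise has no way to reproduce the step. Removing the blank lines between the numbered items turns the loose list into a tight one, which is fine.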
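Review bot: in the hunk `@@ -61,6 +65,7 @@`, the heading "### Pre-Attack Preparation:" keeps a trailing colon while the other headings in the file ("### Check if users allowed to consent", "## **Utilizing Tools for the Attack**") have none; since this hunk already touches the line below it, drop the colon for consistency.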