Skip to content

Commit

Permalink
Merge pull request #16 from JonasBK/update-readme
Browse files Browse the repository at this point in the history 
add missing functions to readme
  • Loading branch information
@andyrobbins
andyrobbins authored Oct 3, 2024
2 parents b20e803 + f77af57 commit 8475e94
Show file tree
Hide file tree
Showing 2 changed files with 109 additions and 42 deletions.
6 changes: 3 additions & 3 deletions BARK.ps1
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7124,7 +7124,7 @@ Function Test-AzureRMCreateFunction {
New-Variable -Name 'Test-AzureRMCreateFunctionDefinition' -Value (Get-Command -Name "Test-AzureRMCreateFunction") -Force
New-Variable -Name 'Test-AzureRMCreateFunctionAst' -Value (${Test-AzureRMCreateFunctionDefinition}.ScriptBlock.Ast.Body) -Force

function Invoke-AzureRMAbuseTests {
function Invoke-AllAzureRMAbuseTests {
<#
.SYNOPSIS
Performs all AzureRM abuse tests, or specified tests against AzureRM objects if specfied with AbuseTestType switch
Expand Down Expand Up @@ -7155,7 +7155,7 @@ function Invoke-AzureRMAbuseTests {
The ID of the target subscription
.EXAMPLE
C:\PS> Invoke-AzureRMAbuseTests `
C:\PS> Invoke-AllAzureRMAbuseTests `
-GlobalAdminClientID "76add5b8-33fe-4f8f-8afe-8b75ddfaa7ae" `
-GlobalAdminSecret "<secret>" `
-UserAccessAdminClientID "76add5b8-33fe-4f8f-8afe-8b75ddfaa7ae" `
Expand All @@ -7168,7 +7168,7 @@ function Invoke-AzureRMAbuseTests {
Perform all abuse tests, determines which available roles are able to perform all known abuse primitives
.EXAMPLE
C:\PS> Invoke-AzureRMAbuseTests `
C:\PS> Invoke-AllAzureRMAbuseTests `
-GlobalAdminClientID "76add5b8-33fe-4f8f-8afe-8b75ddfaa7ae" `
-GlobalAdminSecret "<secret>" `
-UserAccessAdminClientID "76add5b8-33fe-4f8f-8afe-8b75ddfaa7ae" `
Expand Down
145 changes: 106 additions & 39 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,10 @@ Primary author:
Andy Robbins [@_wald0](https://twitter.com/@_wald0)

Contributors:
Jonas Bülow Knudsen [@Jonas_B_K](https://twitter.com/Jonas_B_K)
Fabian Bader [@fabian_bader](https://twitter.com/fabian_bader)
CravateRouge [@CravateRouge](@https://github.com/CravateRouge)
g60ocR [@g60ocR](https://github.com/g60ocR)
- Jonas Bülow Knudsen [@Jonas_B_K](https://twitter.com/Jonas_B_K)
- Fabian Bader [@fabian_bader](https://twitter.com/fabian_bader)
- CravateRouge [@CravateRouge](https://github.com/CravateRouge)
- g60ocR [@g60ocR](https://github.com/g60ocR)

Getting Started
---------------
Expand All @@ -42,7 +42,7 @@ Running your first BARK commands

With very few exceptions, Azure API endpoints require authentication to interact with. BARK comes with a few functions that will help you acquire the necessary tokens for interacting with the MS Graph and Azure REST APIs. Any BARK function that interacts with an Azure API that requires authentication will require you to supply a token.

Let's say you want to list all of the users in an Azure Active Directory tenant. You first need to get a token scoped for MS Graph. There are many ways to get this token:
Let's say you want to list all of the users in an Entra ID tenant. You first need to get a token scoped for MS Graph. There are many ways to get this token:

If you have a username/password combination for an Entra user in that tenant, you can first acquire a refresh token for the user using BARK's ``Get-EntraRefreshTokenWithUsernamePassword`` function:

Expand All @@ -60,55 +60,122 @@ Once finished, the `$MyEntraUsers` variable will be populated by objects represe

Token Management and Manipulation Functions
-------------------------------------------

* ``Parse-JWTToken`` will take a Base64 encoded JWT as input and parse it for you. Useful for verifying correct token audience and claims.
* ``Get-AzureKeyVaultTokenWithClientCredentials`` requests a token from STS with Azure Vault specified as the resource/intended audience using a client ID and secret.
* ``Get-AzureKeyVaultTokenWithUsernamePassword`` requests a token from STS with Azure Vault specified as the resource/intended audience using a user-supplied username and password.
* ``Get-AzurePortalTokenWithRefreshToken`` requests an Azure Portal Auth Refresh token with a user-supplied refresh token.
* ``Get-AzureRMTokenWithClientCredentials`` requests an AzureRM-scoped JWT with a client ID and secret. Useful for authenticating as an Entra service principal.
* ``Get-AzureRMTokenWithPortalAuthRefreshToken`` requests an AzureRM-scoped JWT with a user-supplied Azure Portal Auth Refresh token.
* ``Get-AzureRMTokenWithRefreshToken`` requests an AzureRM-scoped JWT with a user-supplied refresh token.
* ``Get-AzureRMTokenWithUsernamePassword`` requests an AzureRM-scoped JWT with a user-supplied username and password.
* ``Get-EntraRefreshTokenWithUsernamePassword`` requests a collection of tokens, including a refresh token, from login.microsoftonline.com with a user-supplied username and password. This will fail if the user has Multi-Factor Authentication requirements or is affected by a Conditional Access Policy.
* ``Get-MSGraphTokenWithClientCredentials`` requests an MS Graph-scoped JWT with a client ID and secret. Useful for authenticating as an Entra service principal.
* ``Get-MSGraphTokenWithRefreshToken`` requests an MS Graph-scoped JWT with a user-supplied refresh token.
* ``Get-MSGraphTokenWithPortalAuthRefreshToken`` requests an MS Graph-scoped JWT with a user-supplied Azure Portal Auth Refresh token.
* ``Get-AzureRMTokenWithClientCredentials`` requests an AzureRM-scoped JWT with a client ID and secret. Useful for authenticating as an Entra service principal.
* ``Get-ARMTokenWithPortalAuthRefreshToken`` requests an AzureRM-scoped JWT with a user-supplied Azure Portal Auth Refresh token.
* ``Get-ARMTokenWithRefreshToken`` requests an AzureRM-scoped JWT with a user-supplied refresh token.
* ``Get-AzurePortalTokenWithRefreshToken`` requests an Azure Portal Auth Refresh token with a user-supplied refresh token.

The refresh token-based functions in BARK are based on functions in [TokenTactics](https://github.com/rvrsh3ll/TokenTactics) by [Steve Borosh](https://twitter.com/424f424f)
* ``Get-MSGraphTokenWithRefreshToken`` requests an MS Graph-scoped JWT with a user-supplied refresh token.
* ``Get-MSGraphTokenWithUsernamePassword`` requests an MS Graph-scoped JWT with a user-supplied username and password.
* ``Parse-JWTToken`` will take a Base64 encoded JWT as input and parse it for you. Useful for verifying correct token audience and claims.

Abuse Functions
---------------
* ``Set-AZUserPassword`` will attempt to set the password of another user to a new user-provided value.
* ``Reset-AZUserPassword`` will attempt to reset the password of another user. If successful, the output will contain the new, Azure-generated password of the user
* ``New-AzureRMRoleAssignment`` will attempt to grant a user-specified AzureRM role assignment to a particular principal over a certain scope.
* ``New-AppRegSecret`` will attempt to create a new secret for an existing Entra app registration.
* ``New-ServicePrincipalSecret`` will attempt to create a new secret for an existing Entra service principal.
* ``New-AppRoleAssignment`` will attempt to grant an app role to a service principal. For example, you can use this to grant a service principal the RoleManagement.ReadWrite.Directory app role.
The refresh token-based functions in BARK are based on functions in [TokenTactics](https://github.com/rvrsh3ll/TokenTactics) by [Steve Borosh](https://twitter.com/424f424f).

Enumeration Functions
---------------------
* ``Get-AzureRMRoleDefinitions`` collects all role definitions described at a subscription scope, including custom roles.
* ``Get-MGAppRoles`` collects the app roles made available by the MS Graph service principal.
Entra Enumeration Functions
---------------------------
* ``Get-AllEntraApps`` collects all Entra application registration objects.
* ``Get-AllEntraGroups`` collects all Entra groups.
* ``Get-AllEntraRoles`` collects all Entra admin roles.
* ``Get-AllEntraServicePrincipals`` collects all Entra service principal objects.
* ``Get-AllEntraUsers`` collects all Entra users.
* ``Get-AllEntraGroups`` collects all Entra groups.
* ``Get-EntraAppOwner`` collects owners of an Entra app registration.
* ``Get-EntraDeviceRegisteredUsers`` collects users of an Entra device.
* ``Get-EntraGroupMembers`` collects members of an Entra group.
* ``Get-EntraGroupOwner`` collects owners of an Entra group.
* ``Get-EntraRoleTemplates`` collects Entra admin role templates.
* ``Get-EntraServicePrincipal`` collects an Entra service principal.
* ``Get-EntraServicePrincipalOwner`` collects owners of an Entra service principal.
* ``Get-EntraTierZeroServicePrincipals`` collects Entra service principals that have a Tier Zero Entra Admin Role or Tier Zero MS Graph App Role assignment.
* ``Get-MGAppRoles`` collects the app roles made available by the MS Graph service principal.

Azure Resource Manager Enumeration Functions
--------------------------------------------
* ``Get-AllAzureManagedIdentityAssignments`` collects all managed identity assignments.
* ``Get-AllAzureRMAKSClusters`` collects all kubernetes service clusters under a subscription.
* ``Get-AllAzureRMAutomationAccounts`` collects all automation accounts under a subscription.
* ``Get-AllAzureRMAzureContainerRegistries`` collects all container registies under a subscription.
* ``Get-AllAzureRMFunctionApps`` collects all function apps under a subscription.
* ``Get-AllAzureRMKeyVaults`` collects all key vaults under a subscription.
* ``Get-AllAzureRMLogicApps`` collects all logic apps under a subscription.
* ``Get-AllAzureRMResourceGroups`` collects all resouce groups under a subscription.
* ``Get-AllAzureRMSubscriptions`` collects all AzureRM subscriptions.
* ``Get-AllAzureRMVMScaleSetsVMs`` collects all virtual machines under a VM scale set.
* ``Get-AllAzureRMVMScaleSets`` collects all virtual machine scale sets under a subscription.
* ``Get-AllAzureRMVirtualMachines`` collects all virtual machines under a subscription.
* ``Get-AllAzureRMWebApps`` collects all web apps under a subscription.
* ``Get-AzureAutomationAccountRunBookOutput`` runs an automation account runbook and retrieves its output.
* ``Get-AzureFunctionAppFunctionFile`` collects the raw file (usually source code) of a function app function.
* ``Get-AzureFunctionAppFunctions`` collects all functions under a function app.
* ``Get-AzureFunctionAppMasterKeys`` collects all master keys under a function app.
* ``Get-AzureFunctionOutput`` runs a function app function and retrieves its output.
* ``Get-AzureRMKeyVaultSecretValue`` collects a key vault secret value.
* ``Get-AzureRMKeyVaultSecretVersions`` collects all versions of a key vault secret.
* ``Get-AzureRMKeyVaultSecrets`` collects all secrets under a key vault.
* ``Get-AzureRMRoleAssignments`` collects all role assignments against an object.
* ``Get-AzureRMRoleDefinitions`` collects all role definitions described at a subscription scope, including custom roles.
* ``Get-AzureRMWebApp`` collects a web app.

Intune Enumeration Functions
----------------------------
* ``Get-IntuneManagedDevices`` collects Intune-managed devices.
* ``Get-IntuneRoleDefinitions`` collects available Intune role definitions.

Entra Abuse Functions
---------------------
* ``Add-MemberToEntraGroup`` will attempt to add a principal to an Entra group.
* ``Enable-EntraRole`` will attempt to enables (or "activate") the Entra role.
* ``New-EntraAppOwner`` will attempt to add a new owner to an Entra app.
* ``New-EntraAppRoleAssignment`` will attempt to grant an app role to a service principal. For example, you can use this to grant a service principal the RoleManagement.ReadWrite.Directory app role.
* ``New-EntraAppSecret`` will attempt to create a new secret for an existing Entra app registration.
* ``New-EntraGroupOwner`` will attempt to add a new owner to an Entra group.
* ``New-EntraRoleAssignment`` will attempt to assign an Entra admin role to a specified principal.
* ``New-EntraServicePrincipalOwner`` will attempt to will attempt to add a new owner to an Entra service principal.
* ``New-EntraServicePrincipalSecret`` will attempt to create a new secret for an existing Entra service principal.
* ``Reset-EntraUserPassword`` will attempt to reset the password of another user. If successful, the output will contain the new, Azure-generated password of the user.
* ``Set-EntraUserPassword`` will attempt to set the password of another user to a new user-provided value.

Azure Resource Manager Abuse Functions
--------------------------------------
* ``Invoke-AzureRMAKSRunCommand`` will instruct the AKS cluster to execute a command.
* ``Invoke-AzureRMVMRunCommand`` will attempt to execute a command on a VM.
* ``Invoke-AzureRMWebAppShellCommand`` will attempt to execute a command on a web app container.
* ``Invoke-AzureVMScaleSetVMRunCommand`` will attempt to execute a command on a VM Scale Set VM.
* ``New-AzureAutomationAccountRunBook`` will attempt to add a runbook to an automation account.
* ``New-AzureKeyVaultAccessPolicy`` will attempt to grant a principal "Get" and "List" permissions on a key vault's secrets, keys, and certificates.
* ``New-AzureRMRoleAssignment`` will attempt to grant a user-specified AzureRM role assignment to a particular principal over a certain scope.
* ``New-PowerShellFunctionAppFunction`` will attempt to create a new PowerShell function in a function app.

Meta Functions
--------------
* ``Test-AzureRMAddSelfToAzureRMRole`` used in abuse validation testing to determine whether a service principal with certain rights can grant itself the User Access Admin role over a subscription.
* ``Test-AzureRMCreateFunction`` used in abuse validation testing to test if a service principal can add a new function to an existing function app.
* ``ConvertTo-Markdown`` is used for massaging output from the Invoke-Tests functions for usage in another platform.
* ``Invoke-AllAzureMGAbuseTests`` performs all abuse validation tests that can be executed by holding an MS Graph app role. Returns an object describing which privileges were successful at performing each abuse test.
* ``Invoke-AllAzureRMAbuseTests`` performs all AzureRM abuse validation tests and outputs a resulting object that describes which AzureRM roles granted the ability to perform each abuse.
* ``Remove-AbuseTestAzureRMRoles`` is a clean-up function for removing AzureRM admin roles created during testing.
* ``Remove-AbuseTestServicePrincipals`` cleans up abuse tests by removing the serivce principals that were created during testing.
* ``Invoke-AllEntraAbuseTests`` performs all abuse validation tests that can be executed by principals granted Entra admin roles. Returns an object describing which privileges were successful at performing each abuse test.
* ``New-EntraIDAbuseTestSPs`` creates a new service principal per active Entra admin role and grants each service principal the appropriate role. Returns plain text credentials created for each service prinicpal.
* ``New-EntraIDAbuseTestUsers`` creates a new user per active Entra admin role and grants each user the appropriate role. Returns plain text credentials created for each user.
* ``New-IntuneAbuseTestUsers`` creates a new user per Intune role and grants each user the appropriate role. Returns plain text credentials created for each user.
* ``New-MSGraphAppRoleTestSPs`` creates a new service principal per MS Graph app role and grants each service principal the appropriate role. Returns plain text credentials created for each service prinicpal.
* ``New-TestAppReg`` creates an application registration object for the explicit purpose of abuse validation testing.
* ``New-TestSP`` creates a new service principal and associates it with the app created by the above function.
* ``Remove-AbuseTestAzureRMRoles`` is a clean-up function for removing AzureRM admin roles created during testing.
* ``Remove-AbuseTestServicePrincipals`` cleans up abuse tests by removing the serivce principals that were created during testing.
* ``Test-AzureRMAddSelfToAzureRMRole`` used in abuse validation testing to determine whether a service principal with certain rights can grant itself the User Access Admin role over a subscription.
* ``Test-AzureRMCreateFunction`` used in abuse validation testing to test if a service principal can add a new function to an existing function app.
* ``Test-AzureRMPublishAutomationAccountRunBook`` is used to test whether a service principal can publish a new runbook to an existing automation account.
* ``Test-AzureRMVMRunCommand`` is used to test whether a principal can run a command on an existing VM.
* ``Test-MGAddMemberToNonRoleEligibleGroup`` is used to test whether the service principal can add itself to a non-role eligible group.
* ``Test-MGAddMemberToRoleEligibleGroup`` is used to test whether the service principal can add itself to a role eligible group.
* ``Test-MGAddOwnerToNonRoleEligibleGroup`` is used to test whether a service principal can grant itself explicit ownership of a non-role eligible group.
* ``Test-MGAddOwnerToRoleEligibleGroup`` is used to test whether a service principal can grant itself explicit ownership of a role eligiblee group.
* ``Test-MGAddRootCACert`` is used to test whether a service principal can add a new Root CA cert to the tenant.
* ``Test-MGAddSecretToApp`` is used to test whether the service principal can add a new secret to an existing app.
* ``Test-MGAddSecretToSP`` is used to test whether the service principal can add a new secret to an existing service principal.
* ``Test-MGAddSelfAsOwnerOfApp`` is used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself ownership of an existing Entra app.
* ``Test-MGAddSelfAsOwnerOfSP`` is used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself ownership of an existing Entra service principal.
* ``Test-MGAddSelfToEntraRole`` is used in abuse validation testing to determine whether a service principal with a particular privilege can add itself to an Entra admin role - Global Admin, for example.
* ``Test-MGAddSelfToMGAppRole``is used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself a particular MS Graph app role without admin consent.
* ``Test-MGAddOwnerToRoleEligibleGroup`` is used to test whether a service principal can grant itself explicit ownership of a role assignable group.
* ``Test-MGAddMemberToRoleEligibleGroup`` is used to test whether the service principal can add itself to a role assignable group.
* ``Test-MGAddSecretToSP`` is used to test whether the service principal can add a new secret to an existing service principal.
* ``Test-MGAddSecretToApp`` is used to test whether the service principal can add a new secret to an existing app.
* ``Invoke-AllAzureMGAbuseTests`` performs all abuse validation tests that can be executed by holding an MS Graph app role. Returns an object describing which privileges were successful at performing each abuse test.
* ``Invoke-AllEntraAbuseTests`` performs all abuse validation tests that can be executed by principals granted Entra admin roles. Returns an object describing which privileges were successful at performing each abuse test.
* ``ConvertTo-Markdown`` is used for massaging output from the Invoke-<type>Tests functions for usage in another platform.
* ``Test-MGAddSelfToMGAppRole``is used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself a particular MS Graph app role without admin consent.

0 comments on commit 8475e94

Please sign in to comment.