
Recreating Malicious login in Azure AD

We had a user's creds exposed, and a threat actor used them to successfully log in to Azure CLI with the user's creds. We've since resolved the access issue using conditional access and our MFA (which admittedly was a hole). I'm trying to recreate the method of attack, though, and I can't seem to get it right. Here are the activity details for the malicious sign-in:

Application: Microsoft Azure CLI
Application ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
Resource: Windows Azure Service Management API
Resource ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013
Resource tenant ID: Left out
Home tenant ID: Left out
Home tenant name:
Client app: Mobile Apps and Desktop clients
Client credential type: None
Service principal ID:
Service principal name:
Resource service principal ID: d2b4c9e3-9a2a-4360-8ba4-6ece086335c5
Unique token identifier: Left out
Token issuer type: Azure AD
Token issuer name:
Incoming token type: None
Authentication Protocol: ROPC
Latency: 90ms
Flagged for review: No
User agent:

Looks like they used ROPC, detailed here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

I've tried emulating it through Azure CLI directly, but it doesn't report back "ROPC" as the authentication. So they are definitely calling through ROPC. Then I tried emulating it with my creds in Postman, and I get almost the same result as above in the sign-in log:

Application: Microsoft Azure CLI
Application ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
Resource: Microsoft Graph
Resource ID: 00000003-0000-0000-c000-000000000000
Resource tenant ID: Left out
Home tenant ID: Left out
Home tenant name:
Client app: Mobile Apps and Desktop clients
Client credential type: None
Service principal ID:
Service principal name:
Resource service principal ID: e10569b0-24e4-4495-9d9b-698b01290eae
Unique token identifier: Left out
Token issuer type: Azure AD
Token issuer name:
Incoming token type: None
Authentication Protocol: ROPC
Latency: 108ms
Flagged for review: No
User agent: PostmanRuntime/7.30.0

As you can see it's very similar, but mine is reporting "Microsoft Graph" while the malicious entry reports Windows Azure Service Management API. Can someone point me in the right direction?

Windows Azure Service Management API refers to the Azure Resource Management API.

I tried checking the sign-in logs, and the service principal sign-in logs have Windows Azure Service Management API; refer here:


Note: the above sign-in log is for a service principal signing in with the client credentials flow. You can find that service principal by copying its Application ID and pasting it into the App registrations page or the Enterprise applications page of Azure AD.

I tried to log in to Azure with a service principal named Powershell using the ROPC flow via Postman:


Received an access token like below:


Called the Graph API:


Got the resource as Microsoft Graph in the sign-in logs, similar to you:


Now, I tried calling the Azure Resource Management API to get the list of Azure resources from my account with the same flow, and got the Resource set to Windows Azure Service Management API like below:

Added Azure Service Management API permissions:


Now, I changed the scope to https://management.azure.com/default like below:


Fetched the access token from the above call and ran the query below to get the list of resources:


When I checked the sign-in logs now, it's showing ROPC with the Windows Azure Service Management API resource like below:

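Added example, not code from the original post or from either participant, written from the detection side: a small triage of sign-in records shaped like the two log entries in the question, scoring the ROPC grant and the management-plane resource that distinguished the malicious entry from the asker's Postman test. Field names follow the sign-in log; SAMPLE_ENTRIES, the portal app ID placeholder and the score weights are assumptions made for illustration.

```python
# Added example, not from the original post: triage Azure AD sign-in log entries
# shaped like the ones above to surface password-only (ROPC) sign-ins. SAMPLE_ENTRIES,
# the portal app ID placeholder and the score weights are constructed for illustration.

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Microsoft Azure CLI (from the page)
ARM_RESOURCE_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"   # Windows Azure Service Management API
GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph (from the page)
DESKTOP_CLIENT = "Mobile Apps and Desktop clients"

SAMPLE_ENTRIES = [
    {   # the malicious sign-in from the question: ROPC to ARM, empty user agent
        "Application ID": AZURE_CLI_APP_ID, "Resource ID": ARM_RESOURCE_ID,
        "Client app": DESKTOP_CLIENT, "Authentication Protocol": "ROPC", "User agent": "",
    },
    {   # the asker's Postman reproduction: ROPC to Microsoft Graph, user agent present
        "Application ID": AZURE_CLI_APP_ID, "Resource ID": GRAPH_RESOURCE_ID,
        "Client app": DESKTOP_CLIENT, "Authentication Protocol": "ROPC",
        "User agent": "PostmanRuntime/7.30.0",
    },
    {   # constructed benign interactive browser sign-in (placeholder app ID)
        "Application ID": "PLACEHOLDER-PORTAL-APP-ID", "Resource ID": GRAPH_RESOURCE_ID,
        "Client app": "Browser", "Authentication Protocol": "oAuth2",
        "User agent": "Mozilla/5.0 (constructed)",
    },
]

def assess_signin(entry):
    """Return (score, reasons) for one entry; a higher score is more worth a review."""
    score, reasons = 0, []
    if entry.get("Authentication Protocol", "").upper() == "ROPC":
        # ROPC trades username+password straight for tokens: nothing interactive
        # happens, so MFA is never prompted unless Conditional Access demands it.
        score += 3
        reasons.append("ROPC grant (password-only, no interactive MFA prompt)")
    if entry.get("Resource ID") == ARM_RESOURCE_ID:
        # a management-plane token can enumerate and change subscription resources
        score += 1
        reasons.append("token issued for Azure Resource Manager")
    if entry.get("Client app") == DESKTOP_CLIENT and not entry.get("User agent"):
        # the asker's own Postman run carried a user agent; the malicious one did not
        score += 1
        reasons.append("desktop client with empty user agent")
    return score, reasons

def triage(entries, min_score=2):
    """Return (index, score, reasons) for entries at or above min_score, highest first."""
    hits = [(i, *assess_signin(e)) for i, e in enumerate(entries)]
    return sorted((h for h in hits if h[1] >= min_score), key=lambda h: -h[1])

if __name__ == "__main__":
    for i, score, reasons in triage(SAMPLE_ENTRIES):
        print(f"entry {i}: score {score}: " + "; ".join(reasons))
```

The same three checks translate directly into a Conditional Access review: block or require MFA for legacy/ROPC grants, and alert on management-plane tokens obtained without an interactive sign-in.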
