gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-12 07:40:49 -08:00
Code Issues Packages Projects Releases Wiki Activity

dynamic groups

Browse Source
This commit is contained in:
carlospolop
2025-11-19 18:15:02 +01:00
parent d25a46d41c
commit 84b8efa343
1 changed files with 38 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md
View File

@@ -16,6 +16,43 @@ Note that by default any user can invite guests in Azure AD, so, If a dynamic gr
Get groups that allow Dynamic membership: **`az ad group list --query "[?contains(groupTypes, 'DynamicMembership')]" --output table`**
### Dynamic Groups Enumeration
Get the rules of a dynamic group:
With **Azure CLI**:
```bash
az ad group list \
--filter "groupTypes/any(c:c eq 'DynamicMembership')" \
--query "[].{displayName:displayName, rule:membershipRule}" \
-o table
```
With **PowerShell** and **Microsoft Graph SDK**:
```bash
Install-Module Microsoft.Graph -Scope CurrentUser -Force
Import-Module Microsoft.Graph
Connect-MgGraph -Scopes "Group.Read.All"
Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
-Property Id, DisplayName, GroupTypes
# Get the rules of a specific group
$g = Get-MgGroup -Filter "displayName eq '<GROUP NAME>'" `
-Property DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState
$g | Select-Object DisplayName, GroupTypes, MembershipRule
# Get the rules of all dynamic groups
Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
-Property DisplayName, MembershipRule |
Select-Object DisplayName, MembershipRule
```
### Example
- **Rule example**: `(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")`
@@ -43,6 +80,7 @@ az rest --method GET \
--query "otherMails"
```
## References
- [https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/](https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/)