
UC ‐ Abusing Hidden Dangerous Roles in Entra ID

Arpan Sarkar edited this page Apr 14, 2024 · 2 revisions

Goal

Execute reconnaissance & escalate privileges in Entra ID using hidden privileged roles

Information

"Partner Tier2 Support" is a hidden role in Entra ID. According to Microsoft it is "deprecated" and "will be removed from Microsoft Entra ID in the future". However, as of this writing the role still exists and can still be assigned to an identity.

What's the fuss? The role is hidden in the Microsoft Entra ID portal, which makes it harder for administrators to assign and even harder to audit. How can you look for something you don't know exists?

The SpecterOps blog referenced below is the original work identifying this issue and covers it in detail. If you are interested in learning more about the issue, it is highly recommended that you read it.

Partner Tier2 Support is also a highly privileged role that grants many powerful permissions in the environment, including the ability to escalate itself or any other identity to Global Admin.
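Because the role does not appear in the portal's role list, a defender is better served by watching the Entra ID audit log for "Add member to role" events than by reviewing role memberships in the UI. The following is an added example (not Halberd code, and not from the SpecterOps research): it filters audit records, in the assumed shape of Microsoft Graph /auditLogs/directoryAudits output, against a watchlist of hidden role names; the records are constructed samples.

```python
"""Flag Entra ID audit events that add a member to a hidden directory role.
Added example, not Halberd code. Records follow the assumed shape of Microsoft
Graph /auditLogs/directoryAudits output; the samples below are constructed."""
import json

# Roles hidden from the portal's role list and therefore easy to miss in reviews.
HIDDEN_ROLES = {"partner tier2 support"}

def _event(actor, target, role, when, result="success"):
    """Build one constructed 'Add member to role' audit record."""
    return {"activityDisplayName": "Add member to role", "activityDateTime": when,
            "result": result, "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"userPrincipalName": target, "modifiedProperties": [
                # Graph stores newValue as a JSON-encoded string
                {"displayName": "Role.DisplayName", "newValue": json.dumps(role)}]}]}

SAMPLE_EVENTS = json.dumps([
    _event("admin@example.test", "victim@example.test",
           "Partner Tier2 Support", "2024-04-14T10:15:00Z"),
    _event("admin@example.test", "helpdesk@example.test",
           "Helpdesk Administrator", "2024-04-14T10:16:00Z"),
    _event("admin@example.test", "other@example.test",
           "Partner Tier2 Support", "2024-04-14T10:17:00Z", result="failure"),
])

def _role_name(target):
    """Return the decoded Role.DisplayName of a targetResource, or None."""
    for prop in target.get("modifiedProperties") or []:
        if prop.get("displayName") == "Role.DisplayName" and prop.get("newValue"):
            return json.loads(prop["newValue"])
    return None

def find_hidden_role_assignments(events_json, hidden_roles=HIDDEN_ROLES):
    """Return (when, actor, target, role, result) for every attempt, failed ones
    included, to add a member to a watchlisted role."""
    hits = []
    for ev in json.loads(events_json):
        if ev.get("activityDisplayName") != "Add member to role":
            continue
        by = ev.get("initiatedBy") or {}  # actor may be a user or an app
        actor = ((by.get("user") or {}).get("userPrincipalName")
                 or (by.get("app") or {}).get("displayName"))
        for tgt in ev.get("targetResources") or []:
            role = _role_name(tgt)
            if role and role.strip().lower() in hidden_roles:
                hits.append((ev.get("activityDateTime"), actor,
                             tgt.get("userPrincipalName"), role, ev.get("result")))
    return hits
```

Calling find_hidden_role_assignments(SAMPLE_EVENTS) returns the successful add and the failed attempt against the hidden role, and ignores the Helpdesk Administrator assignment; failed attempts are kept because they are a useful early signal of someone probing the role.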

Attack

An adversary with permissions to recon and assign this role in the environment can abuse its permissions, or escalate privileges to Global Admin, to do further damage.

Alternatively, adversaries may attempt to identify other identities in the environment that hold these hidden roles and target them.

Tactics: Initial Access, Discovery, Privilege Escalation
Techniques: T1078, T1069, T1098

Attack Execution

Recon the hidden role's information and then attempt to assign the role to a user.

Role Recon

Using Halberd's Role Recon dashboard, users can easily look up information even on hidden roles like this one.

  1. Establish access using any Halberd Access module
  2. Navigate to Recon page
  3. Select Roles recon dashboard
  4. Enter "Partner Tier2 Support" in the search and press RECON
  5. Review collected info on page

Role Assignment

Using Halberd's Entra ID role assignment technique, users can attempt privilege escalation in the environment.

  1. Establish access using a Halberd Access module (not required if done previously)
  2. Navigate to Attack > Entra ID
  3. Select Privilege Escalation from Tactics dropdown
  4. Select the technique "Assign Directory Role to User"
  5. Enter the user to assign the role to
  6. Enter "Partner Tier2 Support" as the role
  7. Press EXECUTE TECHNIQUE
  8. Check the technique result in the Response section

[Screenshot: Initial Role Recon]

[Screenshot: Role Assignment Attempt: Assigning Hidden Role]

[Screenshot: Role Assignment Confirmation: Confirming Role Assignment]

References
