AZMemberOf

The source principal is a member of the target Entra ID security group, inheriting all privileges assigned to that group.

Applies to: User / ServicePrincipal / Device → AZGroup


Linux Abuse

Enumerate group memberships

az login --service-principal -u <app-id> -p '<secret>' --tenant <tenant-id>

# Object IDs of all groups the user belongs to (transitive); pass --security-enabled-only true to keep only security groups
az ad user get-member-groups --id <target-user-id> --security-enabled-only false

# All direct memberships (groups and directory roles) with display names, via the Graph memberOf endpoint
az rest --method get --url "https://graph.microsoft.com/v1.0/users/<target-user-upn>/memberOf" \
  --query 'value[].{displayName:displayName, id:id, type:"@odata.type"}'

Graph API: enumerate transitive memberships

TOKEN=$(curl -s -X POST \
  "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token" \
  -d "client_id=<app-id>&client_secret=<secret>&scope=https://graph.microsoft.com/.default&grant_type=client_credentials" \
  | jq -r '.access_token')

curl -s "https://graph.microsoft.com/v1.0/users/<target-user-id>/transitiveMemberOf" \
  -H "Authorization: Bearer $TOKEN" | jq '.value[] | {displayName, id, "@odata.type"}'

Enumerate group's assigned roles and permissions

# What Entra ID roles does the group have? (active, direct role memberships only;
# PIM-eligible and administrative-unit-scoped assignments do not show up here)
curl -s "https://graph.microsoft.com/v1.0/groups/<target-group-id>/memberOf/microsoft.graph.directoryRole" \
  -H "Authorization: Bearer $TOKEN" | jq '.value[] | .displayName'

# What Azure RBAC roles does the group have? (--all walks every subscription the session can see)
az role assignment list --assignee <target-group-id> --all

Windows Abuse

Microsoft.Graph PowerShell: enumerate memberships

# Microsoft.Graph SDK v2 takes the token as a SecureString (v1 accepted a plain string)
Connect-MgGraph -AccessToken (ConvertTo-SecureString '<access-token>' -AsPlainText -Force)

# The *MemberOf cmdlets return generic directory objects: DisplayName and the object type
# live in AdditionalProperties, so a bare "Select-Object DisplayName" prints blanks
$fmt = @(
  'Id',
  @{ n = 'DisplayName'; e = { $_.AdditionalProperties.displayName } },
  @{ n = 'Type';        e = { $_.AdditionalProperties.'@odata.type' } }
)

# Direct memberships
Get-MgUserMemberOf -UserId <target-user-id> | Select-Object $fmt

# Transitive (nested groups)
Get-MgUserTransitiveMemberOf -UserId <target-user-id> | Select-Object $fmt

# SP memberships
Get-MgServicePrincipalMemberOf -ServicePrincipalId <object-id> | Select-Object $fmt

Az PowerShell: check group's Azure RBAC roles

Connect-AzAccount -AccessToken <access-token> -AccountId <username>
Get-AzRoleAssignment -ObjectId <target-group-id>

Opsec

  • This edge is informational: there is nothing to exploit on the edge itself, it records access the principal already inherits from the group.
  • Abuse the privileges the group grants (Azure RBAC roles, Entra ID roles, app role assignments) by following the group's own outbound edges.
  • Check nested group membership: a member of Group A also picks up Group B's Azure RBAC assignments if A is nested in B. Entra ID directory roles and app role assignments bind to a group's direct members only, so they do not flow through nesting.
  • Query transitiveMemberOf rather than memberOf so indirect inheritance through nested groups is not missed.
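The following script ties the enumeration steps above together: it walks memberOf recursively (the client-side equivalent of transitiveMemberOf, with hop counts and cycle protection), then asks each group for its directory roles and app role assignments and flags which of those actually reach the principal. It is an added example written for this page, not BloodHound's code. It assumes a Graph bearer token in the GRAPH_TOKEN environment variable with at least Directory.Read.All (PRINCIPAL_TYPE and PRINCIPAL_ID select the edge source); the SAMPLE dictionary and its object IDs are constructed so the script also runs offline.

```python
"""Resolve what a principal inherits through (possibly nested) Entra ID group
membership using the Graph memberOf endpoints. Assumes GRAPH_TOKEN holds a bearer
token with Directory.Read.All (an assumption of this example); without it the
constructed SAMPLE data below is used."""
import json
import os
import urllib.request
from collections import deque

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_get(url, token):
    """Paged GET against Microsoft Graph: follows @odata.nextLink, returns all 'value' items."""
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        items.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return items


def transitive_groups(principal_type, principal_id, get):
    """Breadth-first memberOf walk, the client-side equivalent of /transitiveMemberOf,
    recording the minimum number of hops to each group (1 = direct member).
    principal_type is the Graph collection the edge source lives in: 'users',
    'servicePrincipals' or 'devices'; nested hops always go via /groups/{id}/memberOf.
    The visited dict keeps the walk cycle-safe (A nested in B and B nested in A)."""
    groups = {}
    queue = deque([(f"{GRAPH}/{principal_type}/{principal_id}/memberOf", 1)])
    while queue:
        url, hop = queue.popleft()
        for obj in get(url):
            if obj.get("@odata.type") != "#microsoft.graph.group" or obj["id"] in groups:
                continue
            groups[obj["id"]] = {"displayName": obj.get("displayName", ""), "hops": hop}
            queue.append((f"{GRAPH}/groups/{obj['id']}/memberOf", hop + 1))
    return groups


def group_privileges(group_id, get):
    """What one group carries: Entra directory roles (memberOf OData cast, active direct
    role memberships only) and app role assignments on service principals."""
    roles = [r["displayName"] for r in
             get(f"{GRAPH}/groups/{group_id}/memberOf/microsoft.graph.directoryRole")]
    app_roles = [f"{a.get('resourceDisplayName', '')}:{a.get('appRoleId', '')}" for a in
                 get(f"{GRAPH}/groups/{group_id}/appRoleAssignments")]
    return {"directoryRoles": roles, "appRoleAssignments": app_roles}


def inherited_privileges(principal_type, principal_id, get):
    """One record per transitively held group. Directory roles and app role assignments
    bind to a group's direct members only, so for hops > 1 they are listed but flagged
    as not reaching the principal. Azure RBAC (ARM token, not queried here) does follow
    nesting, which is why nested groups are still worth reporting."""
    report = {}
    for gid, info in transitive_groups(principal_type, principal_id, get).items():
        privs = group_privileges(gid, get)
        report[gid] = {**info, **privs, "entraPrivsReachPrincipal": info["hops"] == 1}
    return report


# Constructed sample (not real tenant data): user U is a direct member of Helpdesk (A);
# A is nested in IT-Admins (B); B also lists A as a member, forming a cycle.
SAMPLE = {
    f"{GRAPH}/users/U/memberOf": [
        {"@odata.type": "#microsoft.graph.group", "id": "A", "displayName": "Helpdesk"},
        {"@odata.type": "#microsoft.graph.directoryRole", "id": "R2",
         "displayName": "Directory Readers"},  # a role, not a group: skipped by the walk
    ],
    f"{GRAPH}/groups/A/memberOf": [
        {"@odata.type": "#microsoft.graph.group", "id": "B", "displayName": "IT-Admins"},
        {"@odata.type": "#microsoft.graph.directoryRole", "id": "R1",
         "displayName": "User Administrator"},
    ],
    f"{GRAPH}/groups/B/memberOf": [
        {"@odata.type": "#microsoft.graph.group", "id": "A", "displayName": "Helpdesk"},
    ],
    f"{GRAPH}/groups/A/memberOf/microsoft.graph.directoryRole": [
        {"id": "R1", "displayName": "User Administrator"},
    ],
    f"{GRAPH}/groups/B/memberOf/microsoft.graph.directoryRole": [],
    f"{GRAPH}/groups/A/appRoleAssignments": [],
    f"{GRAPH}/groups/B/appRoleAssignments": [
        {"resourceDisplayName": "Microsoft Graph", "appRoleId": "<app-role-id>"},
    ],
}


def sample_get(url):
    """Offline stand-in for graph_get that serves the constructed SAMPLE responses."""
    return SAMPLE.get(url, [])


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    get = (lambda url: graph_get(url, token)) if token else sample_get
    ptype = os.environ.get("PRINCIPAL_TYPE", "users")
    pid = os.environ.get("PRINCIPAL_ID", "U")
    print(json.dumps(inherited_privileges(ptype, pid, get), indent=2))
```

Against the sample data the report lists Helpdesk at one hop carrying User Administrator (reaches U) and IT-Admins at two hops carrying an app role that does not, while the A/B nesting cycle terminates. Live, the same walk over a real principal shows which Entra ID roles the group path actually confers and which nested groups only matter for Azure RBAC.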