OAuth 2.0 Abuse

Last updated 1 year ago

What Is OAuth 2.0

OAuth 2.0 lets a third-party application access a service on a user's behalf with an access token, without the user handing that application their credentials.

OAuth 2 is an authorization framework that enables applications, such as Facebook, GitHub, and DigitalOcean, to obtain limited access to user accounts on an HTTP service. It works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access that account. OAuth 2 provides authorization flows for web and desktop applications, as well as mobile devices.

Attack

Attackers create malicious OAuth applications, often impersonating legitimate ones, and phish account owners into consenting to them; the consent hands the attacker an access token for the victim's account.

Powerful advantages:

  • Can bypass MFA.

  • Even if the password is reset, the access token is still valid.

How to steal OAuth 2 tokens (the PynAuth workflow):

  1. Start the web server by running 'app.py'. This starts a Flask-based web server. (Securing the server is up to you. Recommend putting it behind an HTTPS redirector if open to the internet.)

  2. Have the user open the configured link to sign in to the portal.

  3. An access token and refresh token are returned and written to a pickle file. Currently, only one set of tokens can be stored per user.

  4. Once tokens have been collected, run 'mainAPI.py' and choose the action you wish to take.

Link given to the victim for the fake sign-in page (screenshot not reproduced). The URL:

  • Identifies the client_id

  • Contains the redirect URL to the malicious website

  • Lists the permissions the application wants access to

Screenshot (not reproduced): the page the user sees when they click the link.

Screenshot (not reproduced): what the victim sees after they click accept.

Screenshot (not reproduced): successful token theft.

Once the token is granted to us, we can pass it into GraphAPI and leverage it however we want.

Detect

Gather hunting information from the malicious link the user clicked:

  • Client_ID - identifies the application (can be in the attacker's tenant or YOUR tenant)

  • Redirect_URL - redirect URL to the malicious website

  • Scope - API permissions the application wants access to.

    • User.Read - Allows the app to read user information and basic company info.

    • User.ReadWrite - Allows the app to read and update user profile information.

    • User.ReadWrite.All - Read/write/update the full user profile. Can create/delete users and reset user passwords.

    • Mail.ReadWrite - Allows the app to read and write emails.

    • Files.ReadWrite - Allows the app to read/write files.

    • Calendars.ReadWrite - Allows the app to read and write the calendar (a TA can hunt for the incident response bridge call and join it).

    • User.Export.All - The app can request to export the user's personal data.
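The triage step above, pulling client_id, redirect_uri and scope out of the link a user reports, is the kind of thing worth scripting so every reported link is handled the same way. The parser below is an added example and is not code from this page or from PynAuth. It assumes a constructed sample link with a placeholder client_id and a placeholder redirect host, a constructed list of trusted redirect domains, and the high-risk scopes as listed on this page; it works on any OAuth 2.0 authorization-code URL, with the Microsoft endpoint as the common case.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Delegated Graph scopes this page calls out as high impact if a malicious app obtains them.
HIGH_RISK_SCOPES = {
    "User.ReadWrite.All", "Mail.ReadWrite", "Files.ReadWrite",
    "Calendars.ReadWrite", "User.Export.All",
}

# Domains the organisation legitimately redirects OAuth flows to (constructed for the example).
TRUSTED_REDIRECT_DOMAINS = {"example.com"}


def redirect_is_external(redirect_uri, trusted_domains) -> bool:
    """True when the redirect host is not a trusted domain or a subdomain of one."""
    if not redirect_uri:
        return True
    host = (urlparse(redirect_uri).hostname or "").lower()
    return not any(host == d or host.endswith("." + d) for d in trusted_domains)


def extract_consent_indicators(url: str) -> dict:
    """Pull the hunt fields (client_id, redirect_uri, scope) out of an authorize URL.

    'scope' is space separated; parse_qs decodes it whether it was encoded as %20 or '+'.
    """
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    scopes = query.get("scope", [""])[0].split()
    redirect_uri = query.get("redirect_uri", [None])[0]
    return {
        "authority": parsed.netloc,
        "client_id": query.get("client_id", [None])[0],
        "redirect_uri": redirect_uri,
        "redirect_external": redirect_is_external(redirect_uri, TRUSTED_REDIRECT_DOMAINS),
        "scopes": scopes,
        "high_risk_scopes": sorted(s for s in scopes if s in HIGH_RISK_SCOPES),
        # offline_access means a refresh token was requested too, which is why a
        # password reset alone does not cut off access.
        "refresh_token_requested": "offline_access" in scopes,
    }


def build_sample_url() -> str:
    """Constructed link of the kind recovered from a user report; ids and host are placeholders."""
    params = {
        "client_id": "PLACEHOLDER-CLIENT-ID",
        "response_type": "code",
        "redirect_uri": "https://attacker.invalid/callback",
        "scope": "User.Read Mail.ReadWrite offline_access",
        "prompt": "consent",
    }
    return "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?" + urlencode(params)


if __name__ == "__main__":
    for key, value in extract_consent_indicators(build_sample_url()).items():
        print(f"{key}: {value}")
```

The extracted client_id is what you pivot on in the audit and sign-in logs described next; a redirect host outside your trusted domains and any scope in the high-risk set are the two fields that should raise the priority of the ticket.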

Detection - Audit Logs

Log location:

  • Active Directory > Monitoring > Audit Logs

For every application consent, three corresponding audit log entries are created:

  • Consent to application

  • Add app role assignment grant to user

    • Application scope the app is requesting

  • Add delegated permissions grant

Consent to application

  • Initiated by <TA>: <malicious clientID of app>

  • Target Display Name: <malicious app name>

"Add app role assignment grant to user"

  • Activity

    • Status: successful/unsuccessful

    • ObjectID - malicious app objectID/clientID

    • Target Display Name: <malicious app name>

Within "Add delegated permissions grant" you can see what permissions were granted in New Value.

  • New Value: <permissions granted to malicious app>

Detection - Sign-In Logs

Log location:

  • Active Directory > Monitoring > User sign-in logs (interactive)

Information Displayed:

  • IP address: <TA IP used>

  • Application: <display name of malicious app>

  • User ID: <objectID of malicious app>

  • User: <victim account name>

  • Authentication Required: <always single factor, because the sign-in is made with the access token>

    • If it is single factor, that is an indicator of an access-token-related attack.
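The two detection sections above describe one hunt: group the three audit entries of a consent, pull the app name, object ID and granted permissions out of them, then look for sign-ins by that app that only required a single factor. The script below is an added example, not code from this page, that carries that hunt out on records exported from the Graph API. The sample records are constructed; their field names (correlationId, activityDisplayName, targetResources, modifiedProperties, appDisplayName, servicePrincipalId, authenticationRequirement) follow the Graph directoryAudit and signIn schemas as I understand them, and the quoted "newValue" encoding is an assumption about how the portal's New Value field is stored.

```python
import json

# Constructed sample records in the shape of Graph directoryAudit objects (placeholder values).
AUDIT_RECORDS = [
    {"correlationId": "corr-1", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "victim@example.com"}},
     "targetResources": [{"id": "sp-object-1", "displayName": "Contoso Mail Helper",
                          "modifiedProperties": []}]},
    {"correlationId": "corr-1", "activityDisplayName": "Add app role assignment grant to user",
     "initiatedBy": {"user": {"userPrincipalName": "victim@example.com"}},
     "targetResources": [{"id": "sp-object-1", "displayName": "Contoso Mail Helper",
                          "modifiedProperties": []}]},
    {"correlationId": "corr-1", "activityDisplayName": "Add delegated permission grant",
     "initiatedBy": {"user": {"userPrincipalName": "victim@example.com"}},
     "targetResources": [{"id": "grant-1", "displayName": None, "modifiedProperties": [
         {"displayName": "DelegatedPermissionGrant.Scope",
          "newValue": "\"User.Read Mail.ReadWrite offline_access\""}]}]},
    # A benign consent with a low-risk scope, which should not be flagged.
    {"correlationId": "corr-2", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"id": "sp-object-2", "displayName": "Expense Viewer",
                          "modifiedProperties": []}]},
    {"correlationId": "corr-2", "activityDisplayName": "Add delegated permission grant",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"id": "grant-2", "displayName": None, "modifiedProperties": [
         {"displayName": "DelegatedPermissionGrant.Scope", "newValue": "\"User.Read\""}]}]},
]

# Constructed sample records in the shape of Graph signIn objects (documentation IP ranges).
SIGNIN_RECORDS = [
    {"createdDateTime": "2024-01-10T09:12:00Z", "userPrincipalName": "victim@example.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Contoso Mail Helper",
     "servicePrincipalId": "sp-object-1", "authenticationRequirement": "singleFactorAuthentication"},
    {"createdDateTime": "2024-01-10T09:30:00Z", "userPrincipalName": "victim@example.com",
     "ipAddress": "203.0.113.45", "appDisplayName": "Office 365 Exchange Online",
     "servicePrincipalId": "sp-object-9", "authenticationRequirement": "multiFactorAuthentication"},
    {"createdDateTime": "2024-01-11T14:02:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.46", "appDisplayName": "Expense Viewer",
     "servicePrincipalId": "sp-object-2", "authenticationRequirement": "singleFactorAuthentication"},
]

# The three activities this page says every consent produces (both spellings of the grant entry).
CONSENT_ACTIVITIES = {
    "Consent to application",
    "Add app role assignment grant to user",
    "Add delegated permission grant",
    "Add delegated permissions grant",
}

HIGH_RISK = {"User.ReadWrite.All", "Mail.ReadWrite", "Files.ReadWrite",
             "Calendars.ReadWrite", "User.Export.All"}


def _unquote(value):
    """newValue is assumed to be a JSON-encoded string; fall back to the raw value."""
    try:
        decoded = json.loads(value)
        return decoded if isinstance(decoded, str) else value
    except (TypeError, ValueError):
        return value


def consent_events(audit_records):
    """Group the audit entries of one consent by correlationId and extract the hunt fields."""
    events = {}
    for rec in audit_records:
        if rec.get("activityDisplayName") not in CONSENT_ACTIVITIES:
            continue
        ev = events.setdefault(rec["correlationId"], {
            "user": None, "app_name": None, "app_object_id": None,
            "permissions": [], "activities": []})
        ev["activities"].append(rec["activityDisplayName"])
        ev["user"] = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName") or ev["user"]
        for target in rec.get("targetResources", []):
            if target.get("displayName") and ev["app_name"] is None:
                ev["app_name"], ev["app_object_id"] = target["displayName"], target.get("id")
            for prop in target.get("modifiedProperties", []):
                if "Scope" in (prop.get("displayName") or ""):
                    ev["permissions"] = _unquote(prop.get("newValue")).split()
    return events


def suspicious_consents(audit_records):
    """Consents that granted at least one of the high-risk scopes listed on this page."""
    return {cid: ev for cid, ev in consent_events(audit_records).items()
            if HIGH_RISK & set(ev["permissions"])}


def flag_token_signins(signin_records, consents):
    """Sign-ins via a flagged app that needed only a single factor: access-token use."""
    names = {ev["app_name"] for ev in consents.values()}
    ids = {ev["app_object_id"] for ev in consents.values()}
    hits = []
    for s in signin_records:
        via_flagged_app = s.get("appDisplayName") in names or s.get("servicePrincipalId") in ids
        if via_flagged_app and s.get("authenticationRequirement") == "singleFactorAuthentication":
            hits.append({"time": s.get("createdDateTime"), "user": s.get("userPrincipalName"),
                         "ip": s.get("ipAddress"), "app": s.get("appDisplayName")})
    return hits


if __name__ == "__main__":
    flagged = suspicious_consents(AUDIT_RECORDS)
    for cid, ev in flagged.items():
        print(cid, ev["user"], ev["app_name"], ev["permissions"])
    for hit in flag_token_signins(SIGNIN_RECORDS, flagged):
        print(hit)
```

The join on display name is deliberately the weak one: an attacker chooses the app name, so the servicePrincipalId match is the one to trust, and the name match is there only because that is what the portal surfaces first.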

Mitigate

Don't allow users to consent without Admin approval.

Application Administrators and Global Administrators should be required to approve applications.

  • Entra ID > Enterprise Applications > Consent and Permissions

Block users from adding gallery apps to My Apps.

If this option is set to Yes, users may add any app that supports password single sign-on to My Apps without an admin needing to pre-integrate it. If it is set to No, admins must manually integrate these applications before users can see them in My Apps.

  • Entra ID > Enterprise Applications > User Settings

Allow users to consent to apps only from verified publishers.

  • Malicious apps can still be "verified": verification requires the TA to have a Microsoft Partner Network (MPN) ID and to have completed the publisher verification process, among other requirements.

Admin Consent Settings

Microsoft Entra ID > Enterprise Applications > Consent and permissions

  • Can assign groups of Admins who can approve consent for end-users.

The more you limit the scope of the groups, the better.

How to see what apps the user consented to:

  • Entra ID > Users > [Select User] > Applications

Limit Graph API Permissions Users Can Consent To

  • Limit the permissions users can consent to, following least privilege.
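The mitigations above are portal settings, which drift. A check that reads the tenant's exported consent policy and reports the weak states is an added example, not code from this page or from Microsoft. It assumes two constructed policy documents in the shape of the Graph authorizationPolicy and adminConsentRequestPolicy resources (field names as I understand the Graph schema) and the built-in permission-grant policy IDs Microsoft assigns for the "allow all" and "verified publishers, low risk" user consent settings; the reviewer group ID is a placeholder.

```python
# Built-in permission-grant policy ids assigned when the user consent setting is changed
# (per the authorizationPolicy documentation; treat as an assumption and verify in your tenant).
USER_CONSENT_ALL = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
USER_CONSENT_VERIFIED_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


def assess_consent_posture(authorization_policy: dict, admin_consent_request_policy: dict) -> list:
    """Return (severity, finding) tuples for the settings this page recommends."""
    findings = []
    assigned = (authorization_policy.get("defaultUserRolePermissions", {})
                .get("permissionGrantPoliciesAssigned", []))

    # "Don't allow users to consent without Admin approval"
    if USER_CONSENT_ALL in assigned:
        findings.append(("high", "users can consent to any app for any delegated permission"))
    elif USER_CONSENT_VERIFIED_LOW_RISK in assigned:
        findings.append(("medium", "users can consent to verified-publisher apps for low-risk "
                                   "permissions; malicious apps can still be verified"))
    elif not assigned:
        findings.append(("info", "user consent disabled; all consent goes through admins"))
    else:
        findings.append(("medium", f"custom consent policies assigned: {assigned}; "
                                   "review which permissions they include"))

    # "Admin Consent Settings": the workflow and the reviewers who approve requests
    if not admin_consent_request_policy.get("isEnabled"):
        findings.append(("high", "admin consent workflow disabled; blocked users have no "
                                 "approval path and will look for workarounds"))
    else:
        reviewers = admin_consent_request_policy.get("reviewers", [])
        if not reviewers:
            findings.append(("high", "admin consent workflow has no reviewers assigned"))
        elif len(reviewers) > 2:
            findings.append(("low", f"{len(reviewers)} reviewer scopes; the narrower the better"))
    return findings


def worst_severity(findings) -> str:
    """Highest severity among the findings, 'info' when there is nothing to report."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.__getitem__, default="info")


# Constructed sample documents: a tenant left at the permissive setting, and a hardened one.
WEAK_TENANT = (
    {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [USER_CONSENT_ALL]}},
    {"isEnabled": False, "reviewers": []},
)
HARDENED_TENANT = (
    {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}},
    {"isEnabled": True,
     "reviewers": [{"query": "/groups/PLACEHOLDER-GROUP-ID/transitiveMembers"}]},
)

if __name__ == "__main__":
    for label, docs in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        findings = assess_consent_posture(*docs)
        print(f"{label}: worst={worst_severity(findings)}")
        for sev, text in findings:
            print(f"  [{sev}] {text}")
```

Run it against the JSON you get back from the Graph API for the two policy resources and keep it in whatever periodic configuration check you already have, so a re-enabled "allow user consent" shows up the day it changes rather than during the next incident.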

References

  • An Introduction to OAuth 2 | DigitalOcean

  • GitHub - Synzack/PynAuth