BARK: BloodHound Attack Research Kit
BloodHound Attack Research Kit
BARK stands for BloodHound Attack Research Kit. It is a PowerShell script built to assist the BloodHound Enterprise team with researching and continuously validating abuse primitives. BARK currently focuses on Microsoft’s Azure suite of products and services.
BARK requires no third-party dependencies. BARK’s functions are designed to be as simple and maintainable as possible. Most functions are very simple wrappers for making requests to various REST API endpoints. BARK’s basic functions do not even require each other – you can pull almost any BARK function out of BARK and it will work perfectly as a standalone function in your own scripts.
Token Management and Manipulation Functions
Parse-JWTTokenwill take a Base64 encoded JWT as input and parse it for you. Useful for verifying correct token audience and claims.
Get-AZRefreshTokenWithUsernamePasswordrequests a collection of tokens, including a refresh token, from login.microsoftonline.com with a user-supplied username and password. This will fail if the user has Multi-Factor Authentication requirements or is affected by a Conditional Access Policy.
Get-MSGraphTokenWithClientCredentialsrequests an MS Graph-scoped JWT with a client ID and secret. Useful for authenticating as an AzureAD service principal.
Get-MSGraphTokenWithRefreshTokenrequests an MS Graph-scoped JWT with a user-supplied refresh token.
Get-MSGraphTokenWithPortalAuthRefreshTokenrequests an MS Graph-scoped JWT with a user-supplied Azure Portal Auth Refresh token.
Get-AzureRMTokenWithClientCredentialsrequests an AzureRM-scoped JWT with a client ID and secret. Useful for authenticating as an AzureAD service principal.
Get-ARMTokenWithPortalAuthRefreshTokenrequests an AzureRM-scoped JWT with a user-supplied Azure Portal Auth Refresh token.
Get-ARMTokenWithRefreshTokenrequests an AzureRM-scoped JWT with a user-supplied refresh token.
Get-AzurePortalTokenWithRefreshTokenrequests an Azure Portal Auth Refresh token with a user-supplied refresh token.
The refresh token-based functions in BARK are based on functions in https://github.com/rvrsh3ll/TokenTactics by [https://twitter.com/424f424f](Steve Borosh)
Set-AZUserPasswordwill attempt to set the password of another user to a new user-provided value.
Reset-AZUserPasswordwill attempt to reset the password of another user. If successful, the output will contain the new, Azure-generated password of the user
New-AzureRMRoleAssignmentwill attempt to grant a user-specified AzureRM role assignment to a particular principal over a certain scope.
New-AppRegSecretwill attempt to create a new secret for an existing AzureAD app registration.
New-ServicePrincipalSecretwill attempt to create a new secret for an existing AzureAD service principal.
New-AppRoleAssignmentwill attempt to grant an app role to a service principal. For example, you can use this to grant a service principal the RoleManagement.ReadWrite.Directory app role.
Get-AzureRMRoleDefinitionscollects all role definitions described at a subscription scope, including custom roles.
Get-MGAppRolescollects the app roles made available by the MS Graph service principal.
Get-AllAzureADAppscollects all AzureAD application registration objects.
Get-AllAzureADServicePrincipalscollects all AzureAD service principal objects.
Get-AllAzureADUserscollects all AzureAD users.
Get-AllAzureADGroupscollects all AzureAD groups.
Get-AllAzureRMSubscriptionscollects all AzureRM subscriptions.
Test-AzureRMAddSelfToAzureRMRoleused in abuse validation testing to determine whether a service principal with certain rights can grant itself the User Access Admin role over a subscription.
Test-AzureRMCreateFunctionused in abuse validation testing to test if a service principal can add a new function to an existing function app.
Invoke-AllAzureRMAbuseTestsperforms all AzureRM abuse validation tests and outputs a resulting object that describes which AzureRM roles granted the ability to perform each abuse.
Remove-AbuseTestAzureRMRolesis a clean-up function for removing AzureRM admin roles created during testing.
Remove-AbuseTestServicePrincipalscleans up abuse tests by removing the serivce principals that were created during testing.
New-TestAppRegcreates an application registration object for the explicit purpose of abuse validation testing.
New-TestSPcreates a new service principal and associates it with the app created by the above function.
Test-MGAddSelfAsOwnerOfAppis used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself ownership of an existing AzureAD app.
Test-MGAddSelfAsOwnerOfSPis used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself ownership of an existing AzureAD service principal.
Test-MGAddSelfToAADRoleis used in abuse validation testing to determine whether a service principal with a particular privilege can add itself to an AzureAD admin role – Global Admin, for example.
Test-MGAddSelfToMGAppRoleis used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself a particular MS Graph app role without admin consent.
Test-MGAddOwnerToRoleEligibleGroupis used to test whether a service principal can grant itself explicit ownership of a role assignable group.
Test-MGAddMemberToRoleEligibleGroupis used to test whether the service principal can add itself to a role assignable group.
Test-MGAddSecretToSPis used to test whether the service principal can add a new secret to an existing service principal.
Test-MGAddSecretToAppis used to test whether the service principal can add a new secret to an existing app.
Invoke-AllAzureMGAbuseTestsperforms all abuse validation tests that can be executed by holding an MS Graph app role. Returns an object describing which privileges were successful at performing each abuse test.
Invoke-AllAzureADAbuseTestsperforms all abuse validation tests that can be executed by principals granted AzureAD admin roles. Returns an object describing which privileges were successful at performing each abuse test.
ConvertTo-Markdownis used for massaging output from the Invoke-Tests functions for usage in another platform.
Copyright (C) 2022 andyrobbins