A compromised Entra agent blueprint in one tenant can be used to authenticate as agent identities created from that blueprint in another tenant, enabling cross-tenant takeover similar to Midnight Blizzard. By adding a credential to the People Team Agents blueprint, the attacker ultimately abused the Temporary Access Agent to set a Temporary Access Pass (TAP) on a Global Administrator account and gain full tenant access. #Entra #PeopleTeamAgents #TemporaryAccessAgent #MidnightBlizzard
Keypoints
- A third-party Entra agent blueprint can be compromised to affect every agent created from it, even across tenants.
- The post demonstrates a cross-tenant attack path similar to Midnight Blizzard.
- The attacker first compromises an Agent ID Administrator in the corporate tenant.
- Using Microsoft Graph, the attacker adds a new credential to the People Team Agents blueprint.
- The attacker discovers a subsidiary tenant by identifying a guest account and resolving its domain to a tenant ID.
- With the blueprint secret, the attacker authenticates as the blueprint principal in the subsidiary tenant and finds the Temporary Access Agent.
- The Temporary Access Agent’s permissions are abused to create a Temporary Access Pass for a Global Administrator account, bypassing password and MFA.
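The blueprint credential addition and the TAP registration are the two steps of this chain that leave records in the Entra audit log. As an added example that is not part of the Datadog post, the following Python sketch parses constructed audit records laid out with the Microsoft Graph directoryAudit field names, flags credential additions on agent blueprint applications and TAP registrations on privileged accounts, and correlates the two within a time window. The activityDisplayName strings, the privileged-account list, the correlation window and all sample records are assumptions to be confirmed against a real tenant; only the blueprint identifier, the Temporary Access Agent service principal ID and the target user object ID are taken from the write-up's indicators.

```python
"""Correlate blueprint credential additions with TAP registrations on privileged users.

Added detection example, not code from the Datadog Security Labs post. Records follow
the Microsoft Graph directoryAudit shape; activity names below are assumptions and must
be verified against the tenant's own audit log before use.
"""
import json
from datetime import datetime, timedelta

# Blueprint identifier from the write-up (People Team Agents). Confirm whether your audit
# records carry the application object ID or the application (client) ID and list that one.
BLUEPRINT_IDS = {"0cec06c9-146f-4c91-a4d6-c5085d95bab4"}
# Constructed: accounts holding Global Administrator or other privileged roles.
PRIVILEGED_UPNS = {"globaladmin@subsidiary.com"}
# Assumed activity names (verify in the tenant before relying on them).
CRED_ACTIVITY = "Update application – Certificates and secrets management"
TAP_ACTIVITY = "Admin registered temporary access pass method for user"
CORRELATION_WINDOW = timedelta(hours=2)

# Constructed sample audit log, one JSON record per line.
SAMPLE_AUDIT_LOG = """\
{"activityDateTime": "2025-01-10T09:00:00Z", "activityDisplayName": "Update application – Certificates and secrets management", "category": "ApplicationManagement", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "agentadmin@corp.example"}}, "targetResources": [{"id": "0cec06c9-146f-4c91-a4d6-c5085d95bab4", "type": "Application", "displayName": "People Team Agents", "modifiedProperties": [{"displayName": "KeyDescription", "oldValue": "[]", "newValue": "[KeyIdentifier=<redacted>,KeyType=Password]"}]}]}
{"activityDateTime": "2025-01-10T09:05:00Z", "activityDisplayName": "Update application – Certificates and secrets management", "category": "ApplicationManagement", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "devops@corp.example"}}, "targetResources": [{"id": "11111111-2222-3333-4444-555555555555", "type": "Application", "displayName": "Build Pipeline", "modifiedProperties": []}]}
{"activityDateTime": "2025-01-10T10:15:00Z", "activityDisplayName": "Admin registered temporary access pass method for user", "category": "UserManagement", "result": "success", "initiatedBy": {"app": {"displayName": "Temporary Access Agent", "servicePrincipalId": "413b521b-b57f-42c9-97fc-9ce3cde91b1f"}}, "targetResources": [{"id": "00aaadc5-0abb-41d9-4bea-2aa03948536f", "type": "User", "userPrincipalName": "globaladmin@subsidiary.com", "modifiedProperties": []}]}
{"activityDateTime": "2025-01-10T11:00:00Z", "activityDisplayName": "Admin registered temporary access pass method for user", "category": "UserManagement", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@subsidiary.com"}}, "targetResources": [{"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "type": "User", "userPrincipalName": "newhire@subsidiary.com", "modifiedProperties": []}]}
"""


def load_events(jsonl):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _when(event):
    # activityDateTime is ISO 8601 with a trailing Z; make it timezone-aware.
    return datetime.fromisoformat(event["activityDateTime"].replace("Z", "+00:00"))


def _initiator(event):
    """Return the UPN of the initiating user, or the display name of the initiating app."""
    by = event.get("initiatedBy", {})
    if by.get("user"):
        return by["user"].get("userPrincipalName", "unknown-user")
    if by.get("app"):
        return by["app"].get("displayName", "unknown-app")
    return "unknown"


def blueprint_credential_additions(events, watchlist=BLUEPRINT_IDS):
    """Successful secret/certificate changes on watched or agent-named applications."""
    hits = []
    for ev in events:
        if ev.get("activityDisplayName") != CRED_ACTIVITY or ev.get("result") != "success":
            continue
        for tr in ev.get("targetResources", []):
            if tr.get("type") != "Application":
                continue
            name = tr.get("displayName", "")
            if tr.get("id") in watchlist or "agent" in name.lower():
                hits.append({"time": _when(ev), "blueprint": name,
                             "id": tr.get("id"), "by": _initiator(ev)})
    return hits


def privileged_tap_registrations(events, privileged=PRIVILEGED_UPNS):
    """Successful TAP registrations whose target user is on the privileged list."""
    wanted = {p.lower() for p in privileged}
    hits = []
    for ev in events:
        if ev.get("activityDisplayName") != TAP_ACTIVITY or ev.get("result") != "success":
            continue
        for tr in ev.get("targetResources", []):
            upn = tr.get("userPrincipalName", "")
            if tr.get("type") == "User" and upn.lower() in wanted:
                hits.append({"time": _when(ev), "user": upn, "by": _initiator(ev)})
    return hits


def correlate(cred_hits, tap_hits, window=CORRELATION_WINDOW):
    """Pair each blueprint credential addition with privileged TAPs issued within the window."""
    alerts = []
    for c in cred_hits:
        for t in tap_hits:
            if c["time"] <= t["time"] <= c["time"] + window:
                delta = int((t["time"] - c["time"]).total_seconds() // 60)
                alerts.append({"severity": "high", "blueprint": c["blueprint"],
                               "credential_added_by": c["by"], "tap_user": t["user"],
                               "tap_issued_by": t["by"], "delta_minutes": delta})
    return alerts


def run(jsonl=SAMPLE_AUDIT_LOG):
    """End-to-end: parse, flag both event kinds, and correlate them."""
    events = load_events(jsonl)
    return correlate(blueprint_credential_additions(events), privileged_tap_registrations(events))


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert, default=str))
```

Either event on its own is worth a medium-severity ticket; the correlated pair (a blueprint gains a credential, then an agent issues a TAP for a privileged user shortly after) is what distinguishes this chain from routine secret rotation or help-desk onboarding, which is why the noise in the sample (the Build Pipeline secret and the new-hire TAP) is dropped.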
MITRE Techniques
- [T1098] Account Manipulation – The attacker adds a credential to the compromised blueprint to expand access across associated identities (‘the attacker adds a credential to the compromised blueprint’)
- [T1078] Valid Accounts – The attacker authenticates using the added blueprint secret and later uses the resulting access to sign in as the Temporary Access Agent and target user (‘authenticate as the blueprint principal’; ‘sign in with the “globaladmin” account’)
- [T1550] Use Alternate Authentication Material – The attacker uses a TAP as an alternate authentication factor to bypass password and MFA (‘This temporary credential bypasses both password and MFA’)
- [T1556] Modify Authentication Process – The attacker creates a Temporary Access Pass to alter the target account’s authentication method (‘allows takeover … by setting a TAP’)
- [T1190] Exploit Public-Facing Application – Microsoft Graph and Entra endpoints are used to interact with identity and authentication functions from outside the target tenant (‘send a POST request to the Microsoft Graph addPassword endpoint’)
- [T1136] Create Account – The attacker leverages the ability to create/manage agent identities associated with the blueprint (‘allows the blueprint to create and manage agents associated with it’)
Indicators of Compromise
- [Application IDs / Client IDs] used to identify the People Team Agents blueprint and agent authentication flows – 0cec06c9-146f-4c91-a4d6-c5085d95bab4, 11778f67-fffe-44ea-b745-6e59a16253d4
- [Object IDs / Service Principal IDs] referenced for the compromised agent and target user – 413b521b-b57f-42c9-97fc-9ce3cde91b1f, 00aaadc5-0abb-41d9-4bea-2aa03948536f
- [Secret / Credential] blueprint secret returned by Microsoft Graph for authenticating as the blueprint principal – NSN8[…Abbreviated…], NSN
- [Token / JWT] bearer token used to impersonate the blueprint principal and then the Temporary Access Agent – eyJ[…Blueprint Principal Token…], eyJ[…Token from First Exchange…]
- [Tenant ID] subsidiary tenant identifier recovered from OpenID configuration – [Subsidiary Tenant ID]
- [Domains / URLs] used to discover tenant and perform authentication or Graph operations – subsidiary.com, login.microsoftonline.com, graph.microsoft.com, portal.azure.com
- [File / Endpoint paths] Microsoft Graph and OAuth endpoints used in the attack chain – /beta/applications/0cec06c9-146f-4c91-a4d6-c5085d95bab4/addPassword, /beta/serviceprincipals/Microsoft.Graph.AgentIdentity?$filter=agentAppId+eq+'0cec06c9-146f-4c91-a4d6-c5085d95bab4', /v1.0/users/00aaadc5-0abb-41d9-4bea-2aa03948536f/authentication/temporaryAccessPassMethods
- [Other credential values] Temporary Access Pass and related parameters – MGJ[…TAP Credential…], lifetimeInMinutes=480
Read more: https://securitylabs.datadoghq.com/articles/agent-id-inside-agent-compromise/