
YAML Configuration Guide

mvelazco edited this page Jul 4, 2024 · 3 revisions


Overview

BadZure uses a YAML configuration file to define the setup of an Azure AD tenant, including the number of users, groups, applications, administrative units, and attack paths. This guide will help you understand the structure and options available in the YAML configuration file.

Example Configuration

tenant:
  tenant_id: your-tenant-guid
  domain: contoso.onmicrosoft.com
  users: 5
  applications: 2
  groups: 2
  administrative_units: 2

attack_paths:
  attack_path_1:
    enabled: true
    initial_access: password
    scenario: direct
    privilege_escalation: ServicePrincipalAbuse
    method: AzureADRole
    entra_role: random

  attack_path_2:
    enabled: true
    initial_access: token
    scenario: helpdesk
    privilege_escalation: ServicePrincipalAbuse
    method: GraphAPIPermission
    app_role: random

  attack_path_3:
    enabled: false
    initial_access: token
    scenario: helpdesk
    privilege_escalation: ServicePrincipalAbuse
    method: GraphAPIPermission
    app_role: random

Tenant Configuration

The tenant section defines the Azure AD tenant details and the number of entities to create.

  • tenant_id: The unique identifier for your Azure AD tenant.
  • domain: The domain associated with your Azure AD tenant.
  • users: The number of user accounts to create.
  • applications: The number of application registrations to create.
  • groups: The number of groups to create.
  • administrative_units: The number of administrative units to create.

Attack Paths Configuration

The attack_paths section defines different attack paths to simulate within the tenant. Each attack path can have its own configuration.

Common Attack Path Options

  • enabled: A boolean indicating whether the attack path is enabled.

    • true: The attack path is enabled and will be configured.
    • false: The attack path is disabled and will not be configured.
  • initial_access: The method of initial access, either password or token.

    • password: Assigns a password to the user for initial access, simulating scenarios where an attacker has obtained valid credentials.
    • token: Generates JWT access tokens for initial access, simulating scenarios where an attacker uses stolen tokens.
  • scenario: The scenario type, such as direct or helpdesk.

    • direct: Simulates direct access scenarios where the attacker gains initial access through user accounts with assigned passwords or tokens.
    • helpdesk: Simulates scenarios where the attacker gains initial access through helpdesk accounts with specific roles.
  • privilege_escalation: The method of privilege escalation, such as ServicePrincipalAbuse.

    • ServicePrincipalAbuse: Simulates privilege escalation by abusing misconfigurations in service principal roles and permissions.
  • method: The method used, such as AzureADRole or GraphAPIPermission.

    • AzureADRole: Assigns Azure AD roles to users or applications to simulate privilege escalation through role abuse.
    • GraphAPIPermission: Assigns Graph API permissions to applications to simulate privilege escalation through permission abuse.

Specific Attack Path Options

  • entra_role: Specifies the Entra role for the attack path. Set to random to assign a random role.
  • app_role: Specifies the application role for the attack path. Set to random to assign a random app role.