Documentation Index
Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
Use this file to discover all available pages before exploring further.
Any principal that can obtain a token from the FIC’s trusted issuer matching its subject claim can authenticate as the App Registration, which in turn runs as its associated Service Principal via the AZRunsAs relationship.
Abuse Info
No additional abuse is necessary to traverse this edge. The abuse primitive is captured on the edge leading to this FIC. Once a token has been obtained from the FIC’s trusted issuer, it can be exchanged at the Microsoft identity platform token endpoint for an access token authenticating as the target App Registration.
From there, follow the AZRunsAs edge to understand what Service Principal context, and associated permissions, the attacker gains.
Opsec Considerations
No opsec considerations apply to this edge.
References
Understanding Federated Identity Credentials: Simplifying Secure Access
