Module Overview
GhostSP is an advanced automation utility for Azure Active Directory that programmatically creates and manages "shadow" Service Principals (SPs). It generates new SPs with names and permission sets mimicking legitimate DevOps accounts, automates their lifecycle, and provides interfaces for stealthy persistence.
Automation
Automates SP creation, credential rotation, and CI/CD pipeline injection
Stealth
Mimics legitimate accounts to evade detection
Interfaces
Provides CLI and REST interfaces for management
Advanced Red Team Tactics
Egress Filter Bypass
GhostSP can tunnel traffic through legitimate Azure services to bypass network egress filters.
AV Evasion
Uses Azure-native APIs and PowerShell remoting to avoid traditional AV detection vectors.
Privilege Escalation
Exploits Azure RBAC misconfigurations to escalate from Reader to Contributor/Owner.