Slide 1

How Criminals Breach your Azure Environment
Marco Schmidt & Manuel Meyer

Slide 2

whoami - Manu
Azure Architect @ GrabX Solutions
Leading your way through the Azure Cloud
Zurich, Switzerland
Organizing community events
manuelmeyer.net

Slide 3

whoami - Marco
Security Engineer @ GrabX Solutions
Working with customers to protect their cloud environments
Bern, Switzerland
Like to break things
thesecurityguy.ch

Slide 4

Introduction
• Fictional scenario of an attack kill chain in the cloud
• All techniques are valid attack techniques and have been used by threat actors in the past
• The scenario has been simplified to fit the session
• REMEMBER: With great power comes great responsibility! 💪

Slide 5

(no text on slide)

Slide 6

Kill chain phases: Reconnaissance -> Initial Access -> Defense Evasion -> Privilege Escalation -> Lateral Movement
Steps: Find Passwords -> User Enumeration -> Password Spray -> Conditional Access Bypass -> Abusing Dynamic Groups -> Abusing VM Contributor Role

Slide 7

Reconnaissance

Slide 8

Find Passwords
How do hackers get your passwords?
• Open Source Intelligence (OSINT)
• Phishing
• Darkweb
• Dumpster Diving
• Password Attacks
• Malware
• Etc.

Slide 9

Find Passwords
How can you protect against this?
• Use Passkeys
• Entra ID Smart Lockout
• M365 Defender Suite
• User Awareness Training
• Most important: Brain.exe

Slide 10

User Enumeration

Slide 11

User Enumeration

Slide 12

User Enumeration

Slide 13

AADInternals
• First released in 2018 by security researcher Dr. Nestori Syynimaa
• "The ultimate Azure AD / Microsoft 365 hacking and admin toolkit"
• License: Creative Commons

Slide 14

AADInternals: Kill chain roles

Slide 15

(no text on slide)

Slide 16

User Enumeration
How can you protect against this?
• You can't

Slide 17

Kill chain progress: Reconnaissance -> Initial Access
Result: Enumerated existing users

Slide 18

Password Spray
Diagram: the single password AzureBootCamp2024! is tried against every user; the users' actual passwords are Passw0rd123!, Winter2011$ and AzureBootCamp2024!, so one user's password matches the sprayed password.

Slide 19

Password Spray
• API Endpoint: https://login.microsoft.com/common/oauth/token
• API Responses:
  • AADSTS50034 -> User doesn't exist
  • AADSTS50126 -> Invalid password
  • AADSTS50076 or AADSTS50079 -> MFA response
  • AADSTS50057 -> Disabled account
  • AADSTS50055 -> Password expired

Slide 20

MSOLSpray
• Uses Entra ID error codes to find out information about accounts
• Can find out if an account has MFA enabled without triggering notifications
• Can use FireProx to rotate source IPs and avoid detection and lockout
• First released in 2020 by penetration tester Beau Bullock (MIT License)
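
Added example (not from the slides or from MSOLSpray): a small Python detector that reads constructed Entra ID sign-in records and uses the AADSTS codes from Slide 19 to spot the spray shape described on Slides 18 to 20, many accounts with one or two attempts each from a single source. The record format, thresholds and sample data are assumptions.

```python
import json
from collections import defaultdict

# AADSTS codes listed on Slide 19 and what each one reveals to the caller.
AADSTS = {
    50034: "user does not exist",
    50126: "invalid password",
    50076: "MFA required",
    50079: "MFA registration required",
    50057: "account disabled",
    50055: "password expired",
}
# Every code except 50034 confirms the username exists; 50076/50079 also
# confirm the guessed password was correct and only MFA blocked the sign-in.
USER_EXISTS = set(AADSTS) - {50034}
PASSWORD_CORRECT = {50076, 50079}

# Constructed sign-in records (one JSON object per line); not real data.
SAMPLE_LOG = """
{"ts":"2024-05-02T08:00:01Z","ip":"203.0.113.7","user":"alice@example.com","code":50126}
{"ts":"2024-05-02T08:00:02Z","ip":"203.0.113.7","user":"bob@example.com","code":50126}
{"ts":"2024-05-02T08:00:03Z","ip":"203.0.113.7","user":"carol@example.com","code":50076}
{"ts":"2024-05-02T08:00:04Z","ip":"203.0.113.7","user":"dave@example.com","code":50034}
{"ts":"2024-05-02T08:00:05Z","ip":"203.0.113.7","user":"erin@example.com","code":50057}
{"ts":"2024-05-02T08:01:00Z","ip":"198.51.100.9","user":"alice@example.com","code":50126}
{"ts":"2024-05-02T08:01:05Z","ip":"198.51.100.9","user":"alice@example.com","code":50126}
"""

def parse_signins(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def spray_report(events, min_users=5, max_attempts_per_user=2):
    """Group failed sign-ins by source IP; spray = many accounts, few attempts each."""
    by_ip = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e["code"] in AADSTS:
            by_ip[e["ip"]][e["user"]].append(e["code"])
    report = {}
    for ip, users in by_ip.items():
        attempts = [len(codes) for codes in users.values()]
        all_codes = [c for codes in users.values() for c in codes]
        report[ip] = {
            "distinct_users": len(users),
            "max_attempts_per_user": max(attempts),
            # accounts the caller now knows to be real, whatever the outcome
            "confirmed_users": sum(1 for codes in users.values() if USER_EXISTS & set(codes)),
            # sign-ins where the password was right and MFA was the only barrier
            "password_hits": sum(1 for c in all_codes if c in PASSWORD_CORRECT),
            "is_spray": len(users) >= min_users and max(attempts) <= max_attempts_per_user,
        }
    return report
```

A real deployment would read the Entra ID sign-in log export and tune the thresholds per tenant; the "password_hits" counter is the one worth paging on, because those accounts are protected by MFA alone.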

Slide 21

MSOLSpray

Slide 22

Password Spray
How can you protect against this?
• Make users use strong passwords
• Use passwordless authentication

Slide 23

Kill chain progress: Reconnaissance -> Initial Access -> Defense Evasion
Result: Found password for initial access

Slide 24

Conditional Access Bypass

Slide 25

Conditional Access Bypass
• Common Attack Vectors:
  • Location
  • Exclusion Group Abuse
  • Device Platform
  • MITM Attacks (e.g. with Evilginx)
  • MFA Bombing
  • Social Engineering
  • Etc.

Slide 26

Conditional Access Bypass
• Common Attack Vectors:
  • Avoid Conditional Access completely by getting access to an excluded user!
  • Who is typically excluded?
    • BreakGlass Admins
    • Lazy Admins
    • Service Accounts
    • Angry Complaining Users

Slide 27

Conditional Access Bypass
• Common Attack Vectors:
  • Location
  • Exclusion Group Abuse
  • Device Platform
  • MITM Attacks (e.g. with Evilginx)
  • MFA Bombing
  • Social Engineering
  • Etc.

Slide 28

(no text on slide)

Slide 29

(no text on slide)

Slide 30

Conditional Access Bypass
How can you protect against this?
• Keep the exclusion list as short as possible
• Create block rules to prevent access in unwanted scenarios
• Pay attention to conditions
• Use the CA gap analyzer workbook

Slide 31

CA gap analyzer
Prereqs:
• Microsoft Entra Premium P1
• Log Analytics Workspace
• Role for Azure Monitor and Entra ID

Slide 32

CA gap analyzer

Slide 33

CA gap analyzer

Slide 34

(no text on slide)

Slide 35

(no text on slide)

Slide 36

(no text on slide)

Slide 37

CA gap analyzer
Preview Features:
• Named Locations with no Conditional Access coverage
• Sign-ins from IPv6 addresses not assigned to a Named Location

Slide 38

Kill chain progress: Reconnaissance -> Initial Access -> Defense Evasion -> Privilege Escalation
Result: Bypassed Conditional Access Policies

Slide 39

Demo Time

Slide 40

Entra ID Guest Accounts – Default Settings

Slide 41

(screenshot: three guest-account settings, each annotated with the Default and the Recommended value)

Slide 42

Abusing Dynamic Groups
• Scenario:
  • Company has outsourced Azure VM management to another company
  • The name of this fictional company is: VMGenius.io
  • All users are invited as Guest Users

Slide 43

Abusing Dynamic Groups
Group has Virtual Machine Contributor Role

Slide 44

Abusing Dynamic Groups
Group has Virtual Machine Contributor Role

Slide 45

Abusing Dynamic Groups

Slide 46

Abusing Dynamic Groups
How can you protect against this?
• Don't allow all users to invite guest accounts
• Don't base dynamic group membership rules on user-controlled attributes
• Be aware that even non-user-controlled attributes could be changed somehow (e.g. from Entra ID Cloud Sync)
• Be careful when designing dynamic group membership rules
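
Added example (not from the slides): a Python linter for Entra ID dynamic membership rules that applies the advice on Slide 46 to the VMGenius.io scenario from Slide 42, flagging clauses built on attributes a guest can set and, less severely, attributes that a sync process can change. The attribute risk classes, the sample rules and the clause parser are assumptions made for this illustration.

```python
import re

# Risk classes are assumptions for this example, not Microsoft documentation.
# Attributes a guest user (or the guest's home tenant) can typically set.
USER_CONTROLLED = {"displayName", "givenName", "surname", "mail", "otherMails",
                   "jobTitle", "companyName", "mobile"}
# Attributes normally written by an admin or a sync process such as Entra ID
# Cloud Sync: not user-controlled, but still changeable outside the tenant.
SYNC_CONTROLLED = {"department", "employeeId", "extensionAttribute"}
# String operators that a crafted value satisfies easily.
LOOSE_OPERATORS = {"-contains", "-match", "-startsWith", "-notContains"}

# One clause of the rule syntax: user.<attribute> <operator> <value>
CLAUSE_RE = re.compile(r'user\.(\w+)\s+(-\w+)\s+("[^"]*"|\S+)')

def lint_rule(rule):
    """Return (attribute, operator, risk) for every clause in a membership rule."""
    findings = []
    for attr, op, _value in CLAUSE_RE.findall(rule):
        base = re.sub(r"\d+$", "", attr)  # extensionAttribute7 -> extensionAttribute
        if base in USER_CONTROLLED:
            risk = "high: user-controlled attribute"
        elif base in SYNC_CONTROLLED:
            risk = "medium: set by admin or sync, verify who can change it"
        else:
            risk = "low: tenant-managed attribute"
        if op in LOOSE_OPERATORS and not risk.startswith("low"):
            risk += ", loose operator " + op
        findings.append((attr, op, risk))
    return findings

def highest_risk(rule):
    """Collapse the findings to the single worst level for a quick verdict."""
    levels = {risk.split(":")[0] for _, _, risk in lint_rule(rule)}
    for level in ("high", "medium", "low"):
        if level in levels:
            return level
    return "none"

# Constructed rules: the outsourcing scenario's group, then a stricter variant.
VMGENIUS_RULE = '(user.userType -eq "Guest") and (user.mail -contains "vmgenius.io")'
STRICTER_RULE = '(user.userType -eq "Guest") and (user.extensionAttribute7 -eq "vm-ops-approved")'
```

Even the stricter rule only drops to medium, matching the slide's warning that admin-set attributes can still change through sync; for a group holding Virtual Machine Contributor, assigned membership is the safer design.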

Slide 47

Kill chain progress: Reconnaissance -> Initial Access -> Defense Evasion -> Privilege Escalation -> Lateral Movement
Result: Escalation to privileged role

Slide 48

Abusing VM Contributor Role
• It is a privileged role
• It can execute scripts on VMs with SYSTEM privileges
• Abuse examples:
  • Extract NTLM hashes from VMs
  • Install malware on systems
  • Extract information from file servers
  • Elevate privileges from cloud-only to on-prem
• Real-life example:
  • Threat actor UNC3944 uses the Serial Console to deploy remote management software
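
Added example (not from the slides): a Python check over constructed Azure Activity Log records that flags the operations through which a Virtual Machine Contributor can run code on a VM, the capability Slide 48 warns about, when the caller is a guest account or not on an operator allowlist. The record shape is simplified, the allowlist is constructed, and the serial console operation name is an assumption; the Run Command and extension operation names are Azure's own.

```python
import json

# Operations through which a Virtual Machine Contributor can run code on a VM.
# Run Command and extension writes are Azure operation names; the serial
# console name is an assumption for this example.
CODE_EXEC_OPS = {
    "Microsoft.Compute/virtualMachines/runCommand/action": "Run Command (SYSTEM/root on the VM)",
    "Microsoft.Compute/virtualMachines/extensions/write": "VM extension write (e.g. Custom Script)",
    "Microsoft.SerialConsole/serialPorts/connect/action": "Serial Console connect",
}
# Constructed allowlist of operators who are expected to run code on VMs.
ALLOWED_CALLERS = {"vmops@example.com"}

# Constructed, simplified Activity Log records; not real data.
SAMPLE_ACTIVITY = """
{"caller":"jane_vmgenius.io#EXT#@example.onmicrosoft.com","operationName":"Microsoft.Compute/virtualMachines/runCommand/action","resourceId":"/subscriptions/sub-placeholder/resourceGroups/rg-vms/providers/Microsoft.Compute/virtualMachines/vm-fs01","status":"Succeeded"}
{"caller":"vmops@example.com","operationName":"Microsoft.Compute/virtualMachines/extensions/write","resourceId":"/subscriptions/sub-placeholder/resourceGroups/rg-vms/providers/Microsoft.Compute/virtualMachines/vm-web01/extensions/CustomScript","status":"Succeeded"}
{"caller":"jane_vmgenius.io#EXT#@example.onmicrosoft.com","operationName":"Microsoft.Compute/virtualMachines/start/action","resourceId":"/subscriptions/sub-placeholder/resourceGroups/rg-vms/providers/Microsoft.Compute/virtualMachines/vm-fs01","status":"Succeeded"}
{"caller":"bob@example.com","operationName":"Microsoft.SerialConsole/serialPorts/connect/action","resourceId":"/subscriptions/sub-placeholder/resourceGroups/rg-vms/providers/Microsoft.Compute/virtualMachines/vm-dc01","status":"Succeeded"}
"""

def parse_activity(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_guest(caller):
    # Guest (B2B) accounts carry the #EXT# marker in their UPN.
    return "#EXT#" in caller.upper()

def vm_name(resource_id):
    parts = resource_id.split("/")
    return parts[parts.index("virtualMachines") + 1]

def suspicious_vm_ops(events):
    """Flag code-execution operations by guest accounts or callers outside the allowlist."""
    findings = []
    for e in events:
        what = CODE_EXEC_OPS.get(e["operationName"])
        if what is None:
            continue  # start/stop/read operations are not code execution
        reasons = []
        if e["caller"] not in ALLOWED_CALLERS:
            reasons.append("caller not on VM operator allowlist")
        if is_guest(e["caller"]):
            reasons.append("caller is a guest account")
        if reasons:
            findings.append({"caller": e["caller"], "vm": vm_name(e["resourceId"]),
                             "operation": what, "status": e["status"], "reasons": reasons})
    return findings
```

Real Activity Log exports emit Started/Succeeded/Failed records per operation, so a production version would dedupe on the correlation id; a failed Run Command by a guest is still worth a look.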

Slide 49

Kill chain phases: Reconnaissance -> Initial Access -> Defense Evasion -> Privilege Escalation -> Lateral Movement

Slide 50

Kill chain phases: Reconnaissance -> Initial Access -> Defense Evasion -> Privilege Escalation -> Lateral Movement
Steps: Find Passwords -> User Enumeration -> Password Spray -> Conditional Access Bypass -> Abusing Dynamic Groups -> Abusing VM Contributor Role

Slide 51

Conclusion
• Be careful when exposing information publicly
• Use built-in protection features from Microsoft
• Look at configurations from an attacker's perspective
• Keep an eye on your CA Policies and Dynamic Groups
• Don't be lazy! (at least in Cyber Security :) )

Slide 52

Contact:
Marco Schmidt: [email protected], thesecurityguy.ch
Manuel Meyer: [email protected], manuelmeyer.net

Links:
• GitHub of Beau Bullock (Azure Pentesting Tools): https://github.com/dafthack
• MicroBurst Toolkit for Attacking Azure: https://github.com/NetSPI/MicroBurst
• Website of AADInternals: https://aadinternals.com
• Hands-on Azure Pentesting Training: https://cloudbreach.io/breachingazure
• Microsoft Penetration Testing Rules of Engagement: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
• VM Contributor Role Abuse real-life example: https://www.csoonline.com/article/575297/attacker-uses-the-azure-serial-console-to-gain-access-to-microsoft-vm.html
• Video about Passkeys from John Savill: "PASSKEYS - What they are, why we want them and how to use them!" (youtube.com)