ABS2024: How Criminals Breach Your Azure Environment by Marco Schmidt & Manuel Meyer

Slide 1

Slide 1 text

How Criminals Breach your Azure Environment Marco Schmidt & Manuel Meyer

Slide 2

Slide 2 text

2 2 whoami - Manu Azure Architect @ GrabX Solutions Leading your way through the Azure Cloud Zurich, Switzerland Organizing community events manuelmeyer.net

Slide 3

Slide 3 text

3 3 whoami - Marco Security Engineer @ GrabX Solutions Working with customers to protect their cloud environments Bern, Switzerland Like to break things thesecurityguy.ch

Slide 4

Slide 4 text

4 4 Introduction •Fictional Scenario of Attack Kill Chain in the Cloud •All techniques are valid attack techniques and have been used by threat actors in the past •Scenario has been simplified to fit the session •REMEMBER: With great power comes great responsibility! 💪

Slide 5

Slide 5 text

5 5

Slide 6

Slide 6 text

6 6 Lateral Movement Privilege Escalation Defense Evasion Initial Access Reconnaissance -> Find Passwords -> User Enumeration -> Password Spray -> Conditional Access Bypass -> Abusing Dynamic Groups -> Abusing VM Contributor Role

Slide 7

Slide 7 text

7 7 Reconnaissance

Slide 8

Slide 8 text

8 8 Find Passwords How do Hackers get your Passwords? • Open Source Intelligence (OSINT) • Phishing • Darkweb • Dumpster Diving • Password Attacks • Malware • Etc.

Slide 9

Slide 9 text

9 9 Find Passwords How can you protect against this? • Use Passkeys • Entra ID Smart Lockout • M365 Defender Suite • User Awareness Training • Most important: Brain.exe

Slide 10

Slide 10 text

10 10 User Enumeration

Slide 11

Slide 11 text

11 11 User Enumeration

Slide 12

Slide 12 text

12 12 User Enumeration

Slide 13

Slide 13 text

13 13 AADInternals • First Released in 2018 by Security Researcher Dr. Nestory Syynimaa • “The ultimate Azure AD / Microsoft 365 hacking and admin toolkit” • License: Creative Commons

Slide 14

Slide 14 text

14 14 AADInternals Kill chain roles

Slide 15

Slide 15 text

Slide 16

Slide 16 text

16 16 User Enumeration How can you protect against this? • You can’t

Slide 17

Slide 17 text

17 17 Initial Access Reconnaissance Result: Enumerated existing users

Slide 18

Slide 18 text

18 18 Password Spray AzureBootCamp2024! AzureBootCamp2024! AzureBootCamp2024! Password: AzureBootCamp2024! Passw0rd123! Winter2011$ AzureBootCamp2024!

Slide 19

Slide 19 text

19 19 Password Spray • API Endpoint: https://login.microsoft.com/common/oauth/token • API Responses: • AADSTS50034 -> User doesn’t exist • AADSTS50126 -> Invalid password • AADSTS50076 or AADSTS50079 -> MFA response • AADSTS50057 -> Disabled account • AADSTS50055 -> Password expired.

Slide 20

Slide 20 text

20 20 MSOLSpray • Uses Entra ID Error Codes to find out information about accounts • Can find out if account has MFA enabled without triggering notifications • Can use FireProx to rotate source IPs and avoid detection and lockout • First released in 2020 by Penetration Tester Beau Bullock (MIT License).

Slide 21

Slide 21 text

21 21 MSOLSpray

Slide 22

Slide 22 text

22 22 Password Spray How can you protect against this? • Make users use strong Passwords • Use Passwordless Authentication.

Slide 23

Slide 23 text

23 23 Defense Evasion Initial Access Reconnaissance Result: Found password for Initial Access

Slide 24

Slide 24 text

24 24 Conditional Access Bypass

Slide 25

Slide 25 text

25 25 Conditional Access Bypass • Common Attack Vectors: • Location • Exclusion Group Abuse • Device Platform • MITM Attacks (e.g. with Evilginx) • MFA Bombing • Social Engineering • Etc.

Slide 26

Slide 26 text

26 26 Conditional Access Bypass • Common Attack Vectors: • Avoid Conditional Access completely by getting access to an excluded user! • Who is typically excluded? • BreakGlass Admins • Lazy Admins • Service Accounts • Angry Complaining Users

Slide 27

Slide 27 text

27 27 Conditional Access Bypass • Common Attack Vectors: • Location • Exclusion Group Abuse • Device Platform • MITM Attacks (e.g. with Evilginx) • MFA Bombing • Social Engineering • Etc.

Slide 28

Slide 28 text

28 28

Slide 29

Slide 29 text

29 29

Slide 30

Slide 30 text

30 30 Conditional Access Bypass How can you protect against this? • Keep exclusion list as short as possible • Create Block Rules to prevent access in unwanted scenarios • Pay attention to conditions • Use CA gap analyzer workbook

Slide 31

Slide 31 text

31 31 CA gap analyzer Prereqs: • Microsoft Entra Premium P1 • Log Analytics Workspace • Role for Azure Monitor and Entra ID

Slide 32

Slide 32 text

32 32 CA gap analyzer

Slide 33

Slide 33 text

33 33 CA gap analyzer

Slide 34

Slide 34 text

34 34

Slide 35

Slide 35 text

35 35

Slide 36

Slide 36 text

36 36

Slide 37

Slide 37 text

37 37 CA gap analyzer Preview Features: • Named Locations with no Conditional Access Coverage • Sign-ins from IPv6 addresses not assigned to a Named Location

Slide 38

Slide 38 text

38 38 Privilege Escalation Defense Evasion Initial Access Reconnaissance Result: Bypassed Conditional Access Policies

Slide 39

Slide 39 text

39 39 Demo Time

Slide 40

Slide 40 text

40 40 Entra ID Guest Accounts – Default Settings

Slide 41

Slide 41 text

41 41 <- Default <- Recommended <- Default <- Recommended <- Default <- Recommended

Slide 42

Slide 42 text

42 42 Abusing Dynamic Groups • Scenario: • Company has outsourced Azure VM Management to another company • The name of this fictional company is: VMGenius.io • All users are invited as Guest Users.

Slide 43

Slide 43 text

43 43 Abusing Dynamic Groups Group has Virtual Machine Contributor Role

Slide 44

Slide 44 text

44 44 Abusing Dynamic Groups Group has Virtual Machine Contributor Role

Slide 45

Slide 45 text

45 45 Abusing Dynamic Groups

Slide 46

Slide 46 text

46 46 Abusing Dynamic Groups How can you protect against this? • Don’t allow all users to invite guest accounts • Don’t base dynamic group membership rules on user-controlled attributes • Be aware that even non-user controlled attributes could be changed somehow (e.g. from Entra ID Cloud Sync) • Be careful when designing dynamic group membership rules.

Slide 47

Slide 47 text

47 47 Lateral Movement Privilege Escalation Defense Evasion Initial Access Reconnaissance Result: Escalation to privileged role

Slide 48

Slide 48 text

48 48 Abusing VM Contributor Role • It is a privileged Role • It can execute Scripts on VM with SYSTEM Privileges • Abusing Examples: • Extract NTLM Hashes from VMs • Install Malware on Systems • Extract Information from File Servers • Elevate Privileges from Cloud-only to onPrem • RL Example: • TA UNC3944 uses Serial Console to deploy remote management software

Slide 49

Slide 49 text

49 49 Lateral Movement Privilege Escalation Defense Evasion Initial Access Reconnaissance

Slide 50

Slide 50 text

50 50 -> Find Passwords -> User Enumeration -> Password Spray -> Conditional Access Bypass -> Abusing Dynamic Groups -> Abusing VM Contributor Role Lateral Movement Privilege Escalation Defense Evasion Initial Access Reconnaissance

Slide 51

Slide 51 text

51 51 Conclusion • Be careful when exposing information publicly • Use built-in protection features from Microsoft • Look at configurations from an attackers perspective • Keep an eye on you CA Policies and Dynamic Groups • Don’t be lazy! (at least in Cyber Security J)

Slide 52

Slide 52 text

52 52 marco@thesecurityguy.ch thesecurityguy.ch blog@manuelmeyer.net manuelmeyer.net Marco Schmidt Manuel Meyer Description Link GitHub of Beau Bullock (Azure Pentesting Tools) https://github.com/dafthack MicroBurst Toolkit for Attacking Azure https://github.com/NetSPI/MicroBurst Website of AADInternals https://aadinternals.com Hands-on Azure Pentesting Training https://cloudbreach.io/breachingazure Microsoft Penetration Testing Rules of Engagement https://www.microsoft.com/en-us/msrc/pentest-rules-of- engagement VM Contributor Role Abuse RL Example https://www.csoonline.com/article/575297/attacker-uses- the-azure-serial-console-to-gain-access-to-microsoft- vm.html Video about Passkeys from John Savill PASSKEYS - What they are, why we want them and how to use them! (youtube.com)