
Blue Cloud of Death: Red Teaming Azure - SaintCon

TweekFawkes
September 25, 2018


SaintCon Presentation on Sept. 25th 2018

On-demand IT services are being publicized as the new normal, but these services are often misunderstood, and hence misconfigured, by engineers, which frequently enables red teams to gain, expand, and persist access within Azure environments. In this talk we will dive into how Azure services are commonly breached (e.g. discovering insecure blob storage), then show how attackers pivot between the data and control planes (e.g. mounting hard disks, swapping keys, etc.) to expand access. Finally, we will demonstrate some unique techniques for persisting access within Azure environments for prolonged periods of time.

Bryce Kunz (@TweekFawkes) loves researching and red teaming bleeding-edge IT services. Bryce is currently the Chief Hacker & President at Stage2Sec.com, where he has released various open source tools (e.g. soMeta, lolrusLove, yupPhrasing, etc.) and has contributed several modules to open source projects (e.g. Empire). Previously, Bryce has supported the NSA (network exploitation & vulnerability research), Adobe (built the red teaming program for cloud services), and DHS (incident response). Bryce holds numerous certifications (e.g. OSCP, CISSP, ...) and has spoken at various security conferences (e.g. BlackHat, DerbyCon, BSidesLV, etc.).

https://saintcon2018.sched.com/event/FwU5/blue-cloud-of-death-red-teaming-azure


Transcript

  1. Blue Cloud of Death: Red Teaming Azure. Stage 2 Security, Version 1.0. Copyright 2018 by Stage 2 Security.
  2. Agenda: Bryce Kunz @TweekFawkes
    • Who Am I?
    • Azure Overview
    • Initial Access
    • Storage Access
    • Endpoint Access
    • Expanding Access
    • Persisting Access
  3. WhoAmI - The Past
    • Defense: DHS SOC
    • Offense: NSA Red Team, Adobe Digital Exp. (DX)
  4. WhoAmI - The Present: Now Hiring Hunters & Splunkers!
  5. WhoAmI - The Present
  6. Azure Overview
  7. Layer Separation: Control Plane (APIs), Data Plane, Management UI
  8. Administration: Control Plane (APIs), Data Plane, Management UI, Cloud Admin (Dave)
  9. Automation: Control Plane (APIs), Data Plane, Management UI, Cloud Admin, Ext Cloud Automation (Terraform, Salt Cloud, Custom)
  10. Infrastructure Setup: Control Plane (APIs), Management UI, Cloud Admin
  11. Application: Control Plane (APIs), Management UI, Cloud Admin
  12. Application: Control Plane (APIs), Cloud Admin (Dave), Ext Cloud Automation (Terraform, Salt Cloud, Custom), Storage, VM, App, LB
  13. Cloud-Aware Application: Control Plane (APIs), Cloud Admin (Dave), Ext Cloud Automation (Terraform, Salt Cloud, Custom), Storage, VM, App, LB
  14. Open for Business: Control Plane (APIs), Cloud Admin (Dave), Ext Cloud Automation (Terraform, Salt Cloud, Custom), Storage, VM, App, LB, USERS
  15. Man -> Machine
  16. Full Adoption: https://aws.amazon.com/serverless/
  17. Doomsday ...
  18. DevOp-ocalypse
  19. Why On-Demand IT (aka Cloud) Matters?
    • Hybrid cloud adoption grew 3X in the last year, increasing from 19% to 57% of organizations surveyed.
    • In 10 months, 80% of all IT budgets will be committed to cloud solutions.
    • 49% of businesses are delaying cloud deployment due to a cybersecurity skills gap.
  20. 2017: May-Oct
    1. “Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket”
    2. “Another Wide-Open Amazon S3 Bucket Exposes Verizon Customer Account Data”
    3. “US voter info stored on wide-open cloud box, thanks to bungling Republican contractor”
    4. “Researcher discovers classified Army intel app, data on open public AWS bucket”
    5. “Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak”
    6. “Drone Manufacturer DJI Leaves SSL Key Exposed on Public Repository”
    7. “Dow Jones becomes the latest organization to be affected by an AWS cloud data leakage due to misconfiguration and user error.”
    etc...
  21. DevOp-ocalypse
  22. Cloud Adoption
    • Take images from ESXi -> turn into provider images -> deploy instances (Virtual Machines + Network Services)
    • Develop or re-architect the entire application to use exclusively managed offerings (Managed Compute, Database, Auth, API, DNS, Queues, +++)
    • Lots of grey area...
  23. Azure Overview
  24. Azure Service Management (ASM), "Azure Classic" -> https://Manage.WindowsAzure.com
  25. ASM - Roles ("Azure Classic" -> https://Manage.WindowsAzure.com)
    • Account Administrator (Billing) -> 1 per subscription
    • Service Administrator (Super Admin) -> 1 per subscription (can be the same)
    • Co-Administrator (Admin) -> per subscription
  26. ASM - Auth. ("Azure Classic" -> https://Manage.WindowsAzure.com)
    • Username & Password
    • X.509 Certificate ("Management Certificates")
      ◦ file names: *.cer -> public, *.pfx -> private
  27. Azure Resource Manager (ARM): https://Portal.Azure.com. Introduced in 2014. No more “Cloud Services”.
  28. ARM - Resource Group (https://Portal.Azure.com): A resource group is a container for resources that share a common lifecycle.
  29. ARM - Roles (https://Portal.Azure.com)
    • Owner (Super Admin)
    • Contributor (Admin, but cannot change permissions)
    • User Access Admin (Admin, but can only change permissions)
    • Reader (Read-Only)
  30. ARM - Service Principals (a.k.a. Service Accounts) (https://Portal.Azure.com)
    • Can have a Password (aka "Client Secret")
    • or Certificates for Authentication (but different from ASM management certs)
  31. Storage ...
  32. Storage Types: Blobs, etc...
  33. Azure Blobs. Endpoints: https://myaccount.blob.core.windows.net/mycontainer/myblob
    e.g. https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    Storage Account Name: bcodstoragetest005; Container Name: containertest005; Blob Name: test.txt
  34. DNS Brute Force. e.g. https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    Storage Account Name (bcodstoragetest005):
    - Only contains lowercase letters and numbers.
    - Name must be between 3 and 24 characters.
  35. GoBuster - DNS. e.g. https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    gobuster -m dns -u "blob.core.windows.net" -i -t 100 -fw -w /root/blobdns/3_chars.txt
  36. DNS Brute Force
    - Only contains lowercase letters and numbers.
    - Name must be between 3 and 24 characters.
  37. GoBuster - DIR. e.g. https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    gobuster -m dir -u "https://bcodstoragetest005.blob.core.windows.net" -i -t 100 -e -s 200,204 -w quickdir.txt
  38. Azure Blob Names. e.g. https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    Storage Account Name: bcodstoragetest005; Container Name: containertest005; Blob Name: test.txt
  39. Brute Force: Possible, but it kind of sucks to brute force or guess three separate variables/parameters in the URL. e.g. https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    Storage Account Name: bcodstoragetest005; Container Name: containertest005; Blob Name: test.txt
  40. NimbusLand: Check if an IP address is Azure or AWS
  41. Takeovers ...
  42. Takeovers
    Service                 Vulnerable  Selector
    AWS S3                  Yes         The specified bucket does not exist
    AWS CloudFront          Yes         Bad Request: ERROR: The request could not be satisfied
    GitHub                  Yes         There isn't a GitHub Pages site here.
    Azure Web Apps          Yes*        *.azurewebsites.net
    Azure Cloud Services    Yes         *.cloudapp.net
    Azure Traffic Manager   Yes         *.trafficmanager.net
    Azure Blob Storage      Yes         *.blob.core.windows.net
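The Azure rows of this table can be checked from the defender's side by walking your own zone for CNAMEs whose target sits under one of those suffixes and no longer resolves. The block below is an added example, not material from the talk; the zone records and the resolver behaviour are constructed so it runs offline, and the `socket`-based resolver is there for real use.

```python
"""Dangling-CNAME audit for the Azure suffixes in the takeover table.

Added example (not from the talk). It walks a zone's CNAME records, keeps the
ones whose target sits under a takeover-prone Azure suffix, and flags those
whose target no longer resolves: the backing resource was deleted but the
CNAME stayed behind, which is the precondition for a takeover. The resolver
is injected so the check can run offline against constructed data.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# DNS-based selectors from the slide's table. The S3, CloudFront and GitHub
# Pages rows key on an HTTP response body instead and need an HTTP check.
AZURE_TAKEOVER_SUFFIXES: Dict[str, str] = {
    ".azurewebsites.net": "Azure Web Apps",
    ".cloudapp.net": "Azure Cloud Services",
    ".trafficmanager.net": "Azure Traffic Manager",
    ".blob.core.windows.net": "Azure Blob Storage",
}

Resolver = Callable[[str], bool]   # returns True if the name still resolves


def live_resolver(name: str) -> bool:
    """Real resolver for production use: True if the target has an address."""
    try:
        socket.gethostbyname(name.rstrip("."))
        return True
    except socket.gaierror:
        return False


def classify_target(target: str) -> Optional[str]:
    """Return the Azure service a CNAME target belongs to, or None."""
    host = target.rstrip(".").lower()
    for suffix, service in AZURE_TAKEOVER_SUFFIXES.items():
        if host.endswith(suffix):
            return service
    return None


def find_dangling(records: List[Tuple[str, str]], resolves: Resolver) -> List[dict]:
    """Flag CNAMEs that point at an Azure takeover-prone suffix and do not resolve."""
    findings = []
    for name, target in records:
        service = classify_target(target)
        if service is None:
            continue            # not an Azure-hosted target; out of scope here
        if resolves(target):
            continue            # backing resource still exists
        findings.append({"name": name, "target": target, "service": service})
    return findings


# Constructed sample zone data (hostnames are not real).
SAMPLE_RECORDS = [
    ("www.example.test", "example-prod.azurewebsites.net."),
    ("old-blog.example.test", "retired-blog-2016.azurewebsites.net."),
    ("assets.example.test", "legacystorage01.blob.core.windows.net."),
    ("mail.example.test", "mail.example-provider.test."),
]

# Constructed resolver behaviour: only the first Azure target still exists.
_STILL_RESOLVING = {"example-prod.azurewebsites.net."}


def fake_resolver(name: str) -> bool:
    return name in _STILL_RESOLVING


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_RECORDS, fake_resolver):
        print(f"{f['name']} -> {f['target']} ({f['service']}): dangling, remove the record or re-claim the name")
```

Swap `fake_resolver` for `live_resolver` to run it against an exported zone file.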
  43. Storage Access #025
  44. Visual Studio
    • “web.config” - ASP.NET
    • “app.config” - C#.NET
    • SAS URI
    • Connection String
    • Account Name & Key
  45. GitHub Google Dork: site:github.com web.config "StorageConnectionString" "DefaultEndpointsProtocol"
  46. *.publishsettings & Get-AzurePublishSettingsFile: A "publish settings file" is an XML file with a .publishsettings file name extension. The file contains an encoded certificate that provides management credentials for your Azure subscriptions.
  47. Other Interesting Files
    • *.azure-storage.common.js (commonly has SAS tokens)
    • *.cspkg (commonly has creds)
  48. Storage Explorer: “Install Azure Storage Explorer”
  49. Storage Explorer: SAS URI; Connection String; Account Name & Key
  50. Storage Explorer: Download Files! Modify Files!
  51. VHDs: *disks* -> vhds!
  52. VHDs: Download vhds
    • Code Review
    • Secrets on Disk (Linux: grep for “shadow” hashes)
  54. Managed Disks: 2017 Azure feature. By default... no VHDs in blob storage containers!
  55. Storage Persistence ...
  56. Storage Explorer: Create SAS! Another way to access the resource.
  57. Demo: SAS Offline Minting!
  58. SAS Token Offline Minting. Append the following:
    • Storage Account Name
    • Permissions, Protocol
    • Service, Resource Type
    • Start Time, Expire Time
    • & API Version
    HMAC to create the token using: Key -> Storage Key; Msg -> Appended String; SHA256. Formatting of the data (e.g. Encode).
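The recipe on this slide is the documented account-SAS construction; the added example below (mine, not the talk's) mints such a token from a storage key and, more usefully for a defender, takes a SAS seen in a log or a leaked URL and reports which of the account's keys signed it, so you know which key to regenerate. The key material, field values and the `key1`/`key2` names are constructed.

```python
"""Account SAS: offline minting and signing-key attribution (added example).

Minting needs only the storage key and never touches Azure, so nothing in the
control plane records that a token was issued. The only reliable response to
a key exposure is therefore regenerating the key, which invalidates every SAS
signed with it; the attribution function below tells you which key that is.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

# Field order of the account-SAS string-to-sign (service versions before
# 2020-12-06): account name, then sp, ss, srt, st, se, sip, spr, sv, each
# terminated by a newline. Unused fields are present as empty strings.
_FIELD_ORDER = ("sp", "ss", "srt", "st", "se", "sip", "spr", "sv")


def string_to_sign(account: str, params: Dict[str, str]) -> str:
    """Canonical message that the storage key signs."""
    parts = [account] + [params.get(f, "") for f in _FIELD_ORDER]
    return "\n".join(parts) + "\n"


def _sign(key_b64: str, msg: str) -> str:
    """Base64(HMAC-SHA256(Base64-decoded key, UTF-8 message))."""
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def mint_account_sas(account: str, key_b64: str, params: Dict[str, str]) -> str:
    """Return the SAS query string (the part after '?') for the given fields."""
    query = {f: params[f] for f in _FIELD_ORDER if params.get(f)}
    query["sig"] = _sign(key_b64, string_to_sign(account, params))
    return urlencode(query)


def attribute_signing_key(account: str, sas_query: str,
                          keys: Dict[str, str]) -> Optional[str]:
    """Name of the key (from `keys`) that produced `sig`, or None if none match.

    If `keys` holds all of the account's current keys and nothing matches, the
    token was signed with a key that has since been regenerated and is dead.
    """
    fields = {k: v[0] for k, v in parse_qs(sas_query, keep_blank_values=True).items()}
    presented = fields.pop("sig", None)
    if presented is None:
        return None
    msg = string_to_sign(account, fields)
    for name, key_b64 in keys.items():
        if hmac.compare_digest(_sign(key_b64, msg), presented):
            return name
    return None


# Constructed key material (real keys are 64 random bytes, base64-encoded).
KEY1 = base64.b64encode(bytes(range(64))).decode("ascii")
KEY2 = base64.b64encode(bytes(range(64, 128))).decode("ascii")

# Constructed fields matching the slide: permissions, service, resource type,
# expiry, protocol and API version (no start time, no IP restriction).
SAMPLE_FIELDS = {"sv": "2017-07-29", "ss": "b", "srt": "sco",
                 "sp": "rwdlac", "se": "2018-12-31T00:00:00Z", "spr": "https"}

if __name__ == "__main__":
    sas = mint_account_sas("bcodstoragetest005", KEY1, SAMPLE_FIELDS)
    print("minted:", sas)
    print("signed by:", attribute_signing_key("bcodstoragetest005", sas,
                                               {"key1": KEY1, "key2": KEY2}))
```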
  59. Endpoint Access: Azure CLI
  60. Browser Cookie
  61. Steal Cookie! “Install Azure CLI 2.0 on Windows”
  62. Setup CLI: “Install Azure CLI 2.0 on Windows”
  63. CLI Auth.: “Install Azure CLI 2.0 on Windows”
  65. Auth. Token: “.azure” folder, “azureProfile.json”
  66. Steal Token: “.azure” folder, “azureProfile.json”
  67. Saved CLI Creds. Save ARM profile tokens...
    • "Save-AzureRmProfile"
    • "Select-AzureRmProfile"
    Check the user’s Documents folder for JSON files.... Creates a JSON file with:
    • "ManagementPortalUrl"
    • "PublishSettingsFileUrl"
    • "TokenCache"
    • "Tenant"
  68. Whoami: “az account show”
  69. PaaS ...
  70. PaaS -> Cloud Service
  71. PaaS -> Cloud Service -> Service Certificates: Service certificates are attached to cloud services and enable secure communication to and from the service. For example, if you deployed a web role, you would want to supply a certificate that can authenticate an exposed HTTPS endpoint. Service certificates, defined in your service definition, are automatically deployed to the virtual machine that is running an instance of your role.
  72. PaaS -> Cloud Service -> RDP -> Mimikatz -> pfx
  73. Expand Access ...
  74. Data -> Control (diagram: Cloud, Control, Data, Portal, LBs, Apps, VMs, Storage, Admin, Dev, Users, Hacker)
  75. Azure Metadata. Metadata Service: 169.254.169.254
    • curl http://169.254.169.254/metadata/v1/maintenance
    • curl http://169.254.169.254/metadata/v1/InstanceInfo
    (these are mostly useless for hackers...) but useful information is copied into the ... /var/lib/waagent directory when the instance is created (root access needed):
    • IP address, hostname, subscription ID, resource group name, etc...
  76. Azure Metadata w/ HTTP Header: the Azure Metadata Service now has an HTTP header that enables more information:
    curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01"
    Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
  77. Control -> Data (diagram: Cloud, Control, Data, Portal, LBs, Apps, VMs, Storage, Admin, Dev, Users, Hacker)
  78. Capture Image
  79. Hard Boot: Horrible OPSEC, but it works...
    - Power off a server
    - Mount the server’s hard drive using another VM
    - Modify the server for remote access (e.g. add an SSH key to the root user)
    - Power the server back on & PROFIT!
    Google: “Reset local Windows password for Azure VM offline”
  80. Reset. Windows: RDP Password Reset. Linux: SSH Key Reset, Create User.
  81. Execute Scripts. Linux: VM Extension - CustomScript
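The three slides above (offline disk edit, credential reset, CustomScript) each leave control-plane events behind; the added example below (not from the talk) reviews constructed Activity Log records for the deallocate, helper-VM write, start sequence by one principal, and for extension writes by principals outside an allow-list. The operation names are the real Microsoft.Compute resource-provider operations; the record layout is flattened, and the callers, timestamps, subscription ID and resource IDs are constructed.

```python
"""Heuristic Activity Log review for the hard-boot and extension access paths.

Added example (not from the talk). The offline disk edit leaves a trail: the
target VM is deallocated, its disk is attached to a helper VM (an update,
logged as a virtualMachines write on the helper), then the target is started
again, all by the same principal inside a short window. Script execution and
credential resets land as virtualMachines/extensions/write events.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

DEALLOCATE = "Microsoft.Compute/virtualMachines/deallocate/action"
START = "Microsoft.Compute/virtualMachines/start/action"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"
EXT_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"

WINDOW = timedelta(minutes=30)   # assumption: how long an offline edit plausibly takes


def _ts(rec: Dict[str, str]) -> datetime:
    return datetime.strptime(rec["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")


def find_offline_disk_edits(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag deallocate -> (VM write elsewhere, same caller) -> start sequences on one VM."""
    recs = sorted(records, key=_ts)
    findings = []
    for i, stop in enumerate(recs):
        if stop["operationName"] != DEALLOCATE:
            continue
        vm, who, t0 = stop["resourceId"], stop["caller"], _ts(stop)
        helper_write = None
        for later in recs[i + 1:]:
            if _ts(later) - t0 > WINDOW:
                break                                   # outside the window: give up
            if later["caller"] != who:
                continue
            if later["operationName"] == VM_WRITE and later["resourceId"] != vm:
                helper_write = later["resourceId"]      # candidate disk-attach on a helper
            elif later["operationName"] == START and later["resourceId"] == vm:
                if helper_write:
                    findings.append({"vm": vm, "caller": who, "helper": helper_write,
                                     "start": later["eventTimestamp"]})
                break                                   # a plain stop/start cycle otherwise
    return findings


def find_extension_writes(records: List[Dict[str, str]],
                          allowed_callers: Iterable[str]) -> List[Dict[str, str]]:
    """Flag CustomScript/VMAccess-style extension writes by principals outside an allow-list."""
    allowed = set(allowed_callers)
    return [r for r in records
            if r["operationName"] == EXT_WRITE and r["caller"] not in allowed]


# Constructed records (flattened: operationName as a plain string).
_VM = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod"
       "/providers/Microsoft.Compute/virtualMachines/")
SAMPLE_LOG = [
    {"eventTimestamp": "2018-09-25T02:00:00Z", "operationName": DEALLOCATE,
     "resourceId": _VM + "web01", "caller": "dave@example.test"},
    {"eventTimestamp": "2018-09-25T02:03:00Z", "operationName": VM_WRITE,
     "resourceId": _VM + "jumpbox", "caller": "dave@example.test"},
    {"eventTimestamp": "2018-09-25T02:15:00Z", "operationName": START,
     "resourceId": _VM + "web01", "caller": "dave@example.test"},
    {"eventTimestamp": "2018-09-25T09:00:00Z", "operationName": DEALLOCATE,
     "resourceId": _VM + "db01", "caller": "ops-automation"},
    {"eventTimestamp": "2018-09-25T09:05:00Z", "operationName": START,
     "resourceId": _VM + "db01", "caller": "ops-automation"},
    {"eventTimestamp": "2018-09-25T11:30:00Z", "operationName": EXT_WRITE,
     "resourceId": _VM + "web01/extensions/CustomScript", "caller": "dave@example.test"},
]

if __name__ == "__main__":
    for hit in find_offline_disk_edits(SAMPLE_LOG):
        print("possible offline disk edit:", hit)
    for rec in find_extension_writes(SAMPLE_LOG, {"ops-automation"}):
        print("extension write outside allow-list:", rec["caller"], rec["resourceId"])
```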
  82. Persistence: Azure
  83. Data -> Control (diagram: Cloud, Control, Data, Portal, LBs, Apps, VMs, Storage, Admin, Dev, Users, Hacker)
  84. Service Principals (the recommended approach): permissions-restricted accounts. “az login --service-principal” ... “...not tied to any particular user... have permissions on them assigned through pre-defined roles.” Multiple Passwords!
  85. Agents (diagram: Cloud, Control, Data, Portal, LBs, Apps, VMs, Storage, Admin)
  86. Documentation? Where we're going, we don't need docs!
  87. Start Digging
    • ps auxfww
    • file
    • python source code review
    Listening Services: netstat -nltpu
    Active Connections: netstat -natpu
  88. Python Debugger (pdb)
    • b: set a breakpoint
    • c: continue debugging until you hit a breakpoint
    • s: step through the code
    • n: go to the next line of code
    • l: list source code for the current file (default: 11 lines including the line being executed)
    • u: navigate up a stack frame
    • d: navigate down a stack frame
    • p: print the value of an expression in the current context
  89. SysDig
    sysdig -w 005.scap
    systemctl start walinuxagent.service
    /usr/bin/python3 -u /usr/sbin/waagent -daemon
    sysdig -r 005.scap ...
    • -c topfiles_bytes
    • -c topprocs_net
    • -c echo_fds
    • -c fdbytes_by fd.directory "fd.type=file"
    • -c fdbytes_by fd.filename "fd.directory=/var/lib/waagent"
  91. TCPDump: ip.addr == 168.63.129.16
  92. Agents (diagram: Cloud, Control, http://168.63.129.16, Data, Portal, LBs, Apps, VMs, Storage, Admin, Agent)
  93. Tasks. Control: http://168.63.129.16, GET /machine/?comp=goalstate --- <Incarnation>2</Incarnation>... The agent periodically pulls an HTTP API for taskings:
    • http://168.63.129.16 (local Azure fabric address)
    • <Incarnation>2</Incarnation> signals the agent for additional tasks
  94. Host Configs. Control: http://168.63.129.16, GET /machine/ ... type=hostingEnvironmentConfig --- rd_fabric_stable_dhf5.150807-2320.RuntimePackage_1.0.0.14.zip. The agent pulls hostingEnvironmentConfig.
  95. Certs. Control: http://168.63.129.16, GET /machine/ ... comp=certificates --- pfx. The agent pulls certificates.
  96. Extension Configs. Control: http://168.63.129.16, GET /machine/ ... type=extensionsConfig --- Command to Run. The agent pulls the extension configuration; in this case, the command to run.
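The agent's polling of http://168.63.129.16 described on these slides gives a defender two host-level checks, written below as an added example (not the talk's code) over the `netstat -natpu` output from the Start Digging slide: a process other than the agent reaching the wire server on the agent's ports, and the agent speaking plain HTTP to any host other than the fabric address. The sample rows and the agent PID allow-list are constructed; port 32526 is the host GA plugin port the agent also uses.

```python
"""Audit 'netstat -natpu' rows for agent / wire-server anomalies (added example).

Two rules, both host-local and offline:
  1. a process that is not the agent talking to 168.63.129.16 on the ports the
     goal-state protocol uses;
  2. the agent talking plain HTTP (port 80) to anything that is not the fabric
     address or IMDS, which is what a redirected agent looks like. The agent
     legitimately fetches extension packages over HTTPS, so 443 is not flagged.
Rows without a visible PID are skipped: run netstat as root so they are filled.
"""
from typing import Dict, List, Optional, Set

WIRE_SERVER = "168.63.129.16"
IMDS = "169.254.169.254"
# 80 carries the goal-state protocol; 32526 is the host GA plugin port.
# 53 (DNS) on the wire server is used by the whole VM and is deliberately absent.
AGENT_PORTS: Set[int] = {80, 32526}


def parse_netstat_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one 'netstat -natpu' row; udp rows have no State column."""
    f = line.split()
    if len(f) < 6 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
        return None                                  # header, blank or unknown row
    proto, foreign = f[0], f[4]
    rest = f[5:]
    state = rest.pop(0) if proto.startswith("tcp") else ""
    pidprog = rest[0] if rest else "-"
    pid = int(pidprog.split("/")[0]) if "/" in pidprog else None
    fhost, _, fport = foreign.rpartition(":")       # handles IPv6 with rpartition
    return {"proto": proto, "fhost": fhost, "fport": int(fport) if fport.isdigit() else None,
            "state": state, "pid": pid, "prog": pidprog}


def audit(lines: List[str], agent_pids: Set[int]) -> List[str]:
    """Return one finding string per suspicious row."""
    findings = []
    for line in lines:
        row = parse_netstat_line(line)
        if row is None or row["fport"] is None or row["pid"] is None:
            continue
        to_fabric = row["fhost"] == WIRE_SERVER and row["fport"] in AGENT_PORTS
        from_agent = row["pid"] in agent_pids
        if to_fabric and not from_agent:
            findings.append(f"non-agent process {row['prog']} talking to the wire server: {line.strip()}")
        elif from_agent and row["fport"] == 80 and row["fhost"] not in (WIRE_SERVER, IMDS):
            findings.append(f"agent PID {row['pid']} polling non-fabric host {row['fhost']}: {line.strip()}")
    return findings


# Constructed sample output; 1337 is the constructed agent PID
# (in practice take it from 'pgrep -f waagent').
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.4:40112          168.63.129.16:80        TIME_WAIT   -
tcp        0      0 10.0.0.4:40230          168.63.129.16:32526     ESTABLISHED 1337/python3
tcp        0      0 10.0.0.4:55010          203.0.113.7:80          ESTABLISHED 1337/python3
tcp        0      0 10.0.0.4:58820          168.63.129.16:80        ESTABLISHED 2041/python3
udp        0      0 10.0.0.4:52345          168.63.129.16:53        -
""".splitlines()
AGENT_PIDS = {1337}

if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT, AGENT_PIDS):
        print(finding)
```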
  97. Creds in Repo (diagram: Internet, Control, Data, Portal, LBs, Apps, VMs, Storage, Admin, Dev, Users, Hacker)
  98. VHDs -> Certs (diagram: Internet, Control, Data, Portal, LBs, Apps, VMs, Storage, Admin, Dev, Users, Hacker)
  99. Subscription (diagram: Internet, Control, Data, Portal, LBs, Apps, VMs, Storage, Admin, Dev, Users, Hacker)
  100. Custom Script (diagram: Internet, Control, Data, Portal, LBs, Apps, VMs, Storage, Admin, Dev, Users, Hacker)
  101. Demo: C2 via waagent Redirection
  110. Training: Oct. Chicago, Dec. London
  111. Astute Exploitation #003
  112. Astute Exploitation Methodology: Astute Exploitation is the art of leveraging the configuration and features of the target to achieve one's goals, rather than specific exploits for services (e.g. buffer overflows).
    • Prepare
    • Exploit
    • Prosper
    Features tend to have a long and prevalent useful life, while exploits for specific vulnerabilities tend to only work until they are patched out of target environments. Large tech companies have frequently said: "It's not a bug, it's a feature!", which in my opinion roughly translates to: "Attackers! Use this Technique! We have no plans to stop it!" :)
  113. Astute Exploitation - Prepare
    ◦ Plan - Goals & Strategy
    ◦ Discover - Passive / OOB Techniques
    ◦ Recon - Active Techniques
  114. Astute Exploitation - Exploit
    ◦ Develop - Test, Test, & Test Again!
    ◦ Exploit - All of the glory! (& then BSOD! :P)
    ◦ Interact - C2 within the Network!
  115. Astute Exploitation - Prosper
    ◦ Priv Esc - Get Free
    ◦ Persist - Stay In
    ◦ Pivot - Expand Access
  116. Astute Exploitation - Traditional Example
  117. Astute Exploitation - Traditional Example: Plan (Internet -> Target)
  118. Astute Exploitation - Traditional Example: Discover (OSINT; Web App; Target)
  119. Astute Exploitation - Traditional Example: Recon (Scan; Web App; Target)
  120. Astute Exploitation - Traditional Example: Develop (R&D, Test!; Web App; Target)
  121. Astute Exploitation - Traditional Example: Exploit (Web App; Target)
  122. Astute Exploitation - Traditional Example: Interact (Reverse Shell; Web App; Target)
  123. Astute Exploitation - Traditional Example: Priv. Esc. & Persist (optionally): Reverse Shell -> Implant (Web App; Target)
  124. Astute Exploitation - Traditional Example: Pivot to Domain Controller, Salt Master, etc... (Web App; Target)
  125. Astute Exploitation - Traditional Example (summary): Internet -> OSINT -> Scan -> R&D, Test! -> Exploit -> Reverse Shell -> Priv. Esc. -> Implant -> Pivot to Domain Controller, Salt Master, etc... (Web App; Target)
  126. Astute Exploitation - Cloud Example
  127. Astute Exploitation - Cloud Example: Plan (Internet -> Target)
  128. Astute Exploitation - Cloud Example: Discover (OSINT; Serverless App; Target)
  129. Astute Exploitation - Cloud Example: Recon (Scan; Serverless App; Target)
  130. Astute Exploitation - Cloud Example: Develop (R&D, Test!; Serverless App; Target)
  131. Astute Exploitation - Cloud Example: Exploit (Serverless App; Target)
  132. Astute Exploitation - Cloud Example: Interact (Reverse Shell; Serverless App; Target)
  133. Astute Exploitation - Cloud Example: Priv. Esc. & Persist (optionally): Reverse Shell -> Implant (Serverless App; Target)
  134. Astute Exploitation - Cloud Example: Pivot to the Control Plane (Data to Control, Control to Data; R&D, Test!; Reverse Shell; Serverless App; Target)
  135. Astute Exploitation - Cloud Example (summary): Internet -> OSINT -> Scan -> R&D, Test! -> Exploit -> Reverse Shell -> Priv. Esc. -> Implant -> Pivot to the Control Plane (Data to Control, Control to Data) (Serverless App; Target)
  136. Thank you! Contact Info: Bryce Kunz: bryce@stage2sec.com