Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!

https:// .Security Version 1.0 Copyright 2022 by Stage 2 Security
Outplay Your Adversary! Bryce Kunz // @TweekFawkes

https:// .Security Version 1.0 Copyright 2022 by Stage 2 Security
Avoiding the Fall of Icarus Cloud Focused Continuous Red Teaming

Copyright 2022 by Stage 2 Security https:// .Security Bryce Kunz
@TweekFawkes - Who Am I? - Go From Zero to Cloud Admin! - SSO Tokens & Browser Cookies - Graph Database Technologies - Overview: Bridging to On-Prem - Attacking the Bridges! - One More Thing! Agenda

Copyright 2022 by Stage 2 Security https:// .Security Defense DHS
SOC Offense NSA Red Team Adobe Digital Exp. (DX) Bryce Kunz; @TweekFawkes Services • Hack (Pentest) • Hunt (Splunk ES) • Train (Cloud Sec.)

Copyright 2022 by Stage 2 Security https:// .Security BSidesSLC.org Hardware
Badge by @professor__plum Friday Dec. 16th 2022! Sandy UT Conference Center at Miller Campus https://BSidesSLC.org

Copyright 2022 by Stage 2 Security https:// .Security Go From
Zero to Cloud Admin! Overview

Copyright 2022 by Stage 2 Security https:// .Security AWS Account
External Resources Typical Steps: • Exploit App • Collect Creds • Reuse Creds Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS IAM Role AWS STS Temporary Credentials Temporary Credentials Policies Identities Global Cloud

Globally Shared Resources: • EC2 AMIs • EBS Snapshots • RDS Snapshots • etc… Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances Global Cloud Secrets

Client-Side Vectors: • RCE • Cookies • Phishing • AiTM • Supply Chain • Social Engineering • Extensions • etc… Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS IAM Role AWS STS Temporary Credentials Policies Identities Global Cloud Admin

Copyright 2022 by Stage 2 Security https:// .Security SSO Tokens
& Browser Cookies Overview

Copyright 2022 by Stage 2 Security https:// .Security Overview Methods
Include: • Malicious Browser Extension • Adversary-in-the-Middle (AiTM) Other Common Methods Include: • Malicious Documents (e.g. Ofﬁce Macros) • Malicious Applications

Copyright 2022 by Stage 2 Security https:// .Security Malicious Browser
Extensions

Copyright 2022 by Stage 2 Security https:// .Security Kevin L.
Shout Out! …

Copyright 2022 by Stage 2 Security https:// .Security Malicious Browser
Extension Users Evil Server SSO / App TLS Browser

Copyright 2022 by Stage 2 Security https:// .Security CursedChrome Red
Team Toolkit Options https://github.com/mandatoryprogrammer/CursedChrome

Copyright 2022 by Stage 2 Security https:// .Security Defense: Enterprise
Policies (e.g. Chrome) Users Evil Server SSO / App TLS Browser https://github.com/mandatoryprogrammer/ChromeGalvanizer

Copyright 2022 by Stage 2 Security https:// .Security Brad H.
Shout Out! …

Copyright 2022 by Stage 2 Security https:// .Security Adversary-in-the-Middle (AiTM)
Users Evil Proxy SSO / App TLS TLS Browser

Copyright 2022 by Stage 2 Security https:// .Security Phishing +
AiTM Evil Proxy SSO / App TLS TLS Browser Users Email

Copyright 2022 by Stage 2 Security https:// .Security Browser Access
Evil Proxy SSO / App TLS TLS Browser Users Email Browser TLS

Copyright 2022 by Stage 2 Security https:// .Security SaaS &
Cloud Access Evil Proxy SSO / App TLS TLS Browser Users Email Browser TLS SaaS / CSP TLS

Copyright 2022 by Stage 2 Security https:// .Security EDRs: 2022
-> Largely Ignore Browser Sessions! Evil Proxy SSO / App TLS TLS Browser Users Email Browser TLS SaaS / CSP TLS EDR EDR Cloud

Copyright 2022 by Stage 2 Security https:// .Security AiTM Evilginx2
https://github.com/kgretzky/evilginx2 https://github.com/drk1wi/Modlishka https://github.com/muraenateam/muraena https://github.com/ustayready/CredSniper Phishing GoPhish https://github.com/gophish/gophish https://github.com/pentestgeek/phishing-frenzy https://github.com/rsmusllp/king-phisher Red Team Toolkit Options

Phishing GoPhish Red Team Toolkit Options = EvilGoPhish https://github.com/ﬁn3ss3g0d/evilgophish +

Copyright 2022 by Stage 2 Security https:// .Security Defense: Incorrect
FQDN Okta-Test.com Okta.com TLS TLS Browser Users Email Browser TLS SaaS / CSP TLS EDR EDR Cloud

Copyright 2022 by Stage 2 Security https:// .Security Defense: FIDO2
(Hardware/YubiKey) + WebAuthn Okta-Test.com Okta.com TLS TLS Browser Users Email Browser TLS SaaS / CSP TLS EDR EDR Cloud

Copyright 2022 by Stage 2 Security https:// .Security Graph Database
Technologies Overview

Copyright 2022 by Stage 2 Security https:// .Security Paul W.
& Michael B. Shout Out! …

Copyright 2022 by Stage 2 Security https:// .Security Why Graph
DBs?

Copyright 2022 by Stage 2 Security https:// .Security … Quickly
Find Priv Esc Paths

Copyright 2022 by Stage 2 Security https:// .Security … 1.
Set The Goal

Generate Inbound Paths

Analyze the Paths for Access Vectors

Copyright 2022 by Stage 2 Security https:// .Security But How
Are All Those Lines Useful?

Identity and Access Management (IAM) IAM Users Permissions Policy Action sts:AssumeRole Resource arn…role/rds-ro IAM User joe AWS IAM Users & AWS Service RDS, &... Relational Database Service (RDS) DB Cluster Secrets

Identity and Access Management (IAM) IAM Users Permissions Policy Action sts:AssumeRole Resource arn…role/rds-ro IAM User joe AWS IAM Users & AWS Service RDS, &... Relational Database Service (RDS) DB Cluster Secrets Blocked! Requires… Action rds:Describe*

Identity and Access Management (IAM) IAM Roles Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro AWS IAM Roles & Policies

Identity and Access Management (IAM) IAM Roles Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro AWS IAM Roles & Policies Relational Database Service (RDS) DB Cluster Secrets

Identity and Access Management (IAM) IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal arn…user/joe Action sts:AssumeRole Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro AWS IAM Roles & Policies

Identity and Access Management (IAM) IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal arn…user/joe Action sts:AssumeRole Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro AWS IAM Roles & Policies Relational Database Service (RDS) DB Cluster Secrets

Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal arn…user/joe Action sts:AssumeRole Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro Permissions Policy Action sts:AssumeRole Resource arn…role/rds-ro IAM User joe AWS IAM Users & IAM Roles

Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal arn…user/joe Action sts:AssumeRole Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro Permissions Policy Action sts:AssumeRole Resource arn…role/rds-ro IAM User joe AWS IAM Users, IAM Roles, & AWS Services Relational Database Service (RDS) DB Cluster Secrets

Identity and Access Management (IAM) IAM Users Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia App on EC2 Instance, Needs S3 Objects, &... Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets

Identity and Access Management (IAM) IAM Users Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia App on EC2 Instance, Needs S3 Objects, &... Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets Blocked! Requires… Action s3:Get*

IAM Users Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia Attach Role to Instance, &… Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro Identity and Access Management (IAM)

Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia Attach Role to Instance, &… Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro

Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia Attach Role to Instance, &… Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro Blocked! Requires… Action iam:PassRole*

Copyright 2022 by Stage 2 Security https:// .Security Create a
Policy Allowing Pass Role Instances

Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia Attach Role to Instance, &… Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro New Policy pass-ec2-s3-ro

Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * pass-ec2-s3-ro IAM User rydia S3 Bucket Policies & S3 ACLs S3 AWS EC2 Instances App Objects Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro S3 Bucket Policies S3 ACLs S3 Bucket

Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * pass-ec2-s3-ro IAM User rydia Attach Role to Instance, &… AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro S3 S3 Bucket Policies S3 ACLs

Copyright 2022 by Stage 2 Security https:// .Security S3 AWS
Account Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * pass-ec2-s3-ro IAM User rydia Attach Role to Instance, &… AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro S3 Bucket Policies S3 ACLs

Copyright 2022 by Stage 2 Security https:// .Security Scott P.
Shout Out! …

Copyright 2022 by Stage 2 Security https:// .Security Basic Priv
Esc Example via Graph DB

Set The Goal

Generate Inbound Paths

Analyze the Paths for Access Vectors

Copyright 2022 by Stage 2 Security https:// .Security … IAM
Policy with * Permissions!

Copyright 2022 by Stage 2 Security https:// .Security … Role
w/ Trust Policy allowing EC2

Copyright 2022 by Stage 2 Security https:// .Security … Instance
Proﬁle to Role

Copyright 2022 by Stage 2 Security https:// .Security … iam:PasRole
Permissions within Policy

Copyright 2022 by Stage 2 Security https:// .Security … IAM
User with Permissions Policy

Copyright 2022 by Stage 2 Security https:// .Security … Compromise
of “privesc3-…” User… To Admin Access!

Copyright 2022 by Stage 2 Security https:// .Security Create New
EC2 Instance w/ Role Attached Instance Role Temporary Credentials Policies Instance Profile Simple Storage Service (S3) Objects S3 Bucket Secrets Elastic Compute Cloud (EC2) AWS IAM

Copyright 2022 by Stage 2 Security https:// .Security Get Access
To EC2 Instance via Connect Back to NC Instance Role Temporary Credentials Policies Instance Profile User Data Launch Script Simple Storage Service (S3) Objects S3 Bucket Secrets Elastic Compute Cloud (EC2) AWS IAM NetCat Listener

Copyright 2022 by Stage 2 Security https:// .Security C2 via
NetCat Instance Role Temporary Credentials Policies Instance Profile Simple Storage Service (S3) Objects S3 Bucket Secrets C2 Elastic Compute Cloud (EC2) AWS IAM NetCat Listener

Copyright 2022 by Stage 2 Security https:// .Security Elastic Compute
Cloud (EC2) Access Metadata via Curl 169.254. 169.254 Instance AWS IAM Role Temporary Credentials Policies Instance Profile NetCat Listener Metadata Service Simple Storage Service (S3) Objects S3 Bucket Secrets C2

Cloud (EC2) Access Metadata via Curl 169.254. 169.254 To Collect Creds! Instance AWS IAM Role Temporary Credentials Policies Instance Profile NetCat Listener Metadata Service Temporary Credentials Simple Storage Service (S3) Objects S3 Bucket Secrets C2

Cloud (EC2) Conﬁgure aws cli Instance AWS IAM Role Temporary Credentials Policies Instance Profile NetCat Listener Metadata Service Temporary Credentials Simple Storage Service (S3) Objects S3 Bucket Secrets C2

Cloud (EC2) Reuse Creds for S3 Access! Instance AWS IAM Role Temporary Credentials Policies Instance Profile NetCat Listener Metadata Service Temporary Credentials Simple Storage Service (S3) Objects S3 Bucket Secrets C2

Copyright 2022 by Stage 2 Security https:// .Security Common Priv
Esc Access Vectors

Esc Access Vectors IAM Permissions Manipulating Resources

Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc…

Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc…

Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole

Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole PassRole Policies iam:PassRole + Processing Data

Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole Resources Processing Data PassRole Policies iam:PassRole + Processing Data Create New Affect Inputs

Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole Resources Processing Data PassRole Policies iam:PassRole + Processing Data Create New Affect Inputs Lambda lambda:UpdateFunctionCode lambda:PublishLayerVersion + Function w/ Role

Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole Resources Processing Data PassRole Policies iam:PassRole + Processing Data Create New Affect Inputs SSM & EC2 SendCommand StartSession + Instance Profile w/ Role Lambda lambda:UpdateFunctionCode lambda:PublishLayerVersion + Function w/ Role

Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole Resources Processing Data PassRole Policies iam:PassRole + Processing Data Create New Affect Inputs SSM & EC2 SendCommand StartSession + Instance Profile w/ Role Lambda lambda:UpdateFunctionCode lambda:PublishLayerVersion + Function w/ Role AWS Services Numerous… e.g. w/ a Role

Copyright 2022 by Stage 2 Security https:// .Security Lab Environments
& Tooling

• https://cloud.hacktricks.xyz/pentesting-cloud/aws-security • https://github.com/BishopFox/iam-vulnerable • https://github.com/RhinoSecurityLabs/cloudgoat • https://github.com/bridgecrewio/terragoat • https://github.com/nccgroup/sadcloud • https://hackingthe.cloud/aws/capture_the_ﬂag/cicdont • https://github.com/ine-labs/AWSGoat Vulnerable Lab Environments CloudGoat

Copyright 2022 by Stage 2 Security https:// .Security … Visualization
• https://github.com/nccgroup/PMapper • https://github.com/Azure/Stormspotter • https://github.com/duo-labs/cloudmapper • https://github.com/WithSecureLabs/awspx • https://github.com/SygniaLabs/security-cloud-scout • https://github.com/BloodHoundAD/BloodHound • https://pentestbook.six2dez.com/enumeration/cloud/azure Steps: 1. Collection 2. Processing 3. Analysis

Copyright 2022 by Stage 2 Security https:// .Security Tailored Collection
& Processing + Neo4j GraphDB Aws Cloud Capability Tool (ACCT)

Copyright 2022 by Stage 2 Security https:// .Security Overview: Bridging
to On-Prem Overview

Copyright 2022 by Stage 2 Security https:// .Security Overview: Bridging
to On-Prem Includes: • Azure AD Overview • Azure AD Joined Endpoint • Azure AD Integration w/ On-Premises Active Directory ◦ Password Hash Synchronization (PHS) ◦ Pass Through Authentication (PTA) ◦ Active Directory Federated Services (ADFS) • Attacking the Bridges

Copyright 2022 by Stage 2 Security https:// .Security Azure AD
Overview Overview

Copyright 2022 by Stage 2 Security https:// .Security Anthony H.
Shout Out! …

Overview Identity Management Platform for: • Microsoft Applications e.g. Ofﬁce 365 • Azure Resource Manager (ARM) • 3rd Party (SaaS/Cloud) Applications https:/ /docs.microsoft.com/en-gb/azure/active-directory/manage-apps/what-is-application-management

!= Active Directory Comparison... https:/ /troopers.de/downloads/troopers19/TROOPERS19_AD_Im_in_your_cloud.pdf Active Directory (Windows Server) Azure Active Directory (Azure AD) LDAP REST APIs NTLM, Kerberos OAuth, SAML, OpenID, etc. Structured Directory (OU tree) Flat Structure GPOs No GPOs Fine-Tuned Access Controls Predefined Roles Domain, Forest Tenant Trusts Guests

Management Tools - Web Portal Management tools for Azure AD: • Azure Portal - https://portal.azure.com https:/ /www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html

Management Tools - PS Management tools for Azure AD: • PowerShell Modules ◦ MSOnline, MSOnline V1 PowerShell module ▪ Install-Module -Name MSOnline ◦ AzureAD, Azure Active Directory V2 PowerShell ▪ Install-Module -Name AzureAD https:/ /www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html

Copyright 2022 by Stage 2 Security https:// .Security PowerShell -
MSOnline - Auth Load: Import-Module MSOnline Auth: Connect-MsolService (or) $creds = Get-Credential Connect-MsolService -Credential $creds https:/ /github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md

MSOnline - Commands https:/ /github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md PS Command Desc Get-MSolCompanyInformation List Company Information Get-MSolUser -All List all users Get-MSolGroup -All List all groups Get-MsolRole -RoleName "Company Administrator" Get-MSolGroupMember –GroupObjectId $GUID List members of a group (Global Admins in this case) Get-MSolUser –All | fl List all user attributes Get-MsolServicePrincipal List Service Principals

Azure AD - Auth Load: Import-Module Az Auth: Connect-AzAccount (or) $creds = Get-Credential Connect-AzAccount -Credential $creds https:/ /github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md

Azure AD - Commands https:/ /github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md PS Command Desc Get-AzContext -ListAvailable List Context Get-AzSubscription List Subscriptions Select-AzSubscription -SubscriptionID "<ID>" Select a Subscription Get-AzRoleAssignment Current user's role assignment Get-AzResourceGroup List resource groups Get-AzResource List resources Get-AzStorageAccount List storage accounts

Management Tools - CLI Management tools for Azure AD: • Azure CLI ◦ v1 - Azure Classic CLI (w/ ARM Support) ◦ v2 - Azure CLI - AAD platform (v1.0) ◦ v3? (currently beta) - Azure CLI - Microsoft Identity platform (v2.0) https:/ /www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html

Copyright 2022 by Stage 2 Security https:// .Security Azure CLI
- AAD platform (v1.0) - Auth Auth: az login https:/ /github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md

Management Tools - .NET Management tools for Azure AD: • .NET Libraries https:/ /docs.microsoft.com/en-us/dotnet/api/overview/azure/activedirectory?view=azure-dotnet

Management APIs Management technologies and techniques (APIs) for Azure AD: • APIs: ◦ Microsoft Graph ◦ Azure AD Graph ◦ Exchange Provisioning Service https:/ /www.youtube.com/watch?v=o5QDt30Pw_o

Management APIs ◦ https:/ /www.youtube.com/watch?v=o5QDt30Pw_o Azure Web Portal Azure Portal API Internal Azure AD Graph API

Management APIs Management technologies and techniques (APIs) for Azure AD: • APIs: ◦ Microsoft Graph ◦ Azure AD Graph ▪ Internal Azure AD Graph API ◦ Exchange Provisioning Service https:/ /www.youtube.com/watch?v=o5QDt30Pw_o

Licenses Different Licenses • Free. • Premium P1 (6$ user/month). • Premium P2 (9$ user/month). http:/ /www.rebeladmin.com/2016/09/azure-active-directory-edition-buy/

Copyright 2022 by Stage 2 Security https:// .Security Microsoft Identity
platform (v2.0) “AAD authentication platform (v1.0) is being deprecated.” “Microsoft Identity platform (v2.0) is the new authentication method and is used by Azure CLI beta.” Microsoft identity platform (v2.0) is an evolution of the Azure Active Directory (Azure AD) developer platform (v1.0). https:/ /docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest&tabs=azure-cli https:/ /docs.microsoft.com/en-us/azure/active-directory/azuread-dev/azure-ad-endpoint-comparison https:/ /docs.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-overview

Joined Astute Hunting

Joined Endpoint ... https:/ /jairocadena.com/2016/02/01/azure-ad-join-what-happens-behind-the-scenes/

Join (Windows 10) • User chooses to join device to Azure AD. • User authenticates and provides an MFA proof (if conﬁgured). • User accepts terms from MDM system (if applicable). • Device registers with Azure AD. • Device enrolls into MDM system and gets sign-in policy (if applicable). • User signs into Windows. • User provisions Microsoft Passport for Work. • Device encryption is enabled and BitLocker key is escrowed to Azure AD. • User enterprise settings are applied. https:/ /jairocadena.com/2016/02/01/azure-ad-join-what-happens-behind-the-scenes/

Request Tokens Azure AD connected computers store a token that can be used as a token for authentication The token is used for single sign on (SSO) for Microsoft Resources The token can be stolen and used to login as a domain user https:/ /dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/

Copyright 2022 by Stage 2 Security https:// .Security Stealing Azure
AD Request Tokens Using Voodoo, we execute a program that steals a JWT token That token is then used to login as the domain user https:/ /posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30

Copyright 2022 by Stage 2 Security https:// .Security Integration w/
on- premises Active Directory Astute Hunting

Copyright 2022 by Stage 2 Security https:// .Security Azure AD-Connect
Authentication Methods:: • Password Hash Synchronization (PHS) • Pass Through Authentication (PTA) • Active Directory Federated Services (ADFS) https:/ /docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect

Copyright 2022 by Stage 2 Security https:// .Security Password Hash
Synchronization (PHS) Password hashes of Active Directory users do not transit over the network. A hash, of each password hash, is being sent. https:/ /docs.microsoft.com/fr-fr/azure/active-directory/hybrid/reference-connect-accounts-permissions

Synchronization (PHS) Compromised Azure AD connect Sync account == Compromised AD C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf + DPAPI + AES https:/ /blog.fox-it.com/2019/06/06/syncing-yourself-to-global-administrator-in-azure-active-directory/ https:/ /www.youtube.com/watch?v=JEIR5oGCwdg https:/ /www.slideshare.net/DirkjanMollema/im-in-your-cloud-reading-everyones-email-hacking-azure-ad-via-active-directory

Copyright 2022 by Stage 2 Security https:// .Security Pass-Through Authentication
(PTA) https:/ /blogvaronis2.wpengine.com/azure-skeleton-key/

(PTA) ... https:/ /blog.xpnsec.com/azuread-connect-for-redteam/ https:/ /gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c

Copyright 2022 by Stage 2 Security https:// .Security Active Directory
Federation Services (ADFS) https:/ /docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-single-adfs-multitenant-federation

Copyright 2022 by Stage 2 Security https:// .Security Ask yourself
if you still really need ADFS? https:/ /www.vansurksum.com/2019/08/05/ask-yourself-if-you-still-really-need-adfs/

Copyright 2022 by Stage 2 Security https:// .Security Attacking the
Bridges! Overview

Copyright 2022 by Stage 2 Security https:// .Security BloodHound-AzureAD Fork
of the BloodHound UI containing Azure AD features https:/ /github.com/dirkjanm/BloodHound-AzureAD

Copyright 2022 by Stage 2 Security https:// .Security Azure StormSpotter
Azure Red Team tool for enumerating Azure environments https:/ /github.com/Azure/Stormspotter

Synchronization (PHS) Password hashes of Active Directory users do not transit over the network. A hash, of each password hash, is being sent. https:/ /docs.microsoft.com/fr-fr/azure/active-directory/hybrid/reference-connect-accounts-permissions

Synchronization (PHS) Compromised Azure AD connect Sync account == Compromised AD C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf + DPAPI + AES https:/ /blog.fox-it.com/2019/06/06/syncing-yourself-to-global-administrator-in-azure-active-directory/ https:/ /www.youtube.com/watch?v=JEIR5oGCwdg https:/ /www.slideshare.net/DirkjanMollema/im-in-your-cloud-reading-everyones-email-hacking-azure-ad-via-active-directory

(PTA) https:/ /blogvaronis2.wpengine.com/azure-skeleton-key/

(PTA) ... https:/ /blog.xpnsec.com/azuread-connect-for-redteam/ https:/ /gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c

Copyright 2022 by Stage 2 Security https:// .Security Scott Piper
@0xdabbad00 Shout Out! https://tldrsec.com/blog/lesser-known-aws-attacks/

- Client - #90210 AWS Account - Attacker - #31337 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Cloud Formation Template Stack Lambda Function

Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother Click
Link In Email https://us-east-1.console.aws.amazon.com/cloud formation/home?region=us-east-1#/stacks/create /review?templateURL=https://TODO_BUCKET_NAME.s 3.amazonaws.com/TODO_TEMPLATE_NAME.yml&stackNa me=TODO_STACK_NAME https://aws.amazon.com/blogs/devops/construct-your-own-launch-stack-url/

- Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role

- Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother Attacker
Needs Targets AWS Account ID# To Follow The Path Back

- Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function AWS IAM Policies Role AWS SAM

- Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother Sample
Code https://github.com/TweekFawkes/SocialStackSetSmother

Copyright 2022 by Stage 2 Security https:// .Security Trainings @
BlackHat & On-Site! Thank You! [email protected] .sh @TweekFawkes

Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!

Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!

More Decks by TweekFawkes

Other Decks in Technology

Featured

Transcript