Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ABS2024: How Criminals Breach Your Azure Enviro...

ABS2024: How Criminals Breach Your Azure Environment by Marco Schmidt & Manuel Meyer

⭐️ How Criminals Breach your Azure Environment#
In this session we look at how malicious attackers exploit even the slightest misconfigurations in your Azure environment. We go over typical MITRE attack techniques, such as phishing, credential enumeration, brute force password spraying and verification bypass and show how they are applied to Azure.
🙂 MARCO SCHMIDT ⚡️ Security Engineer @ GrabX Solutions
🙂 MANUEL MEYER ⚡️ Azure Architect @ GrabX Solutions

More Decks by Azure Zurich User Group

Other Decks in Technology

Transcript

  1. 2 2 whoami - Manu Azure Architect @ GrabX Solutions

    Leading your way through the Azure Cloud Zurich, Switzerland Organizing community events manuelmeyer.net
  2. 3 3 whoami - Marco Security Engineer @ GrabX Solutions

    Working with customers to protect their cloud environments Bern, Switzerland Like to break things thesecurityguy.ch
  3. 4 4 Introduction •Fictional Scenario of Attack Kill Chain in

    the Cloud •All techniques are valid attack techniques and have been used by threat actors in the past •Scenario has been simplified to fit the session •REMEMBER: With great power comes great responsibility! 💪
  4. 5 5

  5. 6 6 Lateral Movement Privilege Escalation Defense Evasion Initial Access

    Reconnaissance -> Find Passwords -> User Enumeration -> Password Spray -> Conditional Access Bypass -> Abusing Dynamic Groups -> Abusing VM Contributor Role
  6. 8 8 Find Passwords How do Hackers get your Passwords?

    • Open Source Intelligence (OSINT) • Phishing • Darkweb • Dumpster Diving • Password Attacks • Malware • Etc.
  7. 9 9 Find Passwords How can you protect against this?

    • Use Passkeys • Entra ID Smart Lockout • M365 Defender Suite • User Awareness Training • Most important: Brain.exe
  8. 13 13 AADInternals • First Released in 2018 by Security

    Researcher Dr. Nestory Syynimaa • “The ultimate Azure AD / Microsoft 365 hacking and admin toolkit” • License: Creative Commons
  9. 15

  10. 19 19 Password Spray • API Endpoint: https://login.microsoft.com/common/oauth/token • API

    Responses: • AADSTS50034 -> User doesn’t exist • AADSTS50126 -> Invalid password • AADSTS50076 or AADSTS50079 -> MFA response • AADSTS50057 -> Disabled account • AADSTS50055 -> Password expired.
  11. 20 20 MSOLSpray • Uses Entra ID Error Codes to

    find out information about accounts • Can find out if account has MFA enabled without triggering notifications • Can use FireProx to rotate source IPs and avoid detection and lockout • First released in 2020 by Penetration Tester Beau Bullock (MIT License).
  12. 22 22 Password Spray How can you protect against this?

    • Make users use strong Passwords • Use Passwordless Authentication.
  13. 25 25 Conditional Access Bypass • Common Attack Vectors: •

    Location • Exclusion Group Abuse • Device Platform • MITM Attacks (e.g. with Evilginx) • MFA Bombing • Social Engineering • Etc.
  14. 26 26 Conditional Access Bypass • Common Attack Vectors: •

    Avoid Conditional Access completely by getting access to an excluded user! • Who is typically excluded? • BreakGlass Admins • Lazy Admins • Service Accounts • Angry Complaining Users
  15. 27 27 Conditional Access Bypass • Common Attack Vectors: •

    Location • Exclusion Group Abuse • Device Platform • MITM Attacks (e.g. with Evilginx) • MFA Bombing • Social Engineering • Etc.
  16. 30 30 Conditional Access Bypass How can you protect against

    this? • Keep exclusion list as short as possible • Create Block Rules to prevent access in unwanted scenarios • Pay attention to conditions • Use CA gap analyzer workbook
  17. 31 31 CA gap analyzer Prereqs: • Microsoft Entra Premium

    P1 • Log Analytics Workspace • Role for Azure Monitor and Entra ID
  18. 37 37 CA gap analyzer Preview Features: • Named Locations

    with no Conditional Access Coverage • Sign-ins from IPv6 addresses not assigned to a Named Location
  19. 42 42 Abusing Dynamic Groups • Scenario: • Company has

    outsourced Azure VM Management to another company • The name of this fictional company is: VMGenius.io • All users are invited as Guest Users.
  20. 46 46 Abusing Dynamic Groups How can you protect against

    this? • Don’t allow all users to invite guest accounts • Don’t base dynamic group membership rules on user-controlled attributes • Be aware that even non-user controlled attributes could be changed somehow (e.g. from Entra ID Cloud Sync) • Be careful when designing dynamic group membership rules.
  21. 47 47 Lateral Movement Privilege Escalation Defense Evasion Initial Access

    Reconnaissance Result: Escalation to privileged role
  22. 48 48 Abusing VM Contributor Role • It is a

    privileged Role • It can execute Scripts on VM with SYSTEM Privileges • Abusing Examples: • Extract NTLM Hashes from VMs • Install Malware on Systems • Extract Information from File Servers • Elevate Privileges from Cloud-only to onPrem • RL Example: • TA UNC3944 uses Serial Console to deploy remote management software
  23. 50 50 -> Find Passwords -> User Enumeration -> Password

    Spray -> Conditional Access Bypass -> Abusing Dynamic Groups -> Abusing VM Contributor Role Lateral Movement Privilege Escalation Defense Evasion Initial Access Reconnaissance
  24. 51 51 Conclusion • Be careful when exposing information publicly

    • Use built-in protection features from Microsoft • Look at configurations from an attackers perspective • Keep an eye on you CA Policies and Dynamic Groups • Don’t be lazy! (at least in Cyber Security J)
  25. 52 52 [email protected] thesecurityguy.ch [email protected] manuelmeyer.net Marco Schmidt Manuel Meyer

    Description Link GitHub of Beau Bullock (Azure Pentesting Tools) https://github.com/dafthack MicroBurst Toolkit for Attacking Azure https://github.com/NetSPI/MicroBurst Website of AADInternals https://aadinternals.com Hands-on Azure Pentesting Training https://cloudbreach.io/breachingazure Microsoft Penetration Testing Rules of Engagement https://www.microsoft.com/en-us/msrc/pentest-rules-of- engagement VM Contributor Role Abuse RL Example https://www.csoonline.com/article/575297/attacker-uses- the-azure-serial-console-to-gain-access-to-microsoft- vm.html Video about Passkeys from John Savill PASSKEYS - What they are, why we want them and how to use them! (youtube.com)