Breaking Entra: Real-World Cloud Identity Attacks You Can Recreate

Yeah, it works. >> One, two, one, two. Working. >> Yeah. >> Okay, >> everyone. So, today we're going to talk about Entraote. H. Entreote is a deliberately vulnerable entry ID environment designed to simulate real world attack scenarios in your own entry ID tenant. And before we'll jump into everything, we'll talk about ourselves just for few sentences. So my name is Tom. I'm security security research team lead. And my name is Jonathan. And by the way, Tomer is my boss. H. So yeah, on our day-to-day job, we are basically researching various identity related attacks and mainly in the Microsoft ecosystem. So active directory, entro ID and even a little bit on octa. So what are we going to talk about

today? At first we're going to give a little bit of a background story to what um are goat projects and why we developed entrago. Then we're going to jump to identity is the new parimeter. This phrase comes up very often and we're going to talk about why identity security is important. Then we're going to talk about privilege escalation paths in enter ID and then enter finally and of course the scenarios inside entra goat. So goat projects um before we talk about everything anyone of you tried a goat project before a AWS goat a goat not many okay maybe yeah >> I see >> that's nice so gold projects are a family of deliberately vulnerable environments in different time of fields

it can be CI/CD it can be AWS it can be Azure it can be many other stuff and they intentionally emulate attack scenarios and attack paths in the environment Um, and it looks like a CDF and it's pretty cool. You try to learn, you try to break stuff. Um, very recommended. And that leads us to why we didn't develop um, entertain anything in the security world. Um Jonathan told me today well he didn't tell me today he reminded me again today that he when he started doing security and he actually started with doing CDFs because it's not only teaching you theoretical stuff it also helps you try stuff yourself again hands-on experience with breaking stuff

and ant ID was missing its own goat project and like we said there's AWS goat Azure goat CI/CD goat and we wanted to create one for ant ID because we love ant ID Um and the last thing we wanted to make Entra ID more accessible for everyone. We know many people these days have interest in identity security and in particular in ENT ID because it's very much connected to Azure. You cannot have um an Azure subscription without an ENT ID tenant connected to it. So we wanted to create something so everyone can try and break ENTRA. Um, identity is the new perimeter. This phrase, like I said, comes up very very often these days. And what we learn is

that by acquiring an identity of any security principle, you can bypass many network restrictions such as getting into a VPN, going through a firewall. So now you can breach the perimeter without even breaching the perimeter. You just need to acquire an identity of this organization. If we ask Claude how many sources site this uh phrase, we can see there's over a hundred sources that says this, but probably there's thousands. Um, pass the microphone to Jonathan without passing the mic. >> Thank you. Um, so this phrase identity the new parameter, uh, it's already a buzz word at this point. In my opinion, it's not correct anymore because it's not the case anymore. It's non-human identities are the new parameter and let

me maybe double click on that issue. Um so if we take the latest report by Microsoft uh from 204 about the state of multiloud security report um can you read it by the way okay so guys hear me out here they're right today there are one human identity forever 10 workload identities. uh workload identities are basically service account identities, non-human uh identities. Uh this problem is even more acute among small and mediumsiz businesses which have one human identity for every 550 zeros uh workload identities. So there's a lot of workloads identity service principles identities and in addition to that they they even mention out of the 209 million cloud identities identified in 2023 50% plus were super identities. So you

might be wondering okay 50% it's not that bad what even a super identity can do. So from the same report guys and let me read it out for you. Super identity a user or work of identity that has access to all permission and all resources across your entire cloud estate. In my opinion this is not super identities. Uh it's super ultra duper promax uh identities. Okay. and and even add to that uh there were three human super identities for every seven workload super identities. So if you take that into into consideration it's not identity is non-human identities are the new parameter and indeed it's broken. Ah and what's last uh metrics uh 2% of all

assign human and workload identity permission were used. So we have like 50x more permissions than needed. H the the same thing apply to the next one. And guys this is by Microsoft the right the guys that that produced this product. Um and if you talk about Microsoft let's take uh an example uh straight for from there time when they got breached by AP29 midnight blizzard. Uh this happened I think in early 2024. So basically Mitiga wrote a fully report on what happened allegibly happened. Um but at the end of the day the attack path is very very straightforward. Okay. So AP29 uh got access uh by password spraying um a legacy test account in their legacy

test tenant. Again the words here are very very important because uh I'm sure that many uh people went over this uh document in order to save any trouble for Microsoft but again uh a legacy test account got compromised then but somehow it got an ownership over a legacy of application and that application has a an identity inside Microsoft own cooperate tenant and maybe this connection uh might seem a bit I don't unclear how they move from one tenant to another. So let me just uh elaborate a bit on that. So whenever you uh deploying an application in your enter ID environment, you're basically creating two identities, not one but two. Okay. Um the first thing is the

application registration which is an identity that have all the um all the scope uh defined in it all the blueprint of the application all the redirect URIs in it uh but it's not the security principle meaning it's it's not it's not the right uh principle that get access to uh all the resources this is the service principle itself. So the application registration define all the scopes and all the blueprint regarding this the identity but the security identity behind the scene is the service principles. So uh you can define in one tenant the application itself and then deploy it into another tenant and basically have this connection from legacy of application to a service principle and the moment we read that

report we knew that we wanted to include it in our uh in our entry go scenarios and we did exactly that. H if you will able to see here the mark line they say uh by mitiga the app all assignment read write all in particular suggest the attacker could assign app role and manage permission across the tenant a credibility that will significantly amplify their access and control over corporate resources and we were like okay so basically let's recreate that let's recreate that attack path exactly as it is without the initial access because there are many ways to get initial access to a given tenant And we did just like that. We created the first two scenarios you will encounter uh when

when entering entry goat are those taking control over a service principle and using it uh its authentication context in order to private escalation and move laterally within the tenant. Okay. And by the way, one last thing uh this highlight the importance of service principles inside the tenant and and in fact service principles shape in our opinion the current landscape of private escalation in enter ID. Yeah. So now that we know why security identity security is important we're going to talk about what is going on in ENTRA. Um it's a mess but it's a beautiful complex mess. So there's in modern Android environments it are just gold mine for attackers. There are so many privilege escalation paths that it's crazy. You

have over permissioned applications, stale group memberships, mism service principles and just general misconfigurations that happens in an enter environment on a regular basis. All of which can lead to a total tenant compromised with just a few steps. And we put a lot of emphasize on that in entra because you will see it just takes a few steps to go from a low privilege user into a total tenant compromise service principles. Jonan just said that non-human identities are very important and we think are the most critical objects in your environment because they are unique, important and very dangerous. They have usually long lived passwords and certificates that you can use to authenticate as the service principle

and they operate differently than users. They operate in an app only context and that lets you bypass security controls like MFA and conditional access policies. And for those of you who don't know, conditional access policies are like GPOs in active directory. Um, it's a very big thing in our opinion, but you don't just need to believe us when you say there's a lot of attack paths in ENT ID. You can look at Microsoft and what they published that 58% of organizations have at least one attack path in their environment. 7% have over a thousand attack puffs in their environment. That's probably thousands or maybe hundreds of thousands of organizations. Um, and on average, yeah, there's 351 attack paths in any

organization. >> Those are big numbers if you ask me, by the way, guys. Like, yeah. Um, so just to reiterate what we said in the beginning, Entreote is an open-source deliberately vulnerable entry ID environment that designed to simulate real world attack scenarios in a test tenant um, in a CTF style for you to have fun. So this is how entert looks. We designed it ourself and the UI was made by ourselves using cloud. There's six challenges in different difficulty levels. There's beginner, intermediate, and advanced. For each challenge, you have a unique story to give you a real world feeling for this scenario. You have the starting credentials. It can also be a certificate. You have a setup script and

a clear script that we'll talk about in a second. you have a place to submit a flag because it's a CDF after all. And there's hints to build on top of each other h in case you need them. But looking at you, I don't think you need any of them. Um, okay. So maybe to talk about uh a little bit more about uh our goal behind uh developing entert

beginner friendly. So even if you never touch enter ID, you can jump right in, follow uh the steps and learn basically on your own how to exploit the whole tenant. Okay. Um so as you saw earlier in the UI itself, there are three beginners um scenarios, one intermediate and two advanced. Okay. Uh again really pushing on the points that we wanted to make it very very beginner friendly. Uhhuh. And by the way, by the way, uh everything is written in native PowerShell and Microsoft Graph SDK. So there isn't any third party tooling importing in that. You can basically read the solution scripts for each uh scenario and understand what's going on. There is everything from enumeration uh

to exploitation being done there. And by the way uh we got out we got out of question how much is it cost to deploy uh the scenarios it cost zero because Microsoft basically charge you on resources not on identities. Okay. So uh when I develop it with Tom we maybe h deploy around thousand times uh f scenarios and our cost still remains zero. So it doesn't cost much. Um and a bit more about the challenges themselves. Each challenge comes with three unique uh files. Okay. Uh the first file is the setup script. So basically you run the PowerShell script in order to deploy uh the vulnerable environment into your own test tenant. Then you have a cleanup script because

we do not want to leave your tenant vulnerable to any attacks after you learn the module. And we also have a full solution walkthrough and a blog post on the Seris website on how to solve everything and all the background uh behind each attack. H so the cost of each uh of the tool we get a lot a lot of the question about it but the second most popular question we get is can we run it in production environment. I kid you not guys it's a true question. It's a true question. You should not run them in production environment guys. It's a deliberately vulnerable uh deployments. Do not run them in in production. Okay. Um so let's jump right ahead into

the scenarios. We're going to go through over the six scenarios. If you have any question uh throughout the presentation themsel or the scenarios just raise your hand and we can do it like that. Okay. The first one as we previously saw is very simple. You are a low privilege user that have an ownership over a privilege uh service principle um which has the role of PA which is privilege authentication administrator. This role can basically reset and set every password or for any user in the tenant. So uh in Microsoft enter ID ownership is a feature because you want to delegate administrative actions. So a low privilege user can be an owner of a high privilege service principle and the

attack path is very straightforward. You basically add a client uh a client secret to the service principle. You authenticate uh in the app only context meaning you operate in the in the context of the application itself. uh and that way you can get its privileges and reset the global admin password. Very very straightforward again really beginner friendly just to grasp the understanding the initial understanding of what it look like to operate uh from an application context. The next scenario again very very simple uh you got you're getting a certificate and you're getting asked to find uh which identities belong to this the certificate you enumerate the environment and you find out that it belongs to cooperate finance analytics

application and if you remember this uh role permission we saw earlier in the migga report and on how Microsoft got breached by AP29 this is the exact same scenario Okay. So the the solution for that is again very very straightforward. You use a certificate you authenticate at the service principle and then uh you're using the app or assignment readrite all permission in order to grant yourself another permission because basically what this permission allows you is to grant yourself or to an identity in the tenant another permissions. So you grant yourself a privilege permission which is role management readr directory which allows you to grant any identity in the tenant any role you you want. So you use

it in in order to grant yourself the global admin role and then you basically reauthenticate in order to refresh the JWT token and reset the password of the global administrator. Okay, those were were the two uh straightforward scenarios. The third scenarios uh introduce a little bit more complexity to the attack uh chain to the attack path but again it's it relies on on previous experience you gain in h in those initial scenarios. This is how it looks. Again you are ownership you have ownership over a group this time not a a service principle identity but basically the same thing. If you're an owner of a group, you can add yourself as a member to that group and then you can inherit

all the privilege those groups has that group has. Um this is how it looks the attack path. So if you are an owner of a privilege group that has the role application administrator, you can basically add a secret to any you can basically back door any service principle within the environment. So what you do in this scenario uh you add yourself to the group. The next step is going to add a back door to a privileged service principle. That service principle is also a member in a given group, a privilege group and you use it in order to reset the h the password of the global administrator. Again we're literally building the the knowledge of

the attack path in enter ID. Scenario number four, again very very similar to scenario number three, but we added another component to the mix and that is PIM uh which basically allows you uh to set a specific time or activation period in which you can activate a given role uh or ownership. So a low privilege user has eligible ownership over um a privilege group and the attack path looks like this. You activate the ownership. First thing first, you find the ownership. I know it took very straightforward the attack path. You go from A to B to C. But in the scenario themselves, we really try to make them realistic. So, uh there are multiple identities deploy in each scenario. So,

you don't have just one eligible ownership over a given app admin. You have like five and you have to understand which of those groups are able to help you to private escalation your way forward in the tenant. Okay. Um in addition to that uh you need to activate uh the role that the group itself has and then just like in scenario number three um you can set tap temporary access password on the global administrator. Any questions this far guys? Yeah. Get back to scenario number one. >> Three.

Isn't that true? >> Okay. Uh so when in order to add yourself to a group, you don't need any uh anything to be exact. If you are a group owner, you basically can manage the group and you can add whenever you want whenever each identity you want to that group. So there's no need to any other uh more uh per um allowance basically. >> Okay. Then I may have mixed it up when you add another application that has to be granted first, right? >> What? Sorry. >> If you have an application that's been granted uh access uh specifically, then that has to run over global admin, right? I think so. >> I didn't understand the question. I'm

sorry. >> Okay. I come back to you after the talk. >> Okay. Thank you. Okay. Um so those were the four first scenarios. The fifth and sixth scenarios are a bit more complex and because we wanted to explore different attack path that are not uh beginner friendly but much more complex but more fine uh and show more features within enter ID. So scenario number five which is called department of escalation. Are you ready for this? Um okay. Um so once you authenticate to the tenant as a lo privilege user um you enumerate uh the groups that you are part of and the eligible membership in other groups and just like the previous example in scenario number four you found yourself

that you have two eligible assignment one for eligible owner of a privilege group that have a very specific scope in which it's h privilege on. Okay, it's called administrative unit and you find you also have eligible membership in a custom role. Again, user profile administrator is not a built-in role within enter ID. It's a custom role we built in order to showcase that even the least privilege uh uh permissions such as uh user basic update can cause a lot of harm if you don't use them correctly. Okay. So this very basic uh action it's called in documentation user basic update can um update and change any properties on any identity within the tenant. It's basically a feature for IT

admins in order to change departments to uh change name to change uh basic properties. But if you combine it together with a with a a a privilege role over a specific AU, okay, that means that this group is only privileged on that specific AU only on the HR department users. But if you combine the attack path from above with the one down there, you understand that you can edit any properties on any user you want. So you can cause it to be added into the AU and then you have control over it. So you can visit its password. Okay. Uh very very realistic scenario by the way. Scenario number six is our most complex one and

it's indeed complex. Um let me walk you through uh the short version of it because we don't have a lot of time. Um one interesting point uh to say is that you can't assign a service principle ownership over another principal ownership. You can't do it via the UI the Azure portal or the admin center but you can do it uh through uh the direct API call and we did solve that in uh many of our customers because it's really useful for automation tasks. Okay. So instead a user manage another service principle let's make it automated that a serviceable specific can manage another one. Um it's really useful feature but again this can be exploited and the the exploitation is

very simple in in that case is that if you're an owner like we said earlier you can add yourself h you can add a back door access to it and authenticate to it. So in this case there are three steps. You first authenticate as a Terrence McKenna user to this as a service principle. Then you authenticate you add a backd dooror secret to the other service principle and you find out that service principle has the role the permission of organization read write all uh this permission basically can add any root certificate authority to the tenant. um but it's not useful if you you're you can't authenticate with a certificate to the tenant. So the above attack path

basically allows you to enable CBA certificate based authentication in the tenant and that way you can combine those two together and um add a root CA a evil root CA uh to the tenant and then use it to sign um a certificate for the global admin and then authenticate with that certificate as a global administrator. That's it on a very very uh speed run of the scenarios. Thank you guys.

Any questions? There's one.

Yes, of course.

>> Um, so

Okay. Um so the permission itself organization read write allows you to uh manage um the orwide um configuration in the tenant. One of there are many orwise configuration in the tenants such as branding such as metadata for the organization a lot of stuff but one of them and it's very hidden in the documentation of Microsoft by the way is the ability uh to add your own uh certificate authority to the tenant. Okay. So in this attack path you literally create your own erh private key you deploy with opensl uh certificate authority and you add it to the uh to the root tenant. Did I answer the question or miss it completely?

You can have more than one certificate authority in the tenant. You can you can have like five. So if you had another one, there's no problem in that. If I didn't answer it fully, please come afterward. I will I would be glad to talk about it uh one more time if I didn't answer it correctly. Any more question guys over there?

>> Huh?

>> Hello. So, as you said, entry ID is super complicated, right? And I'm curious about your opinions on if you feel like Microsoft has taken enough responsibility to reduce some of that complexity for CIS admins who have to spend quite a bit of time learning the ins and outs of the permissions and what's possible with each one especially related to workload identities. And then second question uh what would you recommend Microsoft change with the workload identity experience to make it easier for CIS admins to do correctly? O those are really two big question. First uh the first question was about uh do we think Microsoft are doing enough? And the answer to that I think is yes.

Uh I in my opinion at least I think they're doing enough. Um it's a really uh long answer but I'll keep it very very short and I and I say that uh each each big system will have its own complexities and difficulties to manage. Okay. And in my opinion, the more configurable you make it to be uh the more you can do with that. Um so that's for example why I really love Android and hate iOS is because I can I can I can configure my phone differently. So um I see those things as features not as bugs. But again uh the place for a lot of misconfiguration and mismanagement really cause it uh to have a lot of

attack path in each enter the environment. And the second question please remind me I already forgot.

>> Oh >> it's a hard question. What would I change? Um I think I will start by making them one identity instead instead you of you having uh two identities one application registration and one enterprise application uh service principles I will just make it one and all the management will be on that one last thing guys we finish we have like six uh shares like this merge if you want h so the first six to come to us will have this awesome shirt. Enjoy. >> Thank you. >> Thank you very much. >> Thank you.