
Hello everybody, thank you for being here. My name is Christian Bon; I know it's a difficult name if you're not an Italian speaker, but you get used to it. Today I want to present "Abusing Azure Arc: from service principal exposure to reverse shell". I'm a penetration tester working at Merck Group; Merck Group is a pharmaceutical company and I work in the offensive security team. We mainly do web application pen testing, Active Directory and infrastructure. I also do some research in my free time, mainly on Active Directory, Windows internals and everything that is Windows undocumented, and you can find me, EX byes, on Twitter or LinkedIn.

So what is Azure Arc? Azure Arc is an Azure service that allows you to connect servers from your on-premises environment or internal infrastructure, or from other cloud platforms, to Azure itself, so you can control these servers from the cloud. And you have different services there, like monitoring, Azure Defender, Azure Sentinel, Azure security groups; you can also run commands through the Azure command-line tool, so if you want you can simply connect back and run commands. The way this works under the hood is that you have an agent running on these servers in your internal infrastructure, and this agent connects back to Azure, and now you have a communication channel between these two. An example of this you see here: my own server in my internal infrastructure is server01; you can read the fully qualified domain name, my domain is exby.com, and on the left side you have a bunch of options like settings and other resources and features that you can use.

The important thing to understand here is that to use Azure Arc you need to have a service principal, because the server needs to connect back to the cloud, so it needs to authenticate. So you need to create a service principal before you're able to join a new machine to the cloud. In my case this is my service principal, it should be Hybrid Arc, and of course you need to create a secret. Don't try to use my secret because it expired, but yeah, you need to create your own secret. After you do that, Microsoft suggests you three roles: the first one is for onboarding, the second one is for Kubernetes, and then there is another one for administrator tasks. In my case let's assume that we give the user the first role and the last one, so we can onboard new machines and we can control Azure Arc.

When you want to add servers with Azure Arc you have three options: you can add a single server or, for example, you can add multiple servers. In our presentation we are going to use the second one, so we add multiple servers to the cloud. This is used when you have more servers in your internal infrastructure and you want to join them at the same time; you don't want to do it manually one by one. So when you click that link you are brought to this page where you can select the deployment method that we can use, and in my case we're going to use Group Policy. So we're going to create a GPO, and when this GPO is applied to the OU, then all the machines there are going to start the onboarding phase and join Azure Arc. And if you read here in the second point, Microsoft tells you that you have to create a remote share where you are going to load the Windows installer package, and this network share needs to be accessible by domain computers, admins and domain controllers. Okay, the third point that you need to follow is that there is a deployment toolkit that Microsoft provides that you need to run to deploy this technique. So if you see here, when you go to the link you have this deployment toolkit; it's a zip file, and when you open it you have mainly three scripts, well, two scripts and one PowerShell module: DeployGPO.ps1, EnableArc.ps1 and AzureArcDeployment.psm1.

So you have these three scripts. The first script is a script that needs to be executed on a domain controller and does the following actions: it deploys the Azure Arc servers onboarding GPO in the local domain, so it creates the GPO, and it copies the other script, EnableArc.ps1, into the share. As you can see here, what we do is pass two parameters, the service principal ID and the service principal secret, and we also pass other information like my domain, in this case exby.com, the report server fully qualified domain name, which is the server where you have the share, and also you pass the network share, in my case ArcOnboardShare, and other information like the subscription ID and the tenant ID. Okay, and what the script does is create the GPO; in fact, when you run the script, then you can check and you see that there is a new GPO created in the network. Usually it has this syntax and you can find it quite easily.

The other script is EnableArc.ps1, and it is the script that is basically going to be executed by the server. It's going to do a bunch of checks in the beginning: check if the machine is an Azure VM or a non-Azure VM, check the .NET Framework version, the PowerShell version, and then it's going to install the Connected Machine agent on the machine and it's going to connect the server to Azure Arc, and to do that it's going to use the service principal, because it needs to authenticate to the cloud. And the last script is a module, and this is basically a wrapper for DPAPI-NG; I'm going to explain why it's there and what it's used for.

So when I was studying all of this, my question was: okay, where is the secret stored and how is it protected? Because the server needs to take the secret somehow, right, because it needs to authenticate, so where is this secret? This secret is in a file that was copied while the DeployGPO script was running, and you can find it in the network share that we previously created to load the Windows installer package. But the problem is that if you're going to look in the file, inside this file the secret is encrypted. So if you try to open it and read it, it's encrypted. So how is this encrypted? It's encrypted using a Microsoft technology called DPAPI-NG. So how many of you know DPAPI? Okay, it's enough, okay. So DPAPI-NG is the evolution of DPAPI; it was introduced by Microsoft in 2008, 2012 if I'm not wrong, and this basically allows you to encrypt a secret using a user or a computer account and have this secret decrypted by another user or another computer account in your AD environment. So for example you are an Active Directory user, Chris, and you want your secret to be decrypted only by user Phil, okay; so in this case you can use this technology to use a SID as a descriptor, let's call it protector, and only that specific SID can decrypt your secret. It can be a group or it can be another user, another object in AD generally speaking. The condition is you need to be inside the domain, because you need to be able to contact the domain controller, because from the domain controller you get the key that is necessary to decrypt the secret; otherwise you cannot do it. It's not like DPAPI.

So for example this is the function, the Windows API call that is used to encrypt the secret, and as you see there is the descriptor here; this is basically the SID. So it's the SID that you need to specify when you want to say: okay, I want this secret to be decrypted by this specific SID. So it is a SID-protected blob. You don't need to know a lot about DPAPI-NG to exploit this vulnerability that I'm going to show here, but if you want to dive deep into this, take a look at this presentation; it was done in 2017 at Black Hat, so she dives into this technology and how it works under the hood much more than I can do.

So why did I explain DPAPI-NG? Because if you're going to look into the script I showed you before, DeployGPO.ps1, you're going to find this line of code, and you can read by yourself the comment: encrypt the service principal to be decrypted only by the domain controllers and the domain computers security groups. So if you see, there is this function, ProtectBase64, and this means that the secret here, the service principal secret, is going to be encrypted using the descriptor; here you see the first parameter, and this descriptor is composed of the Domain Computers SID and the Domain Controllers SID. So you can already see the problem, I believe, because right now with this configuration any computer account in your domain can decrypt the secret, because this is the SID that was used as a descriptor, and this is the Microsoft base configuration. You can change it of course, you can use another SID if you want, but if you don't do it, this is what you get: you get a secret that is encrypted and can be decrypted by any computer account in your domain. And if you're going to look in the other script, EnableArc, that is the script that is going to be run by the machine, what it does is use the opposite function, UnprotectBase64, and it's going to decrypt the secret, and it can do it because it's a computer account.

So let's exploit it, let's try to use this feature to gain the service principal. So the scenario is this: we have successfully penetrated the internal network, we have a user account, in this case Chris in Active Directory, and we identified the network share containing the Azure deployment directory where there is the secret. So the first thing that we can do: there are different ways you can get a machine account in AD, you can compromise a computer or, easily, you can create a machine account with MachineAccountQuota. Okay, this is a well-known misconfiguration; if you do penetration testing you will find this quite easily in many clients' infrastructures, and in my case this user can create 10 machine accounts, so a normal user in your AD can create machine accounts. So what I did was: you can import Powermad, this is a tool that is used to create machine accounts, and you create the fake01 computer and you set up your own password, in my case it is 123456, and now you have a machine account in your AD environment. Now that you have your machine account you have to authenticate with it. You can use runas with the /netonly flag, probably it is the easiest way, or you can simply do pass-the-ticket, so you can use Rubeus to authenticate as this machine account. As you can see here there is the user fake01, there is the hash, and I do pass-the-ticket, so now the TGT is in memory and we are authenticated as fake01. Because, as I explained, the secret is encrypted with the computer account as SID, now we can simply use the same script that I showed you before, the same functionality, the same function, UnprotectBase64; we can grab the secret, and as you can see, because we have the computer account TGT in memory, fake01, we can decrypt the secret and take the value there. So this is one way to do it; of course there are other tools that you can use. This is one of them, it's called SecretManagement.DpapiNG; it does the same thing, you use the function, in this case ConvertFrom-DpapiNGSecret, you give it the encrypted secret and you get the plaintext value.

So basically we started from a normal domain user and now we were able to escalate to the cloud, because we have the service principal secret. What about the rest of the information? The rest of the information can be found in ArcInfo.json; this file is in the same share folder where you find the secret, and inside this file there is the other information that is needed to connect to the cloud: the tenant ID, the resource group, the subscription ID, the service principal client ID. Now that you have all of this, together with the service principal secret, you can simply use the Azure command-line tool, you can log in with the service principal, and because this service principal has admin roles you can enumerate all the machines that are there and you can also run commands. In this case what I did was to run a Base64 reverse shell, and I got the shell on the server, and the interesting part here is that you are SYSTEM. So basically from the internal infrastructure I moved to the cloud, and now from the cloud I move back to the servers, because now I can compromise everything that is there, everything that is connected to Azure Arc. So let me show you a video.
Before I move on, can you see it? Right? No? Okay. So this is my user, Chris; it doesn't have any special privilege, it's a normal AD user account. So let's check the domain; this is my domain. Now the next thing we want to do, we want to go to the network share. In this case the network share is accessible to everybody, because I wanted to show you that this secret cannot be decrypted by a normal user, but normally this network share should be accessible by computer accounts. So we have the two files: the first file, ArcInfo.json, contains the rest of the information we need to connect to Azure, and then we have the encrypted service principal secret file, which is encrypted, so we cannot read it with this user. So let's try to decrypt it and see if user Chris can read this secret; we're going to use the module that I showed you before, and we get an error, because we are a normal domain user.

So now what we have to do, we have to get a computer account. So let's see if we can create a computer account, let's see if MachineAccountQuota is there and we can exploit it. This is one of the many ways you can do it; of course, if you can get a computer account in other ways it's the same thing, it doesn't matter. In this case it is equal to 10, so we can do it, so we are going to import Powermad. Now we can create our computer account; I think fake01 already exists, so let's create fake03. So now it's going to check if this computer account was created correctly and is there in the domain. So now what we have to do, we need to authenticate as this machine account, so we use Rubeus, our favorite tool, with the password that we know because we just created it, and we ask for a TGT, and now we have the ticket and it's in memory. So now let's try again to decrypt the secret, and now it should be possible to do it because this TGT is in memory; same command as before, and now the secret is there. So now we have the secret, we have the other information. Ah, there is also this other method that you can use to decrypt the secret if you want, and the result is the same; the TGT is still there.

So now we can authenticate to the cloud; we are authenticated and we can move laterally, we can start to enumerate what is there. We see that there is a server01 connected to Azure Arc, so now let's try to get the reverse shell from there. Of course we have to run a listener with netcat. Now we're going to use the Azure command-line tool with the run command, and then this is the Base64 reverse shell. It can take a while because the agent needs to connect back to Azure, so sometimes it doesn't work so smoothly, and then you get the reverse shell. So let's go back here.
Okay, so the conclusion, very briefly. This represents a new attack vector that attackers can exploit to move from on-premises environments to the cloud and from the cloud back to on-premises. It's important, in my opinion, to always review Microsoft scripts, okay? So don't use the default configuration; always read what you're running before you run it, because sometimes you have configurations that are too broad. In this case, one thing you can do to avoid this problem in your infrastructure is to create a subgroup of machines that you want to onboard to Azure Arc and use the SID of this group as a protector, as a descriptor. In this way you can at least limit the attack surface, because right now with this configuration any computer account can decrypt the secret, but if you create a subgroup of machines and you use this SID as a descriptor, in this case the attacker needs to compromise one of these machines to move laterally, because any other computer account wouldn't work in this case. So this is the first suggestion: create a subgroup of machines. The second suggestion is: be careful with the roles and the permissions you give to the service principal. In this case I gave administrator permissions, and that's why I was able to do this game; otherwise it would be impossible. So always use the least permissions possible that you can give to the users. So it's not a bulletproof system, this one, because if you create a subgroup of machines the attacker can still compromise one of these and move laterally, but at least the attack surface and the impact are limited. Okay, so do you have any questions for me? Yes, I know.
During the deployment, this is done with the GPO, so usually the administrator is going to apply the GPO to the machines that he wants to onboard, and when the GPO is there, there is also the network share somewhere. So the point is, when the attacker can identify this network share, he can take the secret. So you can try to limit access to the network share, but if you do it, then the computer accounts cannot get the secret anymore. So this is the game, and the problem is to limit the number of machines who can access the secret; probably this is the solution.

Oh, no. Yes, or block the login, yeah, but if you block the login then the machine itself cannot onboard anymore. So what you can do is you can give one specific permission to the service principal, like the onboarding permission, so the only thing that it can do is onboard new machines, so you cannot run commands. So this could be it; you should do it for sure if you can. I don't know if you can do it, probably it could be another thing. Yeah, but the service principal is necessary because the deploy GPO needs that service principal and it needs to connect to Azure, so you need to pass this information somehow. It could be much more useful to limit the things that the service principal can do, so limit the permissions as much as possible, and just onboarding should be fine.

Do you consider restricting it? Yeah, okay. For sure MachineAccountQuota doesn't need to be there; this is a misconfiguration that you always report when you find it during pen testing, because it's very easy to do. The problem is that AD environments have many misconfigurations, from weak ACLs to any other thing, weak certificates. So when you are there, getting a machine account, I don't want to say that it is always easy, but it's always possible, most of the time. So you have some vulnerability or some weak password or some other problem with policy, and you get a machine account. Or you have maybe an exploit, you have an exploit, you can do RCE into servers, you get local administrator, boom, you have a machine account; you dump from memory with Mimikatz and you have a machine account. So yeah, it's very difficult to protect machine accounts. It's a little bit easier with users, but with machine accounts it's complicated.

Okay, okay, thank you.
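The mitigation the talk closes on (protect the secret with the SID of a dedicated onboarding group instead of Domain Computers) can be checked before the GPO is deployed. The following is an added example, not code from the talk or from Microsoft's toolkit: it parses a DPAPI-NG protection descriptor string (assumed to be in the documented `SID=... OR SID=...` form), flags well-known broad protectors such as Domain Computers (RID 515), and builds the narrowed descriptor; the domain SID and group RID used as sample input are constructed placeholders.

```python
import re

# Domain-relative RIDs that turn a protector into "any machine / any user".
BROAD_RIDS = {513: "Domain Users", 515: "Domain Computers", 516: "Domain Controllers"}
# Universal SIDs that are broad regardless of the domain.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}

DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def parse_descriptor(descriptor):
    """Split a DPAPI-NG descriptor into its SID terms.

    Only SID=... terms joined by OR/AND are handled; any other term type
    (LOCAL=, WEBCREDENTIALS=, ...) raises so it is not silently ignored.
    """
    sids = []
    for term in re.split(r"\s+(?:OR|AND)\s+", descriptor.strip(), flags=re.I):
        key, sep, value = term.partition("=")
        if sep != "=" or key.strip().upper() != "SID":
            raise ValueError(f"unsupported descriptor term: {term!r}")
        sids.append(value.strip())
    return sids


def audit_descriptor(descriptor):
    """Return (sid, reason) findings for every protector that is too broad."""
    findings = []
    for sid in parse_descriptor(descriptor):
        if sid in BROAD_SIDS:
            findings.append((sid, BROAD_SIDS[sid]))
            continue
        m = DOMAIN_SID_RE.match(sid)
        if m and int(m.group(1)) in BROAD_RIDS:
            findings.append((sid, BROAD_RIDS[int(m.group(1))]))
    return findings


def hardened_descriptor(onboarding_group_sid):
    """Descriptor that only members of a dedicated onboarding group can unprotect."""
    if not DOMAIN_SID_RE.match(onboarding_group_sid):
        raise ValueError("expected a domain SID like S-1-5-21-...-RID")
    descriptor = f"SID={onboarding_group_sid}"
    if audit_descriptor(descriptor):  # refuse to "harden" with a broad group
        raise ValueError(f"{onboarding_group_sid} is a well-known broad group")
    return descriptor


if __name__ == "__main__":
    # Constructed sample values; the domain SID and group RID are placeholders.
    DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
    default = f"SID={DOMAIN}-515 OR SID={DOMAIN}-516"  # Domain Computers OR Domain Controllers
    for sid, why in audit_descriptor(default):
        print(f"BROAD protector: {sid} ({why})")
    print("hardened:", hardened_descriptor(f"{DOMAIN}-1107"))
```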