
Right now we have APT attack techniques in Azure Cloud by Lena Lao, so let's welcome her to the stage.

Hello, testing. All right, awesome. Hi everyone, thank you so much for joining me. My name is Lena, or you can call me Inverse, as some of my internet friends call me. Today we're going to be talking about APT attacks in Azure Cloud.

I want to set the scene a little bit and talk about why we are even talking about the cloud in the first place, as I'm aware not everyone is in the red teaming or blue teaming space. I really like this write-up from Check Point, but essentially since 2022 there's been a 48% increase in the types of attacks that infiltrate the cloud. Specifically in our region, the Asia Pacific region, there's been a 60% increase, so even more. The reason why this matters is because 98% of organizations are either fully in the cloud or have some kind of hybrid model in the cloud.

Now this brings me to the problem and why we are even discussing attacks in the cloud. The first reason is there is a high knowledge barrier around what attack techniques exist in the cloud. Once you've worked your 100th business email compromise case you can feel the soul leaving your body, but I'm here to tell you that there's more to life than business email compromise jobs and more to life than token abuse. There are a lot more attacks that infiltrate the cloud that aren't popularly known, and not many write-ups talk about them.

The second reason is a lot of the remediations that happen after an incident response focus solely on the on-prem environment or solely on the cloud environment. Now threat actors are evolving, so typically what we're seeing with the BlackCat ransomware group, ALPHV, is that the way they deploy their ransomware is now moving into the cloud space; for example, they're also encrypting storage containers sitting in Azure.

The third is that there's a lot of misconceptions around the cloud, and namely these misconceptions lie around how strong MFA is. I'm not talking about stealing tokens or "MFA protects you", but more the fact that in the on-prem environment we've got NTLM hashes, but in the cloud environment we've got tokens, and if a threat actor steals a token it bypasses the need for MFA.

And then lastly, most organizations are fully in the cloud or hybrid, and threat actors know this and they utilize this in their toolkit. Attacks in the cloud: outside of business email compromise, the more insidious attacks I'm talking about are already happening. I'm not going to go and talk about the history of each one of these threat groups, but just to give you a little TL;DR: for example, the Lapsus$ group abused techniques that allow them to persist in Azure AD, okay, I mean Entra ID. APT29 loves to use lateral movement techniques like skeleton keys and the Golden SAML attack. APT28, also a Russian nation-state threat group, likes to leverage attacks that focus on abusing service principal accounts in Azure, or abusing OAuth 2 in order to persist inside the cloud environment. APT41 likes to do things like abusing legacy authentication protocols in the cloud.

And I can't really talk about threat actors without talking about the big cloud elephant in the room, which was the Storm-0558 breach that Microsoft recently published a massive write-up about, and so did Wiz. This was where the alleged Chinese threat group found a crash dump in a Microsoft system where a race condition resulted in a signing key being present inside the crash dump. This allowed the threat actors to forge multiple tokens in order to access various resources inside the cloud. This resulted in the breach of multiple organizations, various government organizations.

Because I unfortunately only have 20 minutes with you guys today, I can't go into as much detail as I'd like, but what I want to give you guys is one example of an MFA bypass technique that involves token dumping that is not super well known, and this technique allows for lateral movement from the on-prem into the cloud environment. The second thing I'm going to talk about is on-prem to cloud lateral movement techniques, but I'm going to talk specifically about skeleton key abuse. And then lastly we're going to wrap up the scene and talk a little bit about why do we care, where is it going, what can you do. It's not all doom and gloom, okay.

Okay, I think if you guys are on Twitter and if you work in IR or red teaming, you would have seen a lot of write-ups talking about token abuse or MFA bypass. What are tokens? Every single time you log into a resource in Azure, and by resource I mean things like Outlook, like Teams, like Yammer (I always use Yammer for some example, but I actually don't know anyone who uses it; maybe some people do, I can hear some laughing at me), so what happens when you put in your username and password and you approve the MFA token, Microsoft then issues you a token, and it's literally just a string that allows you and grants you access to the specific resource you want to access. The reason why this is a primary target for threat actors is because it circumvents the need for MFA. Once a threat actor has a token, no matter how many times you reset this person's password and reset the MFA, it doesn't nullify the access token; it only impacts the refresh token, which means the threat actors can still persist and log in as you, no matter if you changed your password 100 times.

I really like this write-up from the security researcher called mr.d0x. I've got the full link on the screen if you guys want to read his original write-up, but this is the technique, okay. Every single time you open up your laptop and you open up PowerPoint or you open up Excel, how does this application know that it's tied to lena@company.com and lena@company.com is the licence for this product? The reason is each one of these Microsoft Suite apps actually stores an access token in the memory space of the process. And so conventionally when we think about blue teaming detection techniques, well not historically, I mean even now, there's a lot of lexicon and conversations about "oh my God, look for dumping of LSASS, look at LSASS", but a threat actor doesn't necessarily need to go for LSASS if they're trying to infiltrate the cloud. They can create a dump of your Excel process. They can land, they can phish you. So let's say they phished you, they're on your PC, they can see you're talking with your friend on Teams, or they want to open up Excel, whatever it is, they target an Office executable. They create a dump of this process using the less sexy method of using Task Manager; you can use Sysinternals tools; you can use rundll32; you can look for any kind of LOLBin that has a MiniDump export function that you can abuse in order to create a little minidump. Once you create the dump, all you have to do is grep inside the dump file for the string "eyJ0", which is typically the starting point for something known as a JWT. A JWT is a JSON Web Token, and it's the encoded version of the access token embedded inside this process's memory. If you're a masochist, of course you can use WinDbg, but there's no need; you can just grep it and look for this string.

What you'll find, if you go home or go to your job and experiment with this on your PC, is you'll find multiple JWTs inside the application process. Once you iterate through the application process, you can use this website, jwt.io, and you can paste the string to figure out what this string even maps to, like what's this string for. So in this instance you can see this particular token that I've taken pertains to access to Outlook. So I've gone on this person's PC, I've dumped out Excel (a blue team's like "oh, what's this person doing, why is she dumping out Excel?"), I've taken the JWT, and it pertains to an access token to Outlook. And then from there it also tells you the permissions. So now I know: oh God, I got Lena good. I can log in as Lena, I can send email as Lena, I can read Lena's mail, I can do whatever the hell relating to the inbox as per those API permissions. I'm not going to go read them all out to you; I think it's pretty self-explanatory what each of these APIs does. But if you think about it, the access tokens that you steal are not just for Outlook. It could be for Microsoft Graph, it could be for SharePoint, it could be for OneDrive; it just depends on what JWTs exist in the memory space.

Okay, now I want to steal all of Lena's emails. All right, let's use Microsoft Graph to do that. All I have to do is send a POST request, paste in this token that I've stolen, pointed at the Graph API for messages, completely bypassed MFA, and it will completely spit out all of Lena's emails. I've redacted it for obvious reasons because I tested this on a corporate machine. As you can see, I've dumped out emails relating to stuff from December. Pretty cool.

Let's talk a little bit about lateral movement from on-prem to the cloud and some more sexy methods of doing so. There's three methods of hybrid authentication, sorry, there's three methods of hybrid model set-up that exist: you can use something called Entra ID password hash synchronization, you can do pass-through authentication, or you can utilize something called federation. Why do we care? Why am I sitting here giving you a sysadmin conversation around all these things? Because depending on the hybrid authentication model you pick, it leaves you vulnerable to a specific attack. For example, password hash synchronization: how this works is all your on-prem hashes are sent into Azure, or synced into Azure. This means a threat actor can man-in-the-middle the synchronization process and steal all the hashes in transit. The second method, pass-through authentication, means every single time I open up Teams in the browser, Outlook in the browser, whatever resource in the browser, I put in my username, put in my password, all the stuff I typed actually gets sent unhashed all the way back to a server sitting on-prem where there's a pass-through authentication agent that takes my credentials (by the way, unhashed, in plain text) and then says "okay, yeah, Lena's password's correct" and then allows me to access the resources that I want to access. This method is vulnerable to a skeleton key attack. The third method, federation, is where you open up a browser and you want to access a resource, and this resource goes "okay, I'm now going to take you to the organization's login page". When this happens, you know you're in a federation model. This method of hybrid authentication makes you susceptible to an attack called Golden SAML.

Why am I even pointing this out? I've seen blue teams create threat hunting hypotheses in a federation environment looking for an attack on password hash synchronization. It completely doesn't even make sense; it doesn't match the threat model. So knowing what kind of environment you're in, especially when you're doing an incident response, allows you to gain insight into what kind of attacks would even apply.

We're going to talk about skeleton key attacks, and the reason why I picked this attack to talk about today was because this attack was seen in the wild, leveraged by a Russian APT group back in August 2022. What these threat actors did was they created a backdoor that Microsoft named MagicWeb. And on the right, left, right, right and left, are they flipped? Okay, on the other side of the screen I've got a Twitter screenshot of an awesome security researcher called Doug Bienstock. I really recommend you guys follow him; I'm not sponsored to say that, I just think he has awesome research as well.

What is the skeleton key? For people who work in blue and red team, you would be aware of the concept of a skeleton key when applied to LSASS. A skeleton key is simply a technique where you take a process and you backdoor it, AKA injecting some kind of code into it that allows you to perform authentication. Now how the skeleton key attack applies to pass-through authentication is a threat actor, instead of focusing on LSASS, can focus on the Azure AD agent that performs the pass-through authentication, so the agent where every single person in the tenancy's passwords are being sent unhashed to, and the threat actors can backdoor this and sniff out every single password relating to all the logins.

How does this work? First, so the pass-through authentication agent sits on the server that manages the authentication, right, and the executable is always called (and I don't remember this off by heart) Azure AD Connect Authentication Agent Service. That is the executable name that you look for; it's always called this. You take this particular executable and you inject a DLL into it. Unfortunately we don't have time to talk about DLL injection methods, but you can inject your DLL into it and you can patch a specific API call, LogonUserW, which actually handles the check of whether or not your username and password is correct. And then when you patch the function, it's going to run your malicious code, and your malicious code can do anything. It could go "let's store every single username and password in plain text", "let's add a secret password called 'I love frogs' so I can log in as any user in the tenancy with the password 'I love frogs'", and it will automatically circumvent the authentication check. And then, in order for the actual function inside Azure AD (I'm not going to read the whole executable name) to continue flowing, it doesn't really need any information from that API call; all it looks for is whether or not authentication is correct or false. And so all you do is just forward the request on and then return the result, and it executes as per usual.

And the method that you do that is: this application, this executable, invokes a call to this Windows API; this Windows API we've hooked, and you can do this using an inline trampoline or whatever hooking method you want to use, and it runs our malicious code. Our malicious code then stores, man-in-the-middle logs, every single username and password that's ever typed in to access a tenancy, logs it into a file, adds it to a pipe, however you want to do the exfil, or you can add a secret password, and then literally just forward the request through to the next API and execution flows as per usual.

If you do not like to program and you don't like to build your DLLs, my wonderful ex-colleague Nestori built an awesome offensive framework called AADInternals. He's basically wrapped up everything I just said in terms of hooking, injecting a DLL and hooking the LogonUser API, and all you have to do is install AADInternals and just run Install-AADIntPTASpy, and it literally does the whole process in the back end. But I do recommend building it out yourself, because it's pretty simple to detect this tool. Now what his tool does is it creates a hidden folder on a user's machine and it will store all the passwords that someone ever typed into a little file. And in this instance Henry is just sitting in his bed trying to access Outlook at 7 a.m., doesn't want to work, types in his username and password, that gets fed back through to the pass-through authentication agent, the agent's already backdoored by the skeleton key attack, and it's pushing and logging everything into a CSV file in a hidden directory that a threat actor can use and abuse.

Actually, go back a step. The method that you can make this even scarier: a lot of the time blue teamers think about detection very statically, okay, technique one, let's detect this; technique two, let's detect this. But they don't think about what happens if you chain multiple different types of techniques together. For example, a threat actor could take their little Kali machine, or whatever machine they want to use, join this machine to Azure AD, Entra ID, and then download and install the pass-through authentication agent on their attacker machine, skeleton key their attacker machine, grep and steal, man-in-the-middle the passwords, and then remove this machine from Azure AD. You've now created a situation where there's an absence of logs pertaining to the skeleton key attack, because the attacker has done it on their own machine, but what you can see are signs of a malicious device join and maybe a download of pass-through authentication.

Now if you read a lot of the write-ups centred around more of these insidious attacks like skeleton key and Golden SAML, you'll come across wording and lexicon like "ADFS could have been exploited", "skeleton key may have occurred", and the reason for that is the difficulty of detecting these attacks is paramount, especially when it comes to an attack like Golden SAML, where the ADFS server, right off the bat, even if you enable verbose logging, will not actually log signs of you accessing the specific encryption key or exfiltrating the certificate from the system. These things aren't logged in the security logs; they're not logged at all unless you enable five to six different manual things in order to detect it, which makes detection for this extremely difficult. Especially when there are other techniques, like a threat actor can spoof logs that actually show up inside Entra ID, and so now it's almost like a snowball effect, right: you do one technique, you add another one, you make it more complex, and now with the scale of attacks that happen in the cloud it's very difficult to figure out what actually happened.

So what is facilitating these techniques and what can you do? We've already talked about the fact that there's a lot of cloud adoption; everyone's moving to the cloud, we know this. But the issue with logs inside Entra ID is that there's a lack of clear definition around what impersonation means on the Microsoft end. You see a token was used to log in, and the only method of figuring out if this is normal or not results in you having to focus on really low-level IOCs, like an IP or a user agent or something like this, but it doesn't give you contextual understanding of what's happened. And that's not Microsoft's fault, because on their end all they see is a legitimate token was used to log in, so they are just displaying the information that actually is correct.

Now another thing is a lot of people on-prem, or security teams, don't think about the server, the AD Connect server. They don't treat it the same way as their domain controller. You know, they think of the DC as the keys to the kingdom, but your AD Connect server is the key that grants a threat actor direct lateral movement straight into the cloud, and threat actors are capitalizing on the lack of knowledge and the lack of detections around it. Most of the detection rules and most of the conversations around the cloud for some reason are still centred on business email compromise and phishing and this kind of thing. It makes sense, because it happens all the time, but these other types of attacks are happening; it's just there's an education issue occurring. And then lastly, threat actors know that all your data is in the cloud. If you think about your normal day-to-day workflow, you're working on documents together with your team on OneDrive, maybe not OneDrive, SharePoint, or you're doing things in the cloud, you're chatting on Teams, you're sharing documents in Teams. Threat actors know this.

So some questions for you guys to consider, especially if you're in the blue team or in the red team, not the red team, a blue team, or you have an internal security team, are things like: what techniques is your blue team aware of? What techniques can you detect? And what is the level of logging that you have enabled in order to detect these attacks? I've seen multiple incidents where the incident responders go "okay, it's a cloud incident, let's just look at the cloud logs" without realizing that if it's a hybrid environment, half of the context actually exists on-prem. And then lastly, thinking about what logs are actually being stored. I'll give you an example: there was a recent write-up by Wiz around Microsoft exposing a SAS token that allowed access to data stored inside a storage container. Entra ID audit logs will not tell you what someone accessed in a storage container, neither will unified audit logs; this data is completely lost unless you have manually gone into the diagnostic log settings and enabled that audit-level detail.

So this is a little screenshot of an attack matrix that I built around six or seven months ago that highlights every single one of the attacks that impact Azure cloud or Entra cloud. I'm still getting my head around it. Unfortunately, you know, I'm limited in time, can't talk too much about everything, but I do have a training course as well that covers every single one of these attack techniques in detail, how to detect it and how to respond to it. Or you can just go on the website and download this for free; I've got this everywhere. And with that, thank you guys so much for listening. If you've got any questions, I'll be around during the break outside, so come say hi. Thank you.

[Applause]
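The token-decoding step the talk does on jwt.io (and the grep for the `eyJ` prefix before it), written up as an added Python example from the incident-response side: given a process dump recovered from a host, list which access tokens were exposed, what resource and delegated scopes each one grants, and whether it is still live at the time of triage. This is not the speaker's code or any of the tools she mentions; the dump bytes, the claim values and the token signatures are constructed for the demo, and the signature is never verified because the point is triage of an artifact, not authentication.

```python
from __future__ import annotations

import base64
import json
import re
import time

# Constructed claims, shaped like what the talk reads off jwt.io for an
# Outlook token (aud = resource, scp = delegated permissions, upn = user).
# Nothing here is a real token; the signature segment is a dummy.
DEMO_NOW = 1_700_000_000  # fixed "current time" so results are reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_jwt(payload: dict) -> str:
    """Build an unsigned, constructed JWT for the demo (header.payload.dummy)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     "constructed-signature"])


# Two constructed tokens: a live Outlook token and an expired Graph token.
DEMO_TOKENS = [
    make_demo_jwt({"aud": "https://outlook.office.com", "upn": "lena@example.com",
                   "scp": "Mail.Read Mail.Send User.Read", "exp": DEMO_NOW + 3600}),
    make_demo_jwt({"aud": "https://graph.microsoft.com", "upn": "lena@example.com",
                   "scp": "Files.Read.All", "exp": DEMO_NOW - 60}),
]

# Constructed stand-in for a process dump: tokens surrounded by binary noise.
DEMO_DUMP = (b"\x00MZ\x90\x00noise" + DEMO_TOKENS[0].encode() + b"\x00\x00"
             + b"\xff\xfe more noise " + DEMO_TOKENS[1].encode() + b"\x00tail")

# Base64url of '{"' is 'eyJ', so every JWT begins that way; three segments.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def find_jwts(blob: bytes) -> list[str]:
    """Return candidate JWT strings found in a byte buffer (dump, log, artifact)."""
    return [m.group().decode() for m in JWT_RE.finditer(blob)]


def decode_jwt(token: str) -> dict:
    """Decode header and payload only. The signature is NOT verified; this is
    triage of an artifact, not authentication."""
    head, body, _sig = token.split(".")

    def part(seg: str) -> dict:
        seg += "=" * (-len(seg) % 4)  # restore stripped base64 padding
        return json.loads(base64.urlsafe_b64decode(seg))

    return {"header": part(head), "payload": part(body)}


def summarize_token(token: str, now: float | None = None) -> dict:
    """What does this token grant, to whom, and is it still live?"""
    p = decode_jwt(token)["payload"]
    now = time.time() if now is None else now
    scopes = sorted(p.get("scp", "").split())
    return {
        "resource": p.get("aud"),
        "user": p.get("upn") or p.get("unique_name"),
        "scopes": scopes,
        "expired": p.get("exp", 0) <= now,
        # Mail.* scopes mean the holder can read or send as the user.
        "mailbox_access": any(s.startswith("Mail.") for s in scopes),
    }


def triage_dump(blob: bytes, now: float | None = None) -> list[dict]:
    """Exposure report for every token found in a recovered dump."""
    return [summarize_token(t, now) for t in find_jwts(blob)]


if __name__ == "__main__":
    for entry in triage_dump(DEMO_DUMP, DEMO_NOW):
        print(entry)
```

The `expired` flag is what decides the response: a still-live token in a dump means the resource in `aud` should be treated as accessed by whoever held the dump, and revoking sessions for that user is what closes the window, since, as the talk notes, a password reset alone does not invalidate an access token before its expiry.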