
Hi everyone, and thank you for joining today. I'm really excited, and I have a big light in my eyes so I can't really see your faces, which is good. Our topic for today will be advanced attack vectors in Azure environments. Unfortunately I was supposed to present it with my colleague Bill, but he had some passport issues and couldn't really come to the US, so his part of the session is recorded and we will see it later on. So stay tight, and I hope you will enjoy the session.

So before I begin, who are we? Both me and Bill live in Israel. My name is Zur Ulianitzky, I'm the VP Research at XM Cyber. My colleague is Bill Ben Haim, he's a security researcher in the team. We have the best experience in penetration testing, red teaming and actually a lot of research areas. Actually, Bill and myself met each other when we were young and practiced judo. We both were in the Israeli national team, and Bill used to beat me all the time, but now I'm his boss, so we're in a good shape.

So our agenda for today will start with some Azure fundamentals in order to better understand the different topics we will touch today. We will continue and talk about initial foothold, possible ways to get into Azure tenants. We'll continue and talk about two main use cases, each one composed of multiple and different abuses within an Azure environment. We will continue with best practices and some cool bypasses to different Microsoft security measurements that are set in place within the Azure tenant, and we will finish by introducing XM.

Perfect. So I will start by talking about some Azure fundamentals. I won't elaborate a lot about it because the couches look really good and I don't want you to fall asleep, but I will only touch on the ones that are really important in order to understand the topic today. So whenever we're talking about Azure in general, there are two main services that are important to understand. The first one is called Azure Active Directory, I guess most of you are familiar with it, and the second one is called Azure Resource Manager. In general, Azure Active Directory is where you manage all the different identities and principals within the Azure tenant. Those can be users, groups or applications, service principals, managed identities and so on. And within Azure Resource Manager we usually manage different infrastructure services provided by Microsoft, such as virtual machines, storage accounts, databases and so on.

It is important to understand that there is a high coupling between Azure Active Directory and Azure Resource Manager. This can be seen well in this diagram, where at the top we can see the Azure Active Directory service, which everything within Azure Resource Manager is actually associated to. So whenever you are applying any type of permissions, or doing any type of assignment within Azure Resource Manager, those are applied to Azure Active Directory principals which are managed within the tenant. There is a really common attack vector where you can abuse a user that has the Global Administrator role definition within Azure Active Directory, and you can actually elevate your permissions and get a role assignment of the User Access Administrator role definition within Azure Resource Manager. Using this role definition actually allows you to create new role assignments within Azure Resource Manager and actually compromise and get your hands on any type of resource within Azure Resource Manager.

Perfect. So I will continue and talk a bit about the permission model in an Azure environment, and I will begin with the resource manager. As you can see in the picture, role assignments within Azure are actually composed of three different main objects. The first one is called the security principal, and this can be a user, a group, a service principal or a managed identity. Within the role assignment, the security principal actually represents to whom we are going to assign the permissions. The second object is called role definition, and a role definition is nothing more than a set of permissions that you are allowed to do and not allowed to do. In this example we can see the Contributor predefined role definition, and we can see that the Contributor role definition has all the different possible permissions that exist within Azure Resource Manager; this can be seen in the Actions section in the image, and we're removing some authorization permissions, as you can see in the NotActions section within the role definition. The last object is called scope, and actually scope is where we are assigning the permissions and where those permissions are going to be valid. There are four different types of scopes that you can define within Azure Resource Manager role assignments. The first one, and this is the bottom one, is actually the actual resource that you have created, so by using it you can assign permissions directly associated to a specific resource such as a storage account, a database and so on. The second type of scope can be a resource group. So within Azure, whenever you create any type of resource, you must define the resource group which is going to host the resources. The next possible scope is called a subscription. Usually you are assigning your billing account per subscription, but in terms of role assignments and permissions this is just another layer that you can decide on within the scope. And the last one is called the management group, and this is just another top-level kind of scope that you can define within Azure which usually hosts everything below it. In general, it is important to understand that whenever we're assigning a permission, the permission will be inherited down to all the different scopes that we decided. So in this example we can see that the Marketing group received the Contributor role definition on the Pharma Sales resource group. This means that anyone who resides within the Marketing group will receive the permissions on the Pharma Sales resource group and any kind of resources that have been created and set within that resource group.

The next permission model is Azure Active Directory. As I said, Azure Active Directory and Azure Resource Manager are completely different services; they have a lot of similarities but some differences as well. So in terms of permissions it's really similar. You can see that we are again defining three different types of objects: a security principal, a role definition and a scope, where the scope is a bit different this time, where you can define the scope to be a tenant, an administrative unit or a specific Azure AD resource. In addition, there is a big difference between the maturity of those permission models, where in Azure Resource Manager you can create any type of custom role that you would like with any kind of permission, and within Azure Active Directory you can't really do it, and usually you're going to use the predefined ones. So I'm pretty sure some of you are familiar with Global Administrator, Application Administrator and so on.

Perfect, so I'm done with some fundamentals. In general, the different use cases that we will see today are starting with the assumption that we somehow could get our hands on some type of credentials or identity, so I just wanted to go over some basic ways in order to gain the initial foothold towards an Azure environment. So the first and the most common one is by using some social engineering attacks such as phishing, brute forcing and password spraying. This will allow us to get our hands on some credentials of users and then abuse the different permissions attached to them. The second possible way is by exploiting a vulnerability on a public-facing service such as a virtual machine. This will allow us to abuse an identity that is attached to that public-facing resource in order to start doing our lateral movement within the Azure tenant itself. Another possible and really common way is by actually buying some compromised accounts on the dark web. Those are pretty cheap and sometimes also MFA-claimed, so even conditional access or any type of MFA set in place can be bypassed by using this type of method.

Azure actually has a CLI tool that you can use which is called az CLI. Whenever someone is using that CLI, it is storing locally on the machine, on default paths, what can be short-term access tokens of users and clear-text secrets or certificates related to applications. So if the attacker has access to the internal network of the environment, it can locate those kinds of files, extract the credentials and then get the initial foothold.

Microsoft did a really good job integrating on-prem domain environments and Azure Active Directory. This is done by using AD Connect, which I will elaborate on in the next slide, but in general you can abuse those features in order to get your initial foothold. So one of the typical ways to do it is by abusing hybrid environments, where the same device is connected both to an on-prem domain controller and Azure Active Directory, and having a foothold on those kinds of machines can allow us to generate PRT tokens that will allow us to get our initial foothold into the environment. In addition, there are more capabilities that you have set in place within the Azure AD Connect utility, and you can abuse different types of SSO features in it in order to get the initial foothold.

Perfect. So as I said, Microsoft created a tool named AD Connect. The main purpose of this tool is to synchronize an on-prem domain environment towards Azure Active Directory. This synchronization is actually going to sync different types of users and groups that are located in the on-prem domain controller to Azure Active Directory. In addition, using this tool will allow you to authenticate using the same on-prem users to Azure Active Directory, and authentication can actually be done using three different types of authentication methods. The first, and the one that Microsoft recommends to use, is password hash synchronization. This type of authentication is actually synchronizing the on-premise NTLM hashes of the users to the cloud, and then all the different authentication and authorization validations are being done on the Azure Active Directory side. But there are many organizations that don't want or can't do the synchronization and take the credentials outside from the internal network to the cloud, and because of that Microsoft added two other types of authentication. The first one is called pass-through authentication, and whenever an organization is using this type of authentication, once the user enters their credentials, those are being sent to the on-prem domain controller, and this is the one who does the validation of the credentials. And obviously you can use ADFS in order to do the authentication. Later on in the talk, during Bill's recording, we will show a nice abuse of the pass-through authentication agent, but we will get to it.

Perfect. So we prepared two different use cases today. The first one is called "from external user to sensitive data", and for every use case we will start by showing what we configured in the environment in order to do it. So the prerequisite for this one starts with an Azure AD user with some reader permissions, and in addition we configured and set in place an Azure Active Directory application with some Microsoft.Web sites permissions. Those permissions will allow us to compromise a function app later on, so obviously we also need to have a function app set in place, and in addition we will assign to that function app a user-assigned managed identity, and we will give to that identity some permissions over a key vault that will allow us to read and get some secrets, and over some storage accounts that will allow us to list storage accounts themselves, storage account containers and blobs, and also read the files within them.

So this is a nice diagram we created that represents all the different types of things that we will do in this use case. We will start on the left side with the specific user. As I said, everything in this session is assumed breach, which means the attacker was able to get his hands on a specific user. Then, after some enumeration that the attacker will do with the user, he will be able to understand that he has some owner permissions over an application, and abusing those owner permissions will allow him to reset the secret related to that application and then authenticate as the application. Then the attacker will do some reconnaissance with the service principal associated to that application, and he will be able to understand that he has the permissions to add an SCM user to the function app, and I will touch later on what SCM is. With some more enumeration and reconnaissance, he will be able to understand that the same function app has a user-assigned identity attached to it, and because of that he can generate an access token for that identity and abuse it for additional lateral movement in the environment. And then the attacker will be able to read some blobs. The blob will be a protected zip file, and the protection password will be stored in the key vault, and we will see how we can enumerate and get our hands on the secrets and the sensitive file.

Perfect. So the attacker received, or bought, doesn't really matter, a user, and then he starts to do his reconnaissance in the environment. Most of the things we will show in this lecture will use the az CLI tool provided by Microsoft or some random REST requests that you will see later on. So the attacker actually starts by using the az ad app list command. This command lists all the different applications that have been created within the tenant. Doing so will reveal multiple applications, and the next thing the attacker would like to do is to check if he has ownership on any of those permissions. This can be done by using az ad app owner list and passing the ID related to the application that we wish to check, and we will see that one of the applications in the tenant is actually owned by the John user, who is the user that we are using right now.

Perfect. So the next thing that we're going to do is to add a secret to the application. This can be done by using the az ad app credential reset command, which will create in response a new password or secret related to the application. The next thing that we can do is authenticate as the application and check if the application has any more permissions set in place. So we have been authenticating with the application, and the next thing that we want to do is to do some reconnaissance within Azure Resource Manager. So anything you saw till now was against the Microsoft Graph API, which is the one behind Azure Active Directory, and from now on we are going to do some reconnaissance in Azure Resource Manager. So the first thing that we would like to recon is if our application has any role assignment attached to it. This can be done by using the az role assignment list command and providing the application ID, and as we can see, the application has in place a role assignment. The role assignment is on a specific subscription, which means that all the permissions are related to that subscription and any type of resource created within that subscription, and the role definition represented within the role assignment is called function app editor. The next thing that we want to do is to use the az role definition list command in order to see what kind of permissions we have in place related to this application, and this will actually reveal that the application has the function app editor role definition. As we saw earlier, this is a custom role definition, which means someone, which was me, created it behind the scenes, and we can see in the Actions section of the permission that we have some permissions over the Microsoft.Web provider, which is the one hosting the function app APIs.

So the next thing that we would like to do is to exploit the function app, and in order to do it we need to see if the function app actually has any type of function set in place. So by sending a REST command towards the Microsoft.Web sites endpoint, it will reveal that there is a function created within the function app named XM function that we can try to exploit later. The kind of exploit that we're going to do is adding a publishing user to the SCM panel, but before that we need to understand what the SCM panel is. Actually SCM is the administrative interface related to function apps, app services and logic apps, which is automatically created whenever you provision a new service which is one of those. Behind the scenes, the SCM is an open source tool called Kudu, so you can also check the code and what it does behind the scenes. And actually an attacker that has access to this administrative panel can execute some operating system commands on the infrastructure hosting the function app, can harvest some secrets, some passwords, some sensitive data from it, and most importantly can actually generate new access tokens related to the identities attached to this function app. So the next thing we want to do is to exploit the SCM panel and the permissions that we have. This can be done by sending this POST request that actually contains within the body another PUT request that the backend is going to send. This PUT request will be against the publishing users endpoint that you can see in the end, and within it we're going to generate a new SCM user; his username is going to be attacker xm12345 with some password, and as the result we will receive an HTTP 200 status code that actually says that the user has been created. And now we can try and authenticate with that user to the SCM panel of the function app. This will actually allow us, in the diagram, to continue jumping from the service principal that we created the password for into the function app. So we will surf using our browser to the SCM default URL, and with some basic authentication we will authenticate with the newly created user, and now we are residing within the infrastructure hosting the function app.

And we will start and do some more enumeration in order to see if the function app has any user-assigned identity attached to it, because if we do have it, we can try to create an access token for those identities and then abuse their permissions and do some additional lateral movement in the environment. So this can actually be done by sending a GET request to the sites endpoint and passing XM function, which is the name of the function app, and we can see in the response that the function app actually has a user-assigned identity attached to it. The name of the identity is key vault underscore storage account underscore reader, and there is the client ID related to this identity. The next thing that we will do is to create a PowerShell script that we will run using the SCM panel with the user we've just created. This script is going to create an access token for the identity that the function app has behind the scenes, so running this PowerShell script will create an access token that we can then use and continue our lateral movement with this identity. The next thing that we want to do is to create another PowerShell script in order to do some more reconnaissance. So we will start by doing the reconnaissance and listing if there are any storage accounts in the environment. Within a storage account you usually store some containers and blobs within it, which is the equivalent of the S3 bucket that I'm sure everyone here is familiar with. So this can be done by sending the following GET request to the storage accounts endpoint, and as a result we can see that there is a storage account in place named super secret stuff XM. Thank you. We will continue and do some additional reconnaissance on that storage account to check if there are any containers set in place. This can be done using this PowerShell script, which will send a get reques
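The Azure Resource Manager permission model from the fundamentals part of the talk (security principal, role definition with Actions and NotActions, scope inheritance from management group down to resource) is what makes the custom "function app editor" role and the Global Administrator to User Access Administrator elevation work the way the speaker describes. The following is an added example, not code from the talk, from XM Cyber or from Microsoft: a small evaluator that models how a role assignment is checked against an operation and a scope, so a defender reviewing assignments can reason about what a principal can actually reach. The principals, scopes, group membership and the "function app editor" role are constructed samples, the subscription ID is a placeholder, and the Contributor and User Access Administrator entries reproduce only the parts of the real built-in roles that matter here.

```python
"""Model of Azure RBAC evaluation: scope inheritance plus Actions/NotActions.

Added example (not the talk's code). An assignment grants an operation when the
role's Actions match it, none of the role's NotActions match it, and the
assignment scope equals the target scope or is an ancestor of it. NotActions
only subtract from the role they belong to; they are not a deny that reaches
across other assignments (that is what deny assignments are for).
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple[str, ...]
    not_actions: tuple[str, ...] = ()


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group, service principal or managed identity
    role: RoleDefinition
    scope: str  # management group, subscription, resource group or resource


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """Permissions are inherited downwards: an assignment at /a/b applies to
    /a/b itself and everything beneath it, never to /a or to sibling scopes."""
    assigned = assigned_scope.rstrip("/").lower()
    target = target_scope.rstrip("/").lower()
    return target == assigned or target.startswith(assigned + "/")


def _matches(patterns: tuple[str, ...], operation: str) -> bool:
    # Azure operation strings are case-insensitive and use '*' as a wildcard.
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)


def role_permits(role: RoleDefinition, operation: str) -> bool:
    return _matches(role.actions, operation) and not _matches(role.not_actions, operation)


def granting_assignment(principal, operation, target_scope, assignments, membership):
    """Return the first assignment that grants the operation, or None.
    membership maps a principal to the (flattened) set of groups it belongs to."""
    identities = {principal} | set(membership.get(principal, ()))
    for a in assignments:
        if a.principal in identities and scope_covers(a.scope, target_scope) and role_permits(a.role, operation):
            return a
    return None


def is_allowed(principal, operation, target_scope, assignments, membership) -> bool:
    return granting_assignment(principal, operation, target_scope, assignments, membership) is not None


# Built-in roles, reduced to the entries relevant here (Contributor's real NotActions list is longer).
CONTRIBUTOR = RoleDefinition("Contributor", actions=("*",), not_actions=(
    "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"))
USER_ACCESS_ADMINISTRATOR = RoleDefinition("User Access Administrator",
    actions=("*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"))
# Constructed custom role in the spirit of the talk's "function app editor" (action names are illustrative).
FUNCTION_APP_EDITOR = RoleDefinition("function app editor", actions=(
    "Microsoft.Web/sites/read", "Microsoft.Web/sites/functions/read", "Microsoft.Web/publishingUsers/write"))

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
PHARMA_SALES_RG = SUBSCRIPTION + "/resourceGroups/pharma-sales"
PHARMA_STORAGE = PHARMA_SALES_RG + "/providers/Microsoft.Storage/storageAccounts/pharmadata"
MARKETING_RG = SUBSCRIPTION + "/resourceGroups/marketing"
MARKETING_STORAGE = MARKETING_RG + "/providers/Microsoft.Storage/storageAccounts/mktdata"
FUNCTION_APP = SUBSCRIPTION + "/resourceGroups/apps/providers/Microsoft.Web/sites/xmfunction"

MEMBERSHIP = {"john": {"Marketing group"}}  # constructed: john is only a member of Marketing
ASSIGNMENTS = [
    RoleAssignment("Marketing group", CONTRIBUTOR, PHARMA_SALES_RG),  # the talk's slide example
    RoleAssignment("app-sp", FUNCTION_APP_EDITOR, SUBSCRIPTION),     # the compromised application
    # Elevating access as Global Administrator yields User Access Administrator at the root scope "/".
    RoleAssignment("elevated-admin", USER_ACCESS_ADMINISTRATOR, "/"),
]


def run_demo() -> dict[str, bool]:
    storage_read = "Microsoft.Storage/storageAccounts/blobServices/containers/read"
    ra_write = "Microsoft.Authorization/roleAssignments/write"
    checks = {
        "john reads containers in pharma-sales (inherited from the RG)": ("john", storage_read, PHARMA_STORAGE),
        "john reads containers in marketing (sibling RG, not covered)": ("john", storage_read, MARKETING_STORAGE),
        "john writes a role assignment in pharma-sales (Contributor NotActions)": ("john", ra_write, PHARMA_SALES_RG),
        "app-sp updates the publishing user": ("app-sp", "Microsoft.Web/publishingUsers/write", SUBSCRIPTION),
        "app-sp deletes the function app": ("app-sp", "Microsoft.Web/sites/delete", FUNCTION_APP),
        "elevated-admin deletes storage (UAA only has */read on resources)": ("elevated-admin", "Microsoft.Storage/storageAccounts/delete", PHARMA_STORAGE),
        "elevated-admin writes a role assignment on any resource": ("elevated-admin", ra_write, PHARMA_STORAGE),
    }
    return {label: is_allowed(p, op, scope, ASSIGNMENTS, MEMBERSHIP) for label, (p, op, scope) in checks.items()}


if __name__ == "__main__":
    for label, allowed in run_demo().items():
        print(f"{'ALLOW' if allowed else 'deny ':5} {label}")
```

The last two checks are the point of the Global Administrator elevation the talk mentions: User Access Administrator cannot touch a storage account directly, but it can write a role assignment on it, and with that it can grant itself or anyone else whatever resource role it likes. When reviewing an environment, feed the real assignments (for example the output of az role assignment list and az role definition list) into the same evaluator and ask the same questions.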