
From Red to Blue: Security Strategies in Azure

BSides SLC · 2023 · 27:09 · 42 views · Published 2023-12 · YouTube
About this talk
Anthony Hendricks explores Azure and Entra ID security from both offensive and defensive perspectives, covering authentication mechanisms, identity management, service principals, and common misconfigurations. The talk examines practical attack vectors including credential harvesting, golden ticket attacks, and reconnaissance techniques, alongside mitigation strategies for organizations managing hybrid on-premises and cloud environments.
Transcript (en)

All right, tech gremlins are out of the way. Everybody hear me all right? Disclaimer: I am filling in for somebody who originally had a talk, and I got called, what, three days ago to give this, so if it looks a little disorganized and so on, it is. I put it together and hopefully can offer some useful information to you. Feel free to ask questions, interrupt, raise your hand, whatever you want. To start off, who am I? My name is Anthony Hendricks. I started off my career at NSA doing all sorts of things for them; it was exciting work. I lived out back East for a little while. From there I

transitioned over to doing some training for the US government, both NSA, US Navy, and various other agencies. That was a lot of fun as well. I taught a lot of young kids at a boot camp, which was very interesting. I tend to wander, sorry. Then from there I moved over to red teaming, so I did penetration testing and red teaming as a contractor for the government for a number of years, and that was anywhere from DHS to DoD and various other agencies as well. And then I joined Stage 2 Security here in Utah, and that was my chance to move back home. I grew up

up in Logan and now live in the Salt Lake City area. So I joined Stage 2 Security, which is now UltraViolet Security, and UltraViolet is the combination of a bunch of different companies, and we have focuses in red teaming, pen testing, and then various other security services, MSP, that sort of thing. I've spoken at BSides a few times now; I've done training at BSides, I've done training at Black Hat. If you want to learn more about Azure and cloud security, I have a Black Hat course that Bryce and I teach. However, if it's on your own dime, reach out to me, we'll find

another way. If somebody else is paying for it, come sign up for our class. It's a lot of fun, we get a lot of good feedback, we update it constantly, so yeah, it's pretty useful. We focus on the three major clouds, so AWS, Azure, GCP, and pen testing and doing security assessments on those clouds. All right, so basics. Azure itself: Azure is a cloud platform. Its authentication mechanism is called Entra ID; that'll be a focus of a lot of what we talk about today. Compute, they call them virtual machines, pretty simple, whereas, you know, AWS is instances or GCP is like cloud instances. Where it

gets a little more fuzzy is their block storage is called Azure Blobs, so blobs indicate block storage, which is just general storage. Serverless is called Azure Functions; these can be Python, Node, and C#, I believe. So serverless means that you are providing the code, you're providing what you want to execute, and the cloud provider takes care of the rest. Container Services, well, Container Service is their container provider; they also have a Kubernetes service as well. They call their CDN a delivery network and their data warehouse SQL Warehouse. So we got some basic terms out of the way.

Entra ID, formerly Azure AD, and this is where I go into my rant every time about calling it Azure AD: it was a terrible idea because it had nothing to do with Active Directory, and so everyone who looks at Azure AD says, oh, I want Active Directory in the cloud, that sounds great, and that's what they treat it as. And then they'd get frustrated and annoyed and couldn't figure out what they were doing with it and end up doing things like assigning all permissions because they couldn't figure out how to navigate the permission set. And so I think calling it Azure AD was a big disservice to it.

So switching to Entra ID, I don't really care for the name, but at least it's not Azure AD anymore. But what is it? It's an authentication platform, and it's a web-based authentication platform, so you have all the typical web-based authentications that you're used to, like SAML and OAuth, OIDC, and then it's a user and permissions management framework, so you can assign applications to a user that's signing in through this framework. What it isn't: it isn't LDAP, it isn't Kerberos, it doesn't have a tree-based organization, so it doesn't have a hierarchy and inheritance like you're used to, and it doesn't have Group Policy. Now it does, however, tie into on-

premise Active Directory, if you wanted to use that on-premise Active Directory as your authentication source, well, as the source for users for your authentication, and this can be done through a bunch of different ways. There are pros and cons to each one. But the first one here, password hash synchronization, is quickly becoming the preferred method, and what this is, basically you have an agent on a computer that's joined to your domain and it takes a hash of the password hashes, so it hashes each individual hash and then it will store that in the cloud. So when you authenticate against Entra ID,

you're authenticating against this hash of a hash that's stored within the cloud, that's synchronized on a regular basis. It used to be that this was a one-way process, so the Active Directory on premise was your source of truth, and then if you wanted to update a password you had to go back to that Active Directory and change your password like you would normally. They've since added what's known as password writeback, which allows the cloud to reach back and change the on-premise password. So this has some benefits, but the primary one is that it's resilient, in that if this connection between the cloud and your on-premise

breaks for whatever reason, whether your internet connection goes down, whether the server that's running this Azure AD Connect goes down, it still functions, albeit it doesn't have updated passwords. So if somebody tries to change their password locally and that connection is severed, then the updated password doesn't get sent up to the cloud, but it does function if the connection's broken. The next one, pass-through authentication: this one uses another agent on your local network, and when you try to authenticate against a cloud service, it will pass that to the agent, the agent then contacts a domain controller, performs the authentication step, and

then it gets passed back up the chain, back to the cloud, and you get your approve or deny. This one, the disadvantage is if that connection goes down, so if your on-premise server goes down for whatever reason, authentication breaks because there's no longer that agent to pass the authentication over to the domain controller. The other interesting thing about this is this host now becomes a host that's doing all this authentication against your domain controller, and one of the things attackers love to do is get on a host that has a bunch of users active on it and run Mimikatz. Mimikatz can dump the cached credentials, so

credentials that are used in that authentication process will be stored on this host, so it becomes a target for attackers. The other interesting thing is you would be able to do things like the domain golden ticket attack from this one, because this host is generating Kerberos sessions over and over again; it has that information, the key material, there to dump the golden ticket and then mint your own Kerberos tickets. There have been some other, like, theoretical attacks talking about using process injection to inject into this AD Connect process and then proxy or extract out the usernames and hashes as they're being sent over to

the domain controller, but they're mostly theoretical. But the point is that these systems that are connecting to Active Directory should be protected at the same level as your domain controller, because they essentially have that kind of access. There's a final one which is very common, but nobody recommends it, and I think it's just because of this Active Directory confusion that happened with the name, and that is, it's called ADFS, Active Directory Federation Services, and basically you're inviting the cloud to be a tenant within your local Active Directory, and it has all the permissions and trust that you would expect to happen when you invite, you

know, a new tenant into your AD forest. And so while it sounds good on paper, because you're just eliminating all of the middlemen, all the middleware that's doing the proxying and all that, it's also accepting a lot of risk and a lot of complexity in my mind, because now you suddenly have expanded your Active Directory out and you have to be able to manage that. So almost everybody that I've seen write about it in the last, you know, three to four years has said that ADFS has only a very few cases where it's necessary, and they usually involve things like archaic hardware, like you're using some sort of smart card

authentication that hasn't been maintained in a long time, and so it only works against Active Directory itself, and so it doesn't support any of the web-based authentication to do your web authentication that would pass through the cloud; it's expecting you to do like a Kerberos and then use those session credentials. So it's quickly becoming obsolete in my mind; however, I see it all the time still. All right, so how do I find out if a domain is managed by Entra ID? And this is mainly for attackers, you know, if you're running a pentest and you want to check to see what cloud

services they're using, you use this URL right here. You replace it with a... it doesn't even need to be a valid user, it needs to be just the valid domain, so whether it's the domain that they use for email or if they have one of the .onmicrosoft.com domains. If you've seen those, well, that would be obvious, because you'd have onmicrosoft. But if they have a domain set up with Entra ID and you use this URL, put in a username at the domain, you'll get one of two responses. The first one is unmanaged, self-explanatory there; it basically is telling you, if we don't know what it

is. If you get some other value, and most of them say something like this, namespace type managed, but depending on the services they subscribe to and various other things, you may get a lot more information out of this, and there's a ton of information from AADInternals, which I'll talk about a little bit later on, you know, basically using OSINT-type methods, so open source, you know, no-authentication-type methods, to gather information about what's set up within a domain. They also helpfully provide you a valid account check. This is also free, as in there are no logging repercussions; there's no fear of

getting banned or anything like that. You visit this URL and supply a POST request with the username, and it'll come back and tell you whether it's valid or not valid. So if you're an attacker, my first step is going to be go over to a service like DeHashed where they have, you know, troves of cracked passwords and usernames, and start testing those usernames, see which ones are still valid, and then you'd have a list of potential passwords to use and valid user accounts. There's a tool based around this called o365creeper; all it is is a wrapper around this POST request, so you can do it yourself

or use this Python script, pretty easy. All right, service principals. They're also known as, well, service accounts from back in the day. So if you have like an application that needs credentials for something, you would provide it a service account and, you know, set up the permissions, so on and so forth. This is now called service principals within Azure and Entra ID, and basically the ideal setup for this is you tie it to an application instance, and when you're setting up an application, whether it's your own home-built application or something you're importing, there's a model that Azure uses to tie this together, and so they call

it resource groups. So you set up a resource group for your application; the resource group is designed to contain everything that lives within the lifecycle of that application. So if you have credentials like a service principal, if you have storage, a database, all of those things would be tied into this resource group, and the idea is that when you're done with the application, you want to tear it down, you delete the resource group and delete everything within it. That means you don't leave things like service accounts hanging around that nobody knows what they're for anymore. And that's, you know, there's plenty of times on a pentest we would come

across a service account that still exists, has domain admin because they didn't know what permissions it needed, and we'd use that to then, you know, walk through the network. And it, you know, happened more times than I can count, especially on well-established government networks. We'd walk in and run something like Responder and see accounts advertised, and then we'd be able to crack passwords; they'd usually have something simple because they didn't think about using password management, so they do a keyboard walk and call it good. And so this is the idea of a service principal, and tying it to an application was designed to remove this risk, or at least mitigate it a little bit, in

that when you remove the application, you remove the resource group and you remove credentials that are supplied with it. These service principals can have a few different methods for authentication: username and password like you're used to, certificates, and then there's something else we'll talk about, and managed identity. And what this is, is Azure can manage the credentials for you. So you have an application that needs access to, say, a database, which it can also control, and basically what you do is you set it up so that when your application needs credentials, it will contact the managed service identity endpoint and request those credentials. It will be supplied with a session

token and key which will be valid for, I think the default is 15 minutes, and you'll use those credentials on whatever service it is you're trying to access, so database, vaults, password or secret store, or something else, and then after that 15 minutes the token's invalidated and you'd need to request it again. Benefit to it: if you have, say, a vulnerability in your application that provides these secrets, they're only valid for a short amount of time, so at least the attacker has to go through the work of requesting them over and over again in order to get them. It also requires you to be able to

connect to the MSI endpoint, which is internal networking, it's Azure cloud magic, to set this up. So notice, if you can read that, it's kind of small, the MSI endpoint is actually running on localhost, but it's not running on localhost; that's just how it's provided to the compute instance here, and then you have to be able to do a POST request with the MSI secret that's there as well. So SSRF attacks are out, because you can't do a POST request; you know, external attacks are out unless you can get execution on the host to contact the endpoint. So like

I said, this is often used with Azure Key Vault. Key Vault is the secret store. I say Key Vault; lots of people just say Vault, but I like to use, you know, Azure names, Key Vault, and there's also HashiCorp has a product called Vault, and so I try to keep them separate because this is an Azure-specific product; it's not a, you know, COTS software. And basically Azure Key Vault is the secret store provided by Azure, and there's a few different ways to authenticate to Key Vault. So if you have an application that's older and doesn't support managed identities, or it runs, you know, someplace

else, so Azure Key Vault is accessible outside of the cloud. So if you wanted to use it for your on-prem services as well, you'd be able to do that, and so that would put managed identities out of the picture in terms of compatibility. So you have service principal and a certificate, these are X.509-type certificates, so you can use that, or you could use a service principal and secrets, which is just username and password essentially, and once you access that, you would be able to explore whatever is provisioned within Vault for that identity. And this is where we get back to the resource groups we were

talking about earlier. You can have items stored within Key Vault that are specific to a resource group, and once that resource group is removed, you can also remove these secrets stored within Key Vault, so you don't have secrets hanging out that nobody knows what they're for. All right, moving on from there, there's a concept called a consent grant within Azure/Entra, and what this is, is, I'm sure you've encountered it before, you know, it's not specific to Microsoft, Google also has it; it's an OAuth tool, and basically what it is, is you can provide an OAuth application permissions to your data, in this

case your data stored within Azure and Entra. And what this is, is once you accept the permissions request here, the consent grant, which is an Azure-specific term for it, you're providing some amount of permissions to this application, and these permissions can persist even when the user is not active on the system or within the application. An example of this is, everybody's seen the Calendly-type plugins where, you know, you can add a link to your email that says set up a meeting with me, and you click on the link and it shows you an anonymized calendar of, you know, free and busy times.

So what's happening in the background is that application has access to the user's calendar, and so when somebody else interacts with that application, it reaches out to the user's calendar data and then presents it. So it has many useful things, but the problem is that it's being abused quite a bit right now. So there have been several phishing campaigns around consent grants where they try to get the user to click on a link that takes them to an application, asks for permissions, and then once permissions are provided, they slurp all the data they can and pull it back and see what they can do with it. And this can

provide all sorts of things. It can provide the user's data, user's email, user's, like, SharePoint access; if they have specific access to service principals, so if they're provided access to a, you know, credential for something, that can be within scope of this. Microsoft has realized this, and over the last several months they've been restricting some of these higher permissions to what they call publisher-verified apps, which just means that Microsoft has verified that the company is a real company who produced the app, and I don't even know how stringent the process is. I'm betting it's they want you to send them an email from a domain associated

with the company, and that's probably the extent of it. But they have at least restricted permissions a little bit to some of the more sensitive ones, such as, you know, SharePoint access, and they also have a lot of work under the hood for your Azure admins under consent workflows. So if you have somebody within your org who grants consent to one of these applications, if it happens to be an application that nobody's seen before, that nobody else in your org has used before, you can have it run through a separate approval process where it maybe gets a second set of eyes before the actual permissions are

applied. But I would recommend regular audits of these applications. It's fairly frequent that I've seen applications that nobody understands what they are, and they have terrible names, and, you know, the user doesn't remember even clicking on the link. And so I'd recommend going through, auditing those on a regular basis, you know, so set a calendar event for, you know, every three months or something like that, and review the applications granted consent within Azure. Another interesting thing, especially if you're an attacker looking for methods for persistence, is this idea of guests and guest sync. So one of the interesting things about Entra ID is

that you can invite external users to be part of your org, and that means they have a Microsoft account through some other company, and you invite them to use those same credentials within your organization as well. That means you don't have to worry about managing a username, password, email address, any of that. They have access, and then you can set up, you know, whatever permissions they need in order to do their job. You know, a common case where you might do this is if you have like a parent company and a child company, something like that, where the child company needs to have people that can work in both systems, or something of

that matter. I've seen MSPs use this as well, so if you have like a security provider... oh, I'm way over time, apologies. All right, so guest sync: terrible thing if you abuse it. You can have external users, you can also have them automatically synchronized to a group within the remote org. Conditional access, talk to me about that later. MFA is cool. There at the end here is a bunch of tools that I just wanted to have on the slides for you to take a look at if you wanted to audit your security, so take a look at those; I'll post the slides up later. And then I also have

AzureGoat here, which is a fully deployable Azure environment where you can go through and practice techniques of stealing tokens to expand your access, so worth taking a look at. There is where I post the slides; I'll have them up a little bit later today.
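The two unauthenticated reconnaissance steps the speaker describes (checking whether a domain is managed by Entra ID, then checking whether individual usernames are valid via a POST request, which is what o365creeper wraps) can be scripted in a few dozen lines. The block below is an added example written for this page; it is not code from the talk, the slides, or o365creeper. The endpoint URLs and the meaning of the `IfExistsResult` codes are assumptions taken from public descriptions of the `getuserrealm.srf` and `GetCredentialType` endpoints (the slide with the URL is not in the transcript), and every sample response is constructed rather than captured from a real tenant. The parsing and triage functions run offline against those samples; `triage_users` makes live calls only if you do not pass a `fetch` function.

```python
"""Added example: offline handling of the two unauthenticated Entra ID recon
endpoints from the talk (domain realm lookup, username validity check).
Endpoint URLs and IfExistsResult meanings are assumptions from public
documentation; all sample responses below are constructed."""
import json
import urllib.parse
import urllib.request

# Assumed endpoints (shown on a slide that is not part of the transcript).
REALM_URL = "https://login.microsoftonline.com/getuserrealm.srf"
CREDTYPE_URL = "https://login.microsoftonline.com/common/GetCredentialType"

# Assumed meaning of IfExistsResult, as used by wrappers such as o365creeper.
IF_EXISTS = {0: "valid", 1: "invalid", 5: "valid-other-idp", 6: "valid-both"}


def realm_request(login: str) -> urllib.request.Request:
    """GET getuserrealm.srf?login=<anything>@<domain>&json=1.
    Only the domain part matters; the user part need not exist."""
    query = urllib.parse.urlencode({"login": login, "json": 1})
    return urllib.request.Request(f"{REALM_URL}?{query}", method="GET")


def parse_realm(body: str) -> dict:
    """Reduce a getuserrealm JSON body to what a pentester cares about."""
    data = json.loads(body)
    ns = data.get("NameSpaceType", "Unknown")
    return {
        "domain": data.get("DomainName"),
        "namespace_type": ns,
        "entra_managed": ns == "Managed",
        "federated": ns == "Federated",
        # Only federated tenants carry the redirect target (e.g. an ADFS farm).
        "auth_url": data.get("AuthURL"),
        "brand": data.get("FederationBrandName"),
    }


def credtype_request(username: str) -> urllib.request.Request:
    """POST {"Username": ...} to GetCredentialType; no authentication needed."""
    payload = json.dumps({"Username": username, "isOtherIdpSupported": True})
    return urllib.request.Request(
        CREDTYPE_URL, data=payload.encode(),
        headers={"Content-Type": "application/json"}, method="POST",
    )


def parse_credtype(body: str) -> str:
    """Map one GetCredentialType response to valid / invalid / throttled."""
    data = json.loads(body)
    if data.get("ThrottleStatus") == 1:
        return "throttled"  # back off; the IfExistsResult is not trustworthy
    return IF_EXISTS.get(data.get("IfExistsResult"), "unknown")


def triage_users(usernames, fetch=None) -> dict:
    """Classify candidate usernames (e.g. from a breach dump).
    `fetch` maps a Request to a response body; defaults to a live call."""
    if fetch is None:
        def fetch(req):
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode()
    return {u: parse_credtype(fetch(credtype_request(u))) for u in usernames}


# Constructed sample responses (not captured from any real tenant).
SAMPLE_MANAGED = json.dumps({
    "State": 4, "UserState": 1, "Login": "x@example.com",
    "NameSpaceType": "Managed", "DomainName": "example.com",
    "FederationBrandName": "Example Corp", "CloudInstanceName": "microsoftonline.com"})
SAMPLE_FEDERATED = json.dumps({
    "State": 3, "NameSpaceType": "Federated", "DomainName": "example.org",
    "AuthURL": "https://sts.example.org/adfs/ls/"})
SAMPLE_UNKNOWN = json.dumps({"State": 4, "NameSpaceType": "Unknown", "Login": "x@nope.test"})
SAMPLE_CREDTYPE = {
    "alice@example.com": json.dumps({"IfExistsResult": 0, "ThrottleStatus": 0}),
    "ghost@example.com": json.dumps({"IfExistsResult": 1, "ThrottleStatus": 0}),
    "bob@example.com": json.dumps({"IfExistsResult": 1, "ThrottleStatus": 1}),
}


def fake_fetch(req: urllib.request.Request) -> str:
    """Offline stand-in for the network: answer from the constructed samples."""
    return SAMPLE_CREDTYPE[json.loads(req.data)["Username"]]


if __name__ == "__main__":
    print(parse_realm(SAMPLE_MANAGED))
    print(parse_realm(SAMPLE_FEDERATED))
    print(triage_users(list(SAMPLE_CREDTYPE), fetch=fake_fetch))
```

Note the `throttled` branch: once the endpoint starts returning `ThrottleStatus` of 1, a "does not exist" answer means nothing, so a script that does not separate that case will quietly throw away valid accounts. That is the one thing a one-line wrapper around the POST request tends to get wrong.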
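The speaker recommends auditing consent grants every few months and singles out unverified publishers and broad permissions such as mail or SharePoint access. The block below is an added example, not code from the talk or from Microsoft: it ranks grants by those two signals from data an admin can export from Microsoft Graph (`/servicePrincipals` with the `verifiedPublisher` property, and `/oauth2PermissionGrants`). The scope weights are this example's own assumption, and the two service principals and three grants are constructed for the demonstration.

```python
"""Added example: rank tenant-wide OAuth consent grants by risk, offline.
Input objects follow the Microsoft Graph shapes for servicePrincipal and
oAuth2PermissionGrant; sample data is constructed and the scope weights
are an assumption of this example, not a Microsoft scoring."""
import json

# Assumed weights for delegated scopes that let an app act on the user's data
# while the user is idle (the mail / SharePoint cases from the talk).
RISKY_SCOPES = {
    "Mail.Read": 3, "Mail.ReadWrite": 4, "Mail.Send": 4,
    "Files.Read.All": 3, "Files.ReadWrite.All": 4,
    "Sites.Read.All": 3, "Sites.ReadWrite.All": 4,
    "Directory.AccessAsUser.All": 5,
    "offline_access": 2,  # refresh tokens: persistence after the user logs off
}


def score_grant(grant: dict, sp_by_id: dict) -> dict:
    """Score one oAuth2PermissionGrant against the service principal it targets."""
    sp = sp_by_id.get(grant["clientId"], {})
    scopes = grant.get("scope", "").split()       # Graph stores scopes space-separated
    reasons = [s for s in scopes if s in RISKY_SCOPES]
    score = sum(RISKY_SCOPES[s] for s in reasons)
    if grant.get("consentType") == "AllPrincipals":   # admin consent for every user
        score += 3
        reasons.append("admin consent for all users")
    publisher = sp.get("verifiedPublisher") or {}     # null when not verified
    if not publisher.get("verifiedPublisherId"):
        score += 2
        reasons.append("unverified publisher")
    return {"app": sp.get("displayName", grant["clientId"]),
            "appId": sp.get("appId"), "score": score,
            "scopes": scopes, "reasons": reasons}


def audit(service_principals: list, grants: list) -> list:
    """Return findings sorted highest-risk first."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = [score_grant(g, sp_by_id) for g in grants]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed export (object ids are placeholders, not real tenant data).
SERVICE_PRINCIPALS = json.loads("""[
  {"id": "sp-1", "appId": "app-1", "displayName": "Contoso Scheduler",
   "verifiedPublisher": {"displayName": "Contoso Ltd",
                         "verifiedPublisherId": "1234567", "addedDateTime": "2022-01-01T00:00:00Z"}},
  {"id": "sp-2", "appId": "app-2", "displayName": "App12345",
   "verifiedPublisher": {"displayName": null, "verifiedPublisherId": null, "addedDateTime": null}}
]""")
GRANTS = json.loads("""[
  {"id": "g-1", "clientId": "sp-1", "consentType": "Principal", "principalId": "user-a",
   "resourceId": "graph-sp", "scope": "Calendars.Read offline_access"},
  {"id": "g-2", "clientId": "sp-2", "consentType": "Principal", "principalId": "user-b",
   "resourceId": "graph-sp", "scope": "Mail.Read Files.ReadWrite.All offline_access"},
  {"id": "g-3", "clientId": "sp-2", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "graph-sp", "scope": "Sites.Read.All"}
]""")


if __name__ == "__main__":
    for f in audit(SERVICE_PRINCIPALS, GRANTS):
        print(f["score"], f["app"], ", ".join(f["reasons"]))
```

In a real review the two lists come from `GET /servicePrincipals?$select=id,appId,displayName,verifiedPublisher` and `GET /oauth2PermissionGrants`; the point of separating `score_grant` from the fetch is that the same ranking runs over an exported JSON file during a quarterly audit without needing Graph permissions on the machine doing the review.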