
Hello everybody, besides Cayman... my goodness, super cool to be here. Any conference that I have to, like, blow the sand off of my laptop for is a good place, and it's a place I want to be. So thanks for attending. I want to give a massive, massive thank you to, like, all the organizers, James, RJ, everybody who put this together, the staff, the crew. This is an outrageously beautiful island, and it's an outrageously... set of people that I've been putting... excuse me, let me try, take two. Action. I'm nervous. It's an outrageously kind set of people who have been putting this together, so I just want to say thank you for that.

So welcome to the talk. We're off to a bad start. In fact, this is kind of embarrassing, because this isn't a technical talk at all. So if you want a technical talk, this probably isn't the place to be. This is actually a therapy session, because I've been going through a bit of an identity crisis lately. Let me be a little bit more specific: I've been going through one million plus identity crises lately. This is Identity Crisis: Combating Microsoft 365 Account Takeovers at Scale. Through this talk we're going to learn a little bit about the attack surface of Microsoft's implementation of the cloud, their system of authentication and identity, what attack primitives lead to exploitation of that attack surface, and how we can combat it and hunt it at scale. So this is a technical talk. I was just kidding; that's a dumb joke that I throw into the presentation.

Agenda today: we're going to talk just briefly about who am I, a little bit about framing the problem, why we're here, what the attack surface of Azure and M365 and Entra kind of looks like. We'll talk a little bit about our key telemetry sources; if you want to hunt this stuff down, you need to know where to look in the first place. And then we get into the fun part of this, which is the attack and defense section, which is where I kind of, sort of... let me phrase this the right way... teach you how crimes are done. I'm not teaching you to do crimes; I'm teaching you how they're done. There's a big difference. I don't condone crimes. We'll talk a little bit about session token theft, credential theft, OAuth consent grant attacks, device code phishing, and then we're out. Should be a quick 50 minutes, and then I'd like to leave some time at the end for questions.

That's not me. That's me. So, real quick, my name is Matt Kiely. I'm one of the principal security researchers at Huntress. I am their lead researcher for their identity detection and response platform. Former theater kid, former red teamer; I used to red team banks in my pajamas, all legal, all ethical, I assure you. Malware reverse engineer; I teach reverse engineering at TCM Security Academy, Practical Malware Analysis and Triage. I like to say I'm a bow maker, because if the Huntress SOC are the archers, I make the bows, right? And I guess the arrows, in that analogy. I was at MIT Lincoln Laboratory, at SimSpace, I was in the Marine Corps, and I hiked the Appalachian Trail last year. I've got two great, amazing cats and an amazing wife who happens to be in the front row right here, so hey.

So let me start out by kind of
framing the problem here, even before we get into kind of the technical stuff. I want to start by saying this is James Bond. I think we all... wait, no, I'm sorry, this is James Bond. Yeah, no, that's not even right. I'm sorry, this is James Bond. There we go, this is James Bond. James Bond is the best spy that never existed, right? If there's a mission assigned to him by M, he's going to figure out a way to do it, and he can basically get the job done. And James Bond is a fantastic representation of what my adversary is not. All right, now that's very important, because when we get into the topic of red teaming, penetration testing, adversary emulation, not all of those things are equal all the time, because a red teamer, a pentester, an adversary emulator may pick a level of tradecraft associated with the common adversary for that given organization. And I protect the small to medium businesses at Huntress, and so the good news is that the adversaries of the small to medium business are not James Bond. I'm not fighting your nation state, I'm not fighting your advanced persistent threat, whatever that means anymore. Here's the bad news, for me at least: the adversaries of the SMB aren't James Bond because they don't have to be, right? So this frames some of the attack and defense that we'll be talking about here in a moment, because a lot of the time adversaries of the small to medium business are very predictable and they operate in predictable patterns. And it actually is summed up by Dray Agha, who's the lead of our SOC, who says in one of the blogs that we've released (most of the tradecraft that we've documented in this blog post... it doesn't exactly matter what that blog post is) that it isn't novel, original, or outstanding; cyber criminals are rarely sophisticated, and the infosec community can beat them together through data analysis, through implementing defensive technologies. So we start from there, because I pay a lot of respect to the advanced red teamers. I was a red teamer at a bank, so the hoops that I had to jump through to even, like, stay alive on the endpoint in the first place were absolutely insane, and got harder by the week. But we're not really dealing with that here, and we're not really dealing with that in the cloud space for the SMB. I would say that the adversaries of the SMB are a little more like your average run-of-the-mill car thief, like just checking door handles to see if the car is open, and if the car is open they open the door, they grab something on the inside. That's really more who we're dealing with.

All of this is to set the stage. We're going to talk a little bit about attack and defense in a general sense, but just keep that in mind, that that's kind of the land that I come from right now. So I started red teaming big, big enterprises, like multi-billion dollar corporations, the Fortune 500, banks, and it took an adjustment for me to know what's going on in the SMB, because I was like, really? That works? Wild. But anyway, I digress. What I really want to get across is that most of the time my customers, and I bet a lot of people in this room maybe would identify with this, my customers will not get a second shot at this. They're small business owners. This is like your doughnut shop on Main Street, this is your auto body repair shop, this is like your strawberry milkshake... like, there's small business owners that probably sunk all the money that they did have and did not have into their business, and so a single identity attack might cost them an amount of money that puts them out of payroll for an entire month or an entire quarter. And that really means... we could apply that to ransomware, that if a small business owner gets ransomed, they could easily be out the money that they had for pay, but that also applies to the identity space, because business email compromise
is the thing that we're fighting most often, right? If you're not familiar with business email compromise, let's frame the problem here. Business email compromise... I'll just get all of these on the screen now, won't I? There we go. Business email compromise: imagine that you are a small business owner and you need to pay somebody's invoice, or maybe somebody's paying you for services, and a threat actor injects themselves into your email conversation about where an invoice needs to get routed. And so they will hide the emails away, and then they will wait for some kind of financial transaction to go on. This is the one we see most commonly. There's also, like, a spam element, but this is the one we see most commonly, and that money gets rerouted to some kind of offshore platform. And does anybody know what it's like to try to reverse a wire transfer? You can't do it. More or less, you can't do it. But here's the thing: in the identity space, business email compromise attacks, that's like the ransomware of the identity space, right? But they don't just happen, and ransomware doesn't just happen. A threat actor doesn't snap their fingers and say "ransomware." Business email compromise doesn't work like that. It's almost like that, but it doesn't really work like that. So what we need to do is, any place along the attack chain that there's a good time to forestall a business email compromise attack, we need to crack down on that. And the biggest place, the biggest attack surface here, is in initial access, or account takeover. There's the definition from the Microsoft fraud team right there, but effectively this is initial access. In the cloud space we can broadly classify it as account takeover. So in my nice little unscientific graph of the attack chain, we are right there at the initial access point.

And to lay out the kind of topography, or the topology rather, of where we are, in a concept sense, because the identity space can be kind of confusing: people, I think, generally understand the endpoints and what goes on, because you have the computer right in front of you, but the identity space, for some reason... I mean, it took me a while to wrap my head around it, because I was so used to the endpoint space as well. So where we are today for this talk is right here. Entra ID is the authentication core, the backbone in an authentication sense, for all of Microsoft's cloud services, and we in the small to medium business, and by extension the work that I do at Huntress, we are in the productivity suite of that cloud infrastructure. They're all applications the small business owner may be familiar with: PowerPoint, Excel, Yammer if they're a psychopath. But they may not understand that everything that they're doing ties back into this core architecture of Entra ID and the authentication that that provides. So that's where we are, and every now and then we are also here as well: we are in the on-premise area, because Microsoft saw fit to allow businesses to hook their cloud resources into their on-premise resources as well through a whole bunch of means, and there's an entire presentation's worth of assumptions and things we could get into about that. But just from a high level, we are in the Microsoft cloud space, working in the
productivity applications of the Microsoft cloud space.

Key telemetry sources. If we want to hunt this down at scale, where do we need to look for this activity? You need to be very familiar, as a defender, with where to look for these account takeovers. I have, like, three that I would give you, and I always miss the third one, so John Hammond, if I miss the third one, please just, like, yell at me or something, or throw a water bottle at me or something.

First is the Entra ID logs. So you can go to the Entra ID portal and look at the sign-in logs. There are the service principal sign-in logs, that's like your application sign-in logs; there are the interactive sign-ins, the non-interactive sign-ins, and the managed identity sign-ins. Most of your account takeover, business email compromise stuff lives in the interactive user sign-ins, because a threat actor will get access to an inbox and then they'll masquerade as that user and then run their playbook like that. Now, the Entra ID sign-in logs give us a wealth of information. They can tell us if MFA was used to log in for this particular identity. It gives us IP addresses, it gives us all manner of other things, the user agent, very important. I'm very jealous of my endpoint researchers, because they get tons of very interesting telemetry to work with. Opposite world over here: the telemetry of the identity space is scant. It's not that... there's really not that much of it. We need to make a little go a long way in the defensive realm for the identity space. So something like the user agent, which is, well, like, you know, fudged by a threat actor, can actually mean the difference between detection and not detection. See the resource that they accessed there. Just looking at the other ones, but yeah, there's not a lot here, so we've got to make this kind of work.

Second place to look is the unified audit log, and this is over on the M365 side of the house, the... I think they call it, like, Purview. If you wait 15 minutes they're going to call it something new. So this is over... you can, like, subscribe to this by calling the management API, or you can go to the actual UI and, like, look through this, and you've got to punch in some search terms, but you can get some pretty good information here: IP addresses, the user (that's my test bed tenant, Husky Works), and yeah, just more information. So again, scant telemetry; we're not off to a great start.

I'm sorry, I didn't forget this time, John, you don't have to throw something at me. The third place, it's kind of an identity telemetry source, is the Graph activity logs, the Graph API activity logs. If you're not familiar with the Graph API, it is a REST API that Microsoft allows you to call. If you authenticate to it, you can get JSON responses, essentially, of lots of different types of resources: people's inboxes, people's emails, their user account information, all kinds of stuff. You have to authenticate to that, but everything after that point is a REST API: it's POST, it's GET, it's POST,
it's GET. So, okay, who knows what this is? This is probably the most important diagram in this entire presentation. This is, formerly, my nemesis. This little raccoon guy... this makes me laugh every time I watch it. No, this is session token theft, okay? Formerly my nemesis. And this is the first attack we're getting into in the attack and defense portion of this talk now.

So what is session token theft? Sessions are that wonderful little technology that allows a user to provide their username and password, and MFA if applicable, and then the resource provider says, okay, you're good, you don't need to keep re-authenticating, because it's a usability feature. So, like, for Microsoft it's bad for business if you have to keep logging into M365 to, like, check your email. So they just stash a cookie in your browser and they say, you don't have to keep giving me your username and your password and your MFA, just use this cookie, and we're going to keep it in your browser. So there are two variants of this, active and passive. We're going to get into what those look like, but effectively they do the same thing, just in different methods. If a session represents a username, a password, and MFA if applicable, you may have put two factors in to get that session, but the session token itself is single-factor access. A session token is basically just a long-ass password that you don't need a username to use, right? So if you find these or you steal these, the thesis of exploitation becomes very simple: steal the token, steal the session, you get to log in.

So here's a little table. Not all of this is super important, but I'll just highlight the really important stuff: the system of tokens that Microsoft uses for the backbone of this authentication schema. Well, there's kinds of different tokens, right, and some of them are more useful to attackers, some of them are less useful to attackers, but roughly speaking we're going to be in the refresh token area in this talk today. But all of these, every type of token that you see on the screen right now, can be used to do damage in some kind of account takeover or business email compromise scenario, especially the primary refresh token; that one's the really scary one. But we'll talk specifically about these two today, and these two are refresh tokens. So they're not, like, different than an access token or a refresh token; these are types of refresh tokens, and these are what get stored in the browser when you authenticate: ESTSAUTH and ESTSAUTHPERSISTENT. And most of the cybercrime that impacts the SMB generally centers on one of these two tokens. One of them is good for 24 hours, one of them is good for 90 days. They are stored in your browser, and that means that if I somehow procure those, then I can replay those, inject them into my browser session. Actually, you know what... oh yeah, this is interesting too: the pyramid of refresh tokens, or sorry, the pyramid of tokens. Basically, anything in the lower rungs you shouldn't be able to trade in for anything in the higher rungs, but you should be able to trade something in at the higher rung down, right? So if you have a PRT you can get a refresh token; if you have an access token you shouldn't be able to get a refresh token, and, you know, accordingly. There's some exceptions to this, and I recommend... Dirk-jan Mollema does a fantastic job of breaking down where this kind of falls apart, so if you're interested in learning about how, like, you know, malleable the system is, you should go to that YouTube link right there and watch it.

But instead of just, like, showing you tables and stuff, let's see how tokens are actually stolen in the SMB, right? And like I said, this is the time of the presentation where I tell you how crimes
are done. Again, very careful wording there. I said earlier there were two variants of this: passive session token theft and active session token theft. While the end results of both of these are roughly the same thing, the method differentiates the two. Passive session token theft is essentially dumpster diving; that's my shorthand for that, dumpster diving. So if you promise not to use this information for evil, I'll tell you that you would go on something like Mullvad VPN, which is fantastic because they do not keep any logs of your activity, supposedly. I don't know if I trust that. But you go on Mullvad VPN and you go to these Telegram channels, and if you don't know where to look for these, BreachSense actually has, like, a list of them, incredibly. You make a burner Telegram account, you go on Telegram, and you find one of these log dump sites. What are these log dump sites? Well, they are the logs, and sometimes they're sold, but sometimes they're available freely. They're the logs of the Redline stealer. Who's familiar with the Redline stealer? Yep, it's a blight, it's an absolute blight on the industry. So you go, you make a burner Telegram account, and then you'll go and find one of these dumps, and these are just plain-text dumps. So this is when somebody accidentally runs some kind of malware like the Redline stealer, all of their file system gets scraped, essentially, and all of that information gets posted somewhere on the dark web or one of these shady Telegram forums. And you just go find one, the Bor October 2359 logs right here. We're going to go and open this up, and again, you're dealing with... you're in a den of thieves at this point, so I'd be very careful with, like, where you open this up, and you know, you might get more than you bargained for there. But assuming that you handle it safely, the next thing is to just plain-text search for one of these tokens, and this is what it looks like when you do that. And so we see our ESTSAUTHPERSISTENT cookies are right there, and that basically means that that big blurred-out spot is the text of the token that I would need to access somebody's account. I don't know who this is, I'm just dumpster diving. I'm hoping that I'm going to get lucky in terms of finding something that will lead to some kind of financial payday for me, right? And then, finally, this is how to actually do crimes, so this isn't even how crimes are done at that point: you would then inject it into your browser. But I warn you, don't do that, that's an actual crime, and that's on you. But that's it, right? I could teach anybody in this room how to do that in 10 minutes. Like, let that sink in for a second. That's simple, and if there's no defensive technology standing in between you, if there's no conditional access policies, and Microsoft paygates those, so you know there probably isn't (a small business owner is usually not going to have Business Premium or above), that's it. That's a payday for an attacker. They then just wait; they go into your inbox and they wait for some invoice to come through, or they spam out to everybody in your contacts list or something like that. So that's passive session token theft, that is dumpster diving. If we need something a little bit more targeted, that's where my good friend active session token theft comes
in. It assumes some kind of interaction with the user. If you're pickpocketing somebody... like, if you get pickpocketed, you can basically assume that somebody at some point, like, grabbed your wallet or something like that, right? So this is like phishing with a transparent proxy. We're going to talk a little bit about OAuth consent grant attacks and device code phishing here in a moment; both of those kind of fall into that category. Even if you have a command and control beacon on the endpoint and you dump out credentials and you happen to find some access tokens, that's also kind of like pickpocketing, isn't it? It assumes that you had access.

But from there, who knows what this is? John does. This is my good friend Evilginx. I love this guy. He was my best friend when I was a red teamer; I hate him now. Adversary in the middle. So, adversary in the middle, and I want to caveat by saying Evilginx is one way that you can do this. It's actually not the most common in the small to medium business, at least in the telemetry that I've seen; more common than this are the phishing-as-a-service kits. But anyway, I digress, I'm getting ahead of myself. You set up infrastructure that transparently proxies any kind of interaction. Now what that means is that you have to trick a user: instead of going to login.onmicrosoft.com or microsoftonline.com, I forget which one, instead of going to the actual Microsoft page, you have to trick them into going to your page. You can do that any number of ways, but once you're there, that transparent proxy takes all of the packets of this transaction and just routes them right along. I'll actually just show you how this looks. Legitimate login: username, password, MFA, because somebody has their phone, punches in the MFA code. Microsoft goes, looks good, here's your ESTSAUTH token, store this in your browser, and you can just log in next time without providing all of that stuff. And that's what they see. But if I'm the adversary, I might have their username, because that's very easy to find; a little OSINT, you can find that. I might have their password, even; maybe they had some kind of breach, they left their credentials lying somewhere, or maybe they ran a binary they weren't supposed to run, or maybe they're just reusing passwords and some other service already got breached. But if I don't have that device, if I don't have that MFA code, I might be able to, like, call them or email them to try to get that MFA code, but you're on the clock at that point as the adversary. So what do you do? Now that makes them mad, of course, because the hardworking adversary trying to get a payday, what the hell, right? So what they do is they take this technology, you can find this on GitHub, it's open source, and they stand it up at some.evil.site.com, and then they're going to, like, socially engineer the user and say, hey, there's something really weird going on with your account, please log in here and we'll go ahead and give you more instructions. And again, your pretext for this, it could be anything. It could be a Teams message, it could be an email, what have you. As long as they go to that site, this is what they're going to see. But is this the real Microsoft login page? No, it's not. It is, it is, but it is routed through a transparent proxy, and just like every other proxy that you've ever seen in your life, if traffic hits your proxy and then exits your proxy, you can inspect what's going on inside of that traffic, assuming there's no, like, you know, extra layer of encryption below TLS or something like that, or above TLS, anyway. So what you have to do is just get them to go to your site, and they will see that login page and they'll ferry their username and password, but then Microsoft says, okay, hey, looks good, but do you have your MFA code? And Evilginx at this point will just say, oh great, do you have your MFA code? And the user says, yeah, I absolutely do, here's my MFA code, and Evilginx just ferries it right along. Adversary in the middle, makes sense? So Microsoft says, looks good, here's your session token, but if you're sitting at the console of Evilginx when this happens (and again I'm abstracting this, Evilginx is just a placeholder, this could be any of the phishing-as-a-service kits, EvilProxy, NakedPages), that's what you see, and that is the token that was transacted there, and once I have that token I am then able to authenticate as that user.

And hot tradecraft alert: HTML smuggling plus adversary in the middle. This goes a little deeper, and if you want to read more, we wrote a blog about this, Smuggler's Gambit. So this is the first time that we had seen it in the small to medium business, but effectively I found a file that looks like this, and I opened it up locally, and this is what I saw. And this is the Microsoft login page, right? But how does that work? It's the live login page, but it's a local file. If you see all the way up at the top there, that is my local file path; it's going to say Users, husky, whatever. But how am I seeing something that represents... it looks like it's cloned, maybe, but when I put my username and password into that block, it rendered the company logo that I was logging in with, for my own test bed, so I knew that it was actually live. This is an iframe; it's injected into the local instance of that file. So instead of phishing somebody with a link, you phish somebody with an HTML file, and you say, just open this up, log in, and again, if I'm a small business owner and I don't know anything about this, I'll be likely to fall for that. So it dynamically grabs the login page, it reassembles it within that local file, and then it, like, tees the... or it, like, redirects the token once the token is generated. Anyway, that's a fun one.

Okay, so at this point in the presentation you're probably saying, all right Matt, that's great, I know you're a red teamer, cool, you can do all these cool hacks, whatever, how do I defend against this? And it would be against my ethos to say, that's your problem, I'm done, see you later. I don't run like that. Okay, so detection chemistry. This is, like, a ham-fisted metaphor that I
use, which is that in the identity space we have to, like I said, make use of the limited telemetry that we get. So we don't have a lot to go on, but if we kind of, like, look at these, if we cluster and correlate and strategically pick what we focus on, I think we get a lot of mileage out of the telemetry that we have for the identity space. And so, like I said, ham-fisted metaphor: I think of this literally like chemistry, where the sum of the chemical elements is way more than just the individual chemical elements themselves. So, metaphor: session ID, device name, location, IP address. IP address is an interesting one, because you'll get... or, IP in comparison to location, those are interesting because you'll get an IP, and a location is implied by that IP, but it's never super accurate, so you've got to be careful with that one. User agent, device properties, device ID, and the session ID one is actually super interesting. Right, now we have our chemical elements, but if you want to really throw some, like, fuel on the fire, you add the reagents. What are the reagents in this metaphor? Enrichments. An IP address, like I just said, implies a geography, like a country-level location or a state-level location or something like that. It may not be accurate, though, because what if I just use, like, a Tor exit node that happens to be in the United States? If you don't know that that's a Tor exit node, then that's going to look like it's coming from the United States. So when you try to identify anomalies for your users, hackers know that if they're targeting somebody in the US, they should probably find some kind of VPN exit node (Mullvad VPN, remember, Tor) that exits in the United States. They know that. So what you have to do, and there are, like, paid services that do this, but you can find this, like, open source, is just, like, enrich your IP telemetry with locations, VPNs, Tor exit nodes, proxy exit nodes, data center infrastructure. Should your user be logging in interactively from a DigitalOcean droplet? I don't know, that's a question you have to ask yourself, but if you don't have that data in the first place, you won't be able to make that determination.

So let's talk through, like, the actual strategy of how we would use this, because we have the chemical elements; how do we actually do the chemistry? So let's say, in the... our assumption here is the case of session token theft. Login from a new location. How many of you would say that a login from a new country for your user would be enough to call them up, lock their session, revoke their token? Nobody in this room. Exactly. Login from new location: absolutely not. The SMB moves around too much to use that as an accurate detector. Now, there may be cases where you know for 100% that your workers should never be leaving the Cayman Islands, or your workers should never be leaving the United States, and that might work for you, but it doesn't work for me. I've got 1.2 million identities; they move around all the time. I see about 12,000 new locations every single day, so just alerting on that itself, not going to work. But if I told Max Rogers, the director of the Huntress security operations center, that he'd have to look through 12,000 logins to find evil, he'd probably challenge me to a pistol duel. So what do we do? We include more of these telemetry points, we include more of these data points. What if we take that login from the new location and we group it? We pin the session ID and look at all the events in that session and say, these came from X and this one came from Y. We're getting better, but again, if you just hop on a plane you could be, in, you know, from the United States to Canada, or over to Great Britain, or down to the Cayman Islands in a couple hours. So we're not quite there yet. But again, like I said, if you cluster more of these data points, you get a higher hit rate. What about: you group by the session ID, you look at the location changes, and then you find meaningful differences between the IP addresses, the user agent, the browser, the operating system, something in that event changed? Now we're getting there, because that means that, of any two authentications in the same session, if one of them comes from France and one of them comes from Great Britain, and one of them comes from macOS and one of them comes from Windows 10, and one of them comes from Firefox and one of them comes from Chrome, is there anybody in this room that can give me, like, a good explanation for why that would be a legitimate session? I still haven't heard anybody come up with a good explanation of that. And that's exactly what I did. Again, you could do this with Python; you could grab all of your logs and just start to cluster them. So, like, Jupyter notebooks, or just raw Python like I'm doing here, but, like, cluster them by the session ID and then start to look for these meaningful differences, which are highlighted in green. One of them, in this case, this is the same session: one comes from Mysterium VPN, one comes from ExpressVPN. Two different VPN exit nodes used in the same session. Somebody might be using Mullvad VPN or ExpressVPN or Nord if they have, like, a YouTube sponsorship or something, but, like, there's no real reason why two VPNs should be used in the same session, right? Probably. But the real kicker is that one came from Windows and one came from macOS. Like, dead giveaway. So that just summarizes that.
that was talking about detection of session token theft, right? So for the people who are good and use MFA, that was the effective attack against that. But what about without MFA? We're really in The Hurt Locker if you don't use MFA, and most of the small to medium businesses don't, I can tell you that. Credential theft, credential theft is your effective attack against that. The raccoons, man, every time. So MFA adoption rates in the SMB are not as high as we'd want, so that means that if you just have a username and password you get to just log in if you're a threat actor. It's a sad state of affairs.

So we take a couple assumptions here. In the unified audit log, the UserLoggedIn event is the event that we're actually looking for here. The request type in the extended properties is Login:login, and that means that there was an interactive login that did not use MFA in that case. Now that could be totally fine because somebody is using their work device but they went on vacation or something like that. But what if it also does not come from an Intune compliant and managed device? So don't focus so much on the specifics of the methodology here, but this is like you start with the funnel at the top and then you start to pare down the detection criteria to get very focused in on what is likely in your organization to be activity that could not possibly be explained by benign use. And so one of these things is that if you know that all of your devices are MDM compliant and managed via Intune, Microsoft actually gives you a data field that says this came from a compliant and managed device, so if you discard those and just look at the ones that don't, unfortunately that's not a super strong hypothesis, because especially in the SMB a lot of people just use their personal devices. It's shadow IT, it's a whole thing. And that's why I say a rogue device is kind of its own threat model, but you can make this work: if it's coming from an OS that you've never seen before, if it's coming from a browser that you haven't seen for this user, that's a decent way to attack that problem. But this one I would say, of the two, session token theft and credential theft, credential theft is the harder one to get true positives on, from what I found.

OAuth consent grant attacks, shout out to B. Very quickly, we're going to speed through this a little bit. I've got about
18 minutes left, that's actually not bad. Who has used applications, who's seen this on the right side of the screen here? Ignore the application name itself because that's not super important, but if you've seen this on the right side of the screen, this is the customer-facing, the Microsoft customer-facing experience when you install an OAuth application in your Microsoft 365 tenant. So applications do all manner of things and this is how they hook into Entra, and it's a more complicated thing than I think I want to get into in this talk, but I gave another talk about this a couple weeks ago. This is basically how you would install an integration into your calendar to sync up your calendar to your team maybe, or something to back up your emails, or something like that.

Now the interesting thing is that for you as an attacker, that presents an attack surface. So you as an attacker can either create a malicious application and try to get somebody to install it, or if you've already accessed the tenant you can install a malicious application yourself and use that for persistence. So there's good attack primitives for initial access and persistence with these two. So we're not going to worry about the technicals of this, but this is usually what that ends up looking like: you've got your user who gets an email from IT and it says hey, install our new application, just click on this link, log in with your username, your MFA if applicable, click accept, don't ask too many questions. So this is what the user says: maybe they've gotten security awareness training and they say, well, you know, I've been taught to look for sussybaka.evil or whatever, but this is coming from login.microsoftonline.com, so it's probably fine. But what they don't realize is that this is hijacking the legitimate OAuth application authentication flow, the flow for authz and authn, authorization and authentication respectively. This is what's going on here, and they may not realize it, but there are a couple of dead giveaways here, in that there's a redirect URI that goes to some IP address, and there's a set of scopes. In OAuth you will consent to the permissions for your given app; if it's a delegated app you can say yeah, you can access my calendar, you can access my emails, you can do all that kind of stuff. So that also is part of this as well. And then this is what they'll see and they'll just say oh yeah, sure, totally, accept, and they may even consent on behalf of their entire organization if they can do that. By default in Entra every user can install any application, every user can consent to the permissions that are effective for their own assets, and you can change that in Entra and I recommend that you do.

If you're a red team operator, like I was on this engagement, this is what you see when somebody does that: that access token that's generated by the legitimate OAuth authentication flow goes to your particular URL, and congratulations, you are now in possession of an access token, and as an attacker you can then trade that in for some other kind of access or continue your engagement. You also get a refresh token down there too, which is even better. That's a little closer, just to see.

For detection criteria for this, nothing is better than if you have the actual link for this one, in a forensic sense, because to recreate this from the telemetry has proven to be very difficult. But if you can reach into the browser history of the particular victim or suspected victim, you will be able to see that URL in its entirety, and that's gold right there, because you can see immediately that there's some kind of client app ID, there's a URL associated with that, and then the permissions that they have
requested.

And finally, for the attack and defense section, device code phishing. Who in the room has used, besides you two, I know you two have, who in the room has used the Microsoft device code authentication flow in a legitimate way? That's cool, that's very cool. Notice how 99% of the room did not raise their hand. This is a very niche piece of functionality that serves a very small subsection of the types of users in M365 that has a disproportionately massive attack surface associated with it. And what this does is that if you have a device that is, they call it an input-restricted kind of device, I think that's the term, but effectively think like a printer or a smart TV or something that doesn't have a terminal, and you need to authenticate that, and you can authenticate that stuff into your M365 tenant for some reason and you want to do that, you can request a token at something that does have a terminal and a keyboard, like your browser, and then you can punch in a code on that device, and then you can authenticate that device from somewhere else. And like any good sufficiently complicated system of authentication, that leaves us with a beautiful attack primitive: to request that code ourselves as the attacker and then socially engineer somebody to punch it in on their end as the victim. And you can do any number of things, like you can send them something from Microsoft that says hey, go to microsoft.com/devicelogin, please punch in this code. And again, if I've been trained via security awareness training to look for sussybaka.evil.site, I'm going to say that looks totally fine, microsoft.com/devicelogin, that looks totally okay. So then the victim will bite, they'll go to the device code login portal, the legitimate one, they'll punch in their username, their MFA if applicable, and then if you on the other end as the attacker then just request the endpoint that you'll retrieve the token from, you can keep doing this. These codes are active for 15 minutes, so you're kind of on the clock, but if you successfully phish somebody you just keep requesting this endpoint: hey, have they authenticated yet? Nope. Hey, have they authenticated yet? Nope. Hey, have they authenticated yet? Yes, and you get yourself an access token.

Detection for device code phishing: there's one particular field in here that I think deserves special attention, which is the original transfer method is device code flow, and that's going to be in the Entra ID sign-in logs. If I could have one field to hunt that down, that's what it would be. And also the login request type, the extended property request type, is Cmsi:Cmsi. That is, device code authentication was used, that's the device code flow. So again, this is just more of the same, it's co-opting the legitimate authentication process to inject yourself as the attacker into somebody's accesses, and this is just one of those. Oh, additional detail here: this will also satisfy MFA, so again this is a good MFA bypass if you can trick somebody into doing it. And there's your device code flow original transfer
method right there. So that's it, and I guess if I could sum it up I would say it's not all bad news, because like any good system of defense, account takeover is just one stop along the attack chain, and account takeover happens to be maybe the biggest one, but there are other things that telegraph threat actor activity in your environments. Maybe they added a rogue MFA device, maybe they installed a backdoor into a service principal with a password, maybe they create some inbox rules to actually stage that business email compromise. But the good thing about business email compromise, if there is one, if there's an upside, is that unlike ransomware, if you walk into work and you open your laptop and you see the ransomware background, you're cooked, that's it. But business email compromise actually is like setting a trap, so there is a lag time between when those inbox rules are set up and when somebody would have to reroute a financial transaction. And so there's still time, essentially, even if you fall victim to account takeover, even if you get these inbox rules staged, until somebody actually completes one of those transactions there's still time to intervene, there's still time to save. And we're lucky in the identity space that that's the case, because over on the endpoint side of the house, again, when you see ransomware you're cooked. So line up those layers of Swiss cheese, and that's all I got for you today. My name is Matt Kylie and I'd be happy to take questions at this time.

Thank you, Matt. We've got a couple minutes. Anyone have any questions for Matt? It's been very informative.

I guess this is a really quick thing. I think you mentioned earlier that you work currently on the blue team side of things for detection, and I imagine you work with all sorts of organizations with different use cases and different tooling. You did mention the use of coding with logs that are already existing
within those Office 365 applications, but I'm wondering if you're familiar with whether, for example, Microsoft Sentinel has these built-in use cases already for these sorts of detections.

Yeah, so Microsoft is famously opaque about their defensive implementation. And so while we could get things like the risky user sign-in logs, or like Microsoft Defender for Endpoint sends alerts, a lot of the time they will tell us that something has gone wrong, but they don't really say what in a lot of cases. So you may have an IP and you can kind of infer that, you know, it was a login from X country and that constitutes a risky sign-in. Unfortunately Microsoft is very opaque about why. They've got probably algorithms and machine learning and AI that completely eclipse my understanding; they've probably got a lot of stuff behind the scenes going on to make these determinations. But I guess they have a vested interest in making sure that the information gets to the customer but isn't overwhelming, so they'll tell you risky sign-in or this user is risky, but they don't usually say why. So they're doing things to protect you, but it's probably better to have your own redundant form of detection as well.

I'll put it to you this way. I mean, in the SMB, Microsoft has come out a couple times at this point and said we've made it harder for token theft to succeed, we've made it easier to implement MFA, we've made it better, we've made it this, we made it that. I still see these attacks every single day. I'm not saying they're not doing their job, but the attacks are still succeeding. And even if session token theft one day is declared dead because of device-bound encryption or something like that, which it probably won't, it's just more of the same: it has to be implemented everywhere, and it usually isn't. It has to be easy to use, or else users are going to say I don't want to use that, I don't want to use phishing-resistant MFA, I don't want to use a little device code token. And even if we assume that both of those were the case, that everybody's using it unilaterally and it's easy to use, threat actors are going to find some other way. durkon, that blog post, shows a method of phishing phishing-resistant MFA, if that's any indication. So cat and mouse, as always. Microsoft is actively making it harder for these attacks to succeed, but they're still succeeding every single day.

Thanks, that's really insightful, appreciate it. Of course.
Thanks for a great presentation. I know that it used to be the case that Microsoft E5 was the only level that would provide the level of logging that would be useful for a serious business or larger business, the level of logging that you've been showing here in your examples. I'm thinking for the friends and family small business owners: what is the bare minimum that you could possibly recommend to friends or family who don't want to pay the E5 fee?

Yep, so everything that you saw in here is available at the Business Standard level, and the reason is because my test bed is at the Business Standard level, because I can't assume, and this goes kind of into the Huntress product side of the house and I know that's not what people came here for, but I can't assume that everybody at Huntress is going to have above that license level. I have to assume that that's the level I have to build for. So all of the telemetry that you saw there today was at the Business Standard level, just a bare minimum: you're paying for a license but you're not paying for anything above that level. And I don't know if I have recommendations, because it's foundationally against my ethos to be like, oh, it's great to pay for security features that you should be getting for free. So, yeah, I guess that's how I would summarize it. I would ask of Microsoft to make, like we saw last year after the breach, which the threat actor's name escapes me right now, but they made Graph access logs available to everybody. But should it take breaches like that to really push that down? I'm pretty sure Microsoft is doing fine, probably. They could make all of this telemetry available, all of the premium telemetry, available to everybody instantly if they wanted to. So yeah, that's what I would ask of Microsoft, and I don't think I have a recommendation, because just personally I don't believe that you should have to pay a premium license fee to get things that could prevent a yogurt shop from getting ransomed. So I don't know, does that answer your question?

I think so, yeah. Was it really just Business Standard?

Yeah, Business Standard and a little bit of elbow grease, with pulling your logs and correlating with Python. I mean, that'll get you there. I didn't show anything in here that you can't do by grabbing those logs and correlating them manually, or putting them into your own SIEM or some kind of data store. So you would still want them to have some kind of protection, right?

Okay, I think we've got another speaker, if that's the last question. Thanks everyone. I think we've got a couple minutes before the next. Thank you so much.
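The "logs plus a little elbow grease in Python" approach the talk keeps coming back to, as an added example that is not part of the talk and not Huntress's tooling: it clusters UserLoggedIn events by session ID and flags the three signals described above (country, OS or browser changing inside one session; Login:login events from devices that are not compliant and managed; Cmsi:Cmsi device code logins). It assumes records in the Unified Audit Log shape (ClientIP, with ExtendedProperties and DeviceProperties as Name/Value lists); the property names SessionId, OS, BrowserType and IsCompliantAndManaged are my understanding of that shape rather than something the talk states, and the GeoIP lookup and the sample events are constructed.

```python
"""Cluster Microsoft 365 UserLoggedIn events by session and flag the three
signals from the talk: mixed-up sessions, password-only logins from unmanaged
devices, and device code flow logins."""
import json
from collections import defaultdict

# Constructed stand-in for a GeoIP lookup (documentation address ranges only).
GEO = {"203.0.113.10": "FR", "198.51.100.7": "GB", "192.0.2.55": "US"}


def _nv(props, name, default=""):
    """Read one Name/Value pair out of a UAL property list."""
    for p in props or []:
        if p.get("Name") == name:
            return p.get("Value", default)
    return default


def normalize(record):
    """Flatten one UserLoggedIn record to the fields we cluster and filter on."""
    ext, dev = record.get("ExtendedProperties"), record.get("DeviceProperties")
    ip = record.get("ClientIP", "")
    return {
        "user": record.get("UserId", ""),
        "session": _nv(dev, "SessionId"),          # assumed property name
        "ip": ip,
        "country": GEO.get(ip, "??"),
        "os": _nv(dev, "OS"),                      # assumed property name
        "browser": _nv(dev, "BrowserType"),        # assumed property name
        "request_type": _nv(ext, "RequestType"),
        # Assumed name for the "compliant and managed" flag the talk mentions.
        "managed": str(_nv(dev, "IsCompliantAndManaged", "False")).lower() == "true",
    }


def cluster_by_session(records):
    """Group normalized events by (user, session ID)."""
    sessions = defaultdict(list)
    for n in map(normalize, records):
        if n["session"]:
            sessions[(n["user"], n["session"])].append(n)
    return sessions


def session_anomalies(records):
    """Sessions whose events disagree on country, OS or browser.

    A country change alone is weak (planes, VPNs); an OS or browser change
    inside one session is the dead giveaway the talk describes, so it is
    marked "strong"."""
    findings = []
    for (user, sid), events in cluster_by_session(records).items():
        diffs = sorted(f for f in ("country", "os", "browser")
                       if len({e[f] for e in events}) > 1)
        if diffs:
            findings.append({"user": user, "session": sid, "differs_in": diffs,
                             "strong": bool({"os", "browser"} & set(diffs))})
    return findings


def unmanaged_password_logins(records):
    """Interactive logins without MFA (Login:login, per the talk) from a device
    that is not compliant and managed: the top of the credential-theft funnel."""
    return [n for n in map(normalize, records)
            if n["request_type"] == "Login:login" and not n["managed"]]


def device_code_logins(records):
    """Logins whose request type is Cmsi:Cmsi, i.e. the device code flow."""
    return [n for n in map(normalize, records) if n["request_type"] == "Cmsi:Cmsi"]


def _rec(user, ip, sid, os_, browser, rtype, managed):
    """Build one constructed UserLoggedIn-shaped record."""
    return {"Operation": "UserLoggedIn", "UserId": user, "ClientIP": ip,
            "ExtendedProperties": [{"Name": "RequestType", "Value": rtype}],
            "DeviceProperties": [{"Name": "SessionId", "Value": sid},
                                 {"Name": "OS", "Value": os_},
                                 {"Name": "BrowserType", "Value": browser},
                                 {"Name": "IsCompliantAndManaged", "Value": managed}]}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    _rec("alice@example.test", "203.0.113.10", "s-1", "Windows10", "Chrome", "OAuth2:Authorize", "True"),
    _rec("alice@example.test", "198.51.100.7", "s-1", "MacOs", "Firefox", "OAuth2:Authorize", "False"),
    _rec("bob@example.test", "192.0.2.55", "s-2", "Windows10", "Edge", "Login:login", "False"),
    _rec("bob@example.test", "192.0.2.55", "s-2", "Windows10", "Edge", "OAuth2:Authorize", "False"),
    _rec("carol@example.test", "192.0.2.55", "s-3", "", "", "Cmsi:Cmsi", "False"),
]

if __name__ == "__main__":
    print(json.dumps({"sessions": session_anomalies(SAMPLE_EVENTS),
                      "password_only": unmanaged_password_logins(SAMPLE_EVENTS),
                      "device_code": device_code_logins(SAMPLE_EVENTS)}, indent=2))
```

On the constructed sample, alice's session is flagged as strong because OS and browser change mid-session, bob's Login:login from an unmanaged device lands in the credential-theft funnel, and carol's Cmsi:Cmsi login is the device code hit. Against real exports the same functions take the parsed AuditData JSON of each record; the Entra sign-in log's original transfer method field the talk mentions is a second, independent source for the device code case and is not modelled here.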