
All right, so let's get this started. How y'all doing? My name is Leron, and this talk, in the schedule, is called "Y'all Trying to Understand Azure AD and RBAC or Nah", but I decided to change it, simply because I think this title is more appropriate and also because I'm giving this talk at another conference at another point in time, and I thought I might as well just be consistent. So this talk is called "Y'all Trying to Enumerate Azure AD and ARM or Nah", and we're going to talk about Azure AD, we'll talk about ARM, which is Azure Resource Manager, and how the two services relate.

So who am I? My name is Leron, as I mentioned before. I am on the Azure Red Team at Microsoft. I noticed some of the other red teamers had a presentation earlier from a different red team at Microsoft, and, you know, had to represent. I go by daddycocoaman, so if you see me in the chat or if you see my handle on a Slack somewhere, feel free to say hi or whatever. I have a website, you can check out my GitHub. I'm also a nerdcore rapper by the name of Omai; you can check out my website. The SSL certificate expired, but, you know, who renews those? Nobody I know. And I was actually on the DEF CON tape this year, so if you happen to have the DEF CON tape you can check that out, check out one of my songs. Cool. You always gotta promote my music: check my SoundCloud, check my Bandcamp. I was in the Navy for 10 years, I got out about two years ago, and I became a web app pen tester, and now here I am at Microsoft on the Azure Red Team. I love Python and Pythonic things, so you'll constantly see me talk about Python on Twitter, or if you have any questions about how to get started, or the things you can do, or challenges you can do, hit me up and I'll hook you up with some stuff.

So today we're going to talk about Azure Active Directory, Azure Resource Manager, tools for interacting with both of those, and I'll give a demonstration at the end of a tool that was written called Stormspotter, which allows you to visualize Azure AD and Azure Resource Manager and sort of find misconfigurations.

Let's talk about AAD. So Azure Active Identity, excuse me, Azure Active Directory, or AAD, is a cloud-based identity and access management service. You have all of these objects that are listed on the left: you have users, groups, external identities. All these objects are within Azure Active Directory, so basically it's like Active Directory, but in Azure. Wow, who'd have thunk it, right? It's a pretty clear-cut name. It definitely has parallels to what you would find for Active Directory on a Windows domain, but because it's in the cloud, things are managed slightly differently, and you have a lot more options for the things you can do with these identities.

So let's talk about these objects. We have users, which is your standard user, right, someone who will log in. We have groups, which is a collection of objects, so it can be users, it could be groups, service principals, etc., just other objects that are in Azure Active Directory, or AAD. We have applications, and applications are used to create service principal objects; we'll talk more about this later. God, this is pretty important. We have service principals, and a service principal is a local representation of an application instance within a tenant. This will all be explained more as we go along. But then we also have devices, which are managed devices that you can add to Azure Active Directory, and we have roles. So a role is a set of permissions that is given to an AAD object. It can be something like Global Administrator, Company Administrator, User Account Administrator, Directory Members; these are all the names of roles that you can apply to an Azure Active Directory object, a basic AAD object.

Let's talk about users. They are a normal user. They can be internal or external. The way you can tell is that the internal will have alias@tenant.onmicrosoft.com, and an external will have an alias, followed by an underscore, then the name of their home tenant, followed by octothorpe, I'm using the fancy word octothorpe, EXT octothorpe, at tenant.onmicrosoft.com. So for example you can have leron.gray@stormspotter.onmicrosoft.com, or you can have leron.gray_microsoft.com#EXT#@stormspotter.onmicrosoft.com. I've never said that word so many times in my life, and it just feels really refreshing to use a new word.

So if you look at what a user looks like in AAD, if you look in the portal, here we have Kelly Santana at stormspotter.onmicrosoft.com. Each object in Azure Active Directory is given an object ID; that's how it's referenced. So anytime you see an object ID, it's used as a way for Azure Active Directory to know about that object and to provide relationships to other roles or permissions or other objects that are in Azure Active Directory.

Then we have groups, which is pretty self-explanatory. A group is a group of objects, so you can have users, groups, devices, you can have service principals; it's just a logical collection. This is the same as what you would have in a normal Active Directory environment where you have a group for membership; this applies the very same way. So we have direct members of a group, which are those who are explicitly assigned to a group. So in this instance, I forgot to put the actual name of the group here; the actual group is called Sales, and under Sales we have Caroline, Catherine, Jason, and we have another group called Sales Cashiers, so we have a nested group here. We have Kelly and Kyle. And if we look at all the members, right, we can see that it actually unrolls the other groups that are inside of this group and lists all the members of that group. So Johnny Anderson, Kristen Howell and Dave Frank are all actually members of the Sales Cashiers group, but since we're looking at all the members of the Sales group, they're going to show up here too. This is really important, because sometimes, and a really common misconfiguration is, you have groups that are part of other groups who accidentally inherit permissions that they're not supposed to have. So this is actually a fairly common thing that you can mess up in Azure Active Directory, the same way you could probably mess it up in Active Directory.

So groups can also have owners, right? You can have an owner of an object, but the owner doesn't have to be a member of that group. So in this case we have this group called Sales, and we have all these users and the Sales Cashiers group, but the owner is not only Kelly but also a service principal called Sales AAD SPN. Why is that there? I don't know. That's probably a misconfiguration. There's not really a reason; it's not common to have a service principal have ownership over a group, but that's definitely something you can look into if you were to see that. I'd question it myself.

So what are applications? An application is a template used to create a service principal for authentication. So basically an application is like, you make a website, right, I don't know, stormspotter.azurewebsites.net, and you create this application inside of Azure, and then you give it an AAD application and you say this application is responsible for authorizing you to access stormspotter.azurewebsites.net. So you can set up a website or whatever and have the AAD authentication automatically done through the use of this AAD application object. Applications can be single-tenant or multi-tenant. What this means is that you can have an application that's made specifically for your own company, your own organization, or you can have an application that's meant for anyone. And when you create a multi-tenant app, that really means multi-tenant: that means that any organization has access to that application. There's been a recent history over the last couple years of attackers making malicious multi-tenant applications, which then create a service principal in the target tenant, and then all of a sudden they have some sort of permission in a tenant that they're not supposed to have, because maybe the administrators forgot to turn off the ability for users to add applications to the tenant. So it's something that you definitely want to be careful of when you're talking about applications, because an application with too many permissions that is not yours, or even if it is yours, can be pretty troublesome.

So here's what an application looks like in the portal. It has an application ID and it has an object ID. So remember, the object ID is what Azure Active Directory uses to reference it, but the application ID is the ID that's unique to this application, because again, you can have a multi-tenant application with different service principals, right, in different tenants, but they're all going to point to this one application ID.

So we talk about service principals, right? It's an instance of an AAD application that's somewhere out there, right, whether it's in your tenant or somebody else's. You can add credentials to a service principal, and you can use it to log in as that particular identity. Usually, think of it like a service account, right? You don't need a user to log in to do this action, or maybe you have some sort of automation set up; you use a service principal to do that. You can add a password to it or you can add a certificate to it for authentication. And if you create a service principal directly, it will also create an application behind it automatically. So even if you don't create the application yourself, creating a service principal directly will create that application, because it needs to be tied to some sort of application ID. So here's what I mentioned before: we have the application, and it has that application ID on the left side, and on the right side we have the service principal that represents that application inside of this tenant. The application ID for the two is the same, but the object IDs for the two are different, because they're two different objects as far as Azure Active Directory is concerned.

Let's talk about devices. Devices can be joined or registered. You typically find joined devices for corporate resources, right, so you have like a desktop or some managed device by your organization, and you would join that to AAD. Or you can have a registered device, and those registered ones are usually bring-your-own-device, so they're like a mobile device: maybe an employee has a phone and they've enrolled it so that they can access corporate resources, and they're not really joined, because it's their own personal device, but they are registered. So here's an example. The first one in this list is an Azure AD joined Windows host, and the other ones are all registered, right? They're not managed by the Active Directory, but it allows me to access some of the resources because I'm known to Azure Active Directory.

Let's talk about roles. So roles define permissions for other AAD objects. There are built-in roles, and they have a predefined set of permissions. You can make your own, but you should definitely check the permissions that you add to them. There's a lot of very granular AAD roles already. If you need to make one, feel free to go ahead, but you want to make sure that your roles aren't too permissive, and you should probably check to see if it's already covered by a built-in role, just so you don't mess something up. It's like rolling your own crypto, right? There's already crypto there; don't try to roll your own if it exists already. Here's what it would look like in the portal. So if you look at the list of AAD roles, you'll have all these lists, and they all end with "Administrator" for the most part, with exceptional things like Global Reader, but most of these roles are administrative roles because they have some sort of power over another AAD object. The one that I have highlighted here is Global Administrator, which can manage all aspects of Azure AD and Microsoft services. That is almost the top administrator; you can actually elevate from that into another role. But Global Administrators are the accounts that you definitely, 100 percent, want to protect through MFA, and perhaps a separate account from the different user account, the same way that you would treat a domain administrator. So you don't use your regular account to do domain administrative work, I hope; you have a separate account that you would log into in order to do that level of activity. Some of the other ones that are highlighted here, I mean, all these administrative roles are interesting, but some of the other highlighted ones are, for example, the Help Desk Administrator, which can reset passwords for non-administrators and Help Desk Administrators, which basically gives you the ability to reset any user's password and then log in as them, assuming there's no MFA involved or anything like that. So you should definitely look through these roles, see if there's something that you may want to use and apply to a particular set of objects before you try to create your own groups, or your own roles, excuse me.

Here's what it looks like if you look at the summary in the portal: you'll get a summary of the role, it'll give you the description, but more importantly, these roles are a set of permissions. Each permission has a namespace, an object in the namespace, sometimes some properties, and an action that you can do on that object. You can look at the site there, and you can just go Bing it; I'm gonna say Bing, we're talking about Microsoft today, right? If you decide to Bing "directory assignment admin roles", you can check that out. So the role permissions look like this, right? They have microsoft.directory, which is the namespace, then you have these users objects, and as a Help Desk Administrator I can invalidate all their refresh tokens; that would be the first one in that list, right? And all these permissions are laid out so you know exactly what each role is able to do.

Let's talk about Azure Resource Manager. Oh, one thing I didn't cover, and I realized this morning that I didn't put it in the slides, didn't really have time, were managed identities. So a managed identity is an identity that you can give to a resource in Azure, like a virtual machine or something like that. You can give that a managed identity so that it can access other resources. Those managed identities will show up in Azure Active Directory, so you can treat it just like an actual identity for that resource. But anyway, let's move on to Azure Resource Manager. So it is the deployment and management service for Azure resources. It used to be called ASM, Azure Service Manager, way back when; I don't know how long back, before I joined Microsoft at least. It's now known as Classic, so if you see something like Classic Administrator or classic storage or classic resource, they're talking about services that were provisioned under Azure Service Manager. The Azure Resource Manager is essentially a set of APIs that are used to talk to all of the resource providers within Azure. So you can access it through the portal, through PowerShell, through the Azure CLI, or through just simply a REST client, right? You can talk to it directly, with curl or whatever API-talking tool you like to use, and you can talk to the resource providers that are in Azure.

So here's some terminology you need to know. There's the tenant, which is the representation of an organization. So for example, microsoft.com, or Microsoft, would be a tenant, right? But Microsoft, as an organization, may have other sub-organizations, so you can have an organization for Microsoft Part One, a different tenant for Microsoft Part Two, Microsoft Part Three, and you just know that a tenant represents an organization as it's defined by however your organization wants to define its organizations. There's no set way, but usually you have the top-level tenant, and then you may have other tenants alongside that are provisioned by an organization. You have subscriptions, which is a logical collection of resource groups, and they're usually separated for billing purposes. So you can have a subscription maybe for your sales department, one for your IT department; that's how you should do it, particularly when you talk about billing, so you know who's using what resources, and if there's different funding levels, right, you can manage it that way. You have a resource group, which is just a collection of resources. You have a resource: a resource is any manageable item in Azure, and that includes virtual machines, web apps, storage, key vaults, anything you can manage. Which means that subscriptions and resource groups are also considered resources, because you can manage those directly, because they come from what's called a resource provider. So a resource provider is a service that provides a type of resource. Wow, right? So for a storage account you would have Microsoft.Storage for the resource provider; for subscriptions you would have Microsoft.Subscription; you have Microsoft.Compute for virtual machines and other compute resources that you can provision within the portal. And then finally we have this concept of role-based access control, and role-based access controls are a set of permissions that a user may take on a resource. The resource is defined in scope. Also, these are not the same as AAD roles, so keep in mind that AAD and ARM are separate. They can correlate information, but their identities and services are separate, right? AAD manages your identities while ARM manages your resources.

So here's a list of resource providers. I talked about this in the last slide, really. If you look at them, there's one resource provider for literally every resource that you can have in Azure. Sometimes you may see these service principals pop up in your AAD, and it's because when you provision a resource, right, Azure needs to provide the service principal for that application so that it can provision those resources within your organization. So remember how we talked before about applications having a service principal for representation in a local tenant? That's what that is. So you'll see these around depending on what type of resources you have in your environment.

Let's talk about the control plane versus the data plane; this is also very important. Operations in ARM are divided into two categories: one is control, or management, as you may hear it called, and the other is the data plane. So the control plane is for managing the resource within Azure Resource Manager, or ARM. Requests for the control plane are sent to the resource provider, right, so Microsoft.Storage if I want to add a new storage account, for example. But the data plane is for managing the operations of the resource. So if I have something like a virtual machine, I can create and delete a virtual machine on the control plane, or the management plane, but I have to RDP on the data plane. I can create a storage account on the control plane, but if I want to read and write data to the storage account, I need to have permissions on the data plane, right? It's a very important concept for understanding role-based access control, because these are two different sets of permissions that can affect what is essentially the same resource and then the instance of that resource.
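The control-plane versus data-plane split just described is the thing most people get wrong when reading a role definition, so here is an added example, written for this transcript and not code from the talk or from the Stormspotter project. It evaluates role definitions in the shape Azure RBAC uses (Actions/NotActions for the control plane, DataActions/NotDataActions for the data plane, with Azure-style `*` wildcards) against a few storage operations. The role contents are modelled on the talk's descriptions of Reader, Storage Blob Data Reader and the two storage-queue roles rather than copied from a live tenant; the "Storage Key Manager" custom role, the `OPERATIONS` table and all function names are assumptions made for this example.

```python
"""Evaluate Azure RBAC role definitions against control-plane and data-plane
operations. Added example; not code from the talk or from Stormspotter."""
from fnmatch import fnmatchcase

# Role definitions in the shape Azure RBAC uses: Actions/NotActions govern the
# control (management) plane, DataActions/NotDataActions govern the data plane.
# Constructed from the talk's descriptions; NOT the live built-in definitions.
# "Storage Key Manager" is a made-up custom role that exists only to show how a
# NotAction subtracts from a wildcard in Actions.
ROLES = {
    "Reader": {
        "Actions": ["*/read"],
    },
    "Storage Blob Data Reader": {
        "Actions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/read",
            "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
        ],
        "DataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        ],
    },
    "Storage Queue Data Reader": {
        "Actions": ["Microsoft.Storage/storageAccounts/queueServices/queues/read"],
        "DataActions": [
            "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        ],
    },
    "Storage Queue Data Message Processor": {
        "DataActions": [
            "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
            "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action",
        ],
    },
    "Storage Key Manager (constructed custom role)": {
        "Actions": ["Microsoft.Storage/*"],
        "NotActions": ["Microsoft.Storage/storageAccounts/listKeys/action"],
    },
}

# Operations mapped to the plane they run on and the permissions they require.
# Constructed from the talk's descriptions (blob read lives on the data plane;
# dequeuing a message both reads it and removes it, so it needs two permissions).
OPERATIONS = {
    "create storage account": ("control", ["Microsoft.Storage/storageAccounts/write"]),
    "list containers": ("control", ["Microsoft.Storage/storageAccounts/blobServices/containers/read"]),
    "list storage account keys": ("control", ["Microsoft.Storage/storageAccounts/listKeys/action"]),
    "read blob": ("data", ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]),
    "peek queue message": ("data", ["Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"]),
    "get queue message": ("data", [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action",
    ]),
}


def matches(pattern: str, permission: str) -> bool:
    """Azure-style wildcard match: '*' spans any characters, including '/',
    and the comparison is case-insensitive."""
    return fnmatchcase(permission.lower(), pattern.lower())


def role_allows(role_name: str, permission: str, plane: str) -> bool:
    """True if this one role grants `permission` on the given plane.
    NotActions/NotDataActions subtract only from the same role's grants;
    they are not a deny that reaches across other assigned roles."""
    role = ROLES[role_name]
    allow_key, deny_key = (
        ("Actions", "NotActions") if plane == "control" else ("DataActions", "NotDataActions")
    )
    granted = any(matches(p, permission) for p in role.get(allow_key, []))
    excluded = any(matches(p, permission) for p in role.get(deny_key, []))
    return granted and not excluded


def missing_permissions(assigned_roles, operation):
    """Permissions that `operation` needs and none of the assigned roles grant.
    An empty list means the principal can perform the operation."""
    plane, required = OPERATIONS[operation]
    return [p for p in required if not any(role_allows(r, p, plane) for r in assigned_roles)]


def can_perform(assigned_roles, operation) -> bool:
    return not missing_permissions(assigned_roles, operation)


if __name__ == "__main__":
    scenarios = [
        (["Reader"], "list containers"),
        (["Reader"], "read blob"),
        (["Storage Blob Data Reader"], "read blob"),
        (["Storage Queue Data Reader"], "peek queue message"),
        (["Storage Queue Data Reader"], "get queue message"),
        (["Storage Queue Data Message Processor"], "get queue message"),
        (["Storage Key Manager (constructed custom role)"], "list storage account keys"),
    ]
    for roles, op in scenarios:
        missing = missing_permissions(roles, op)
        verdict = "allowed" if not missing else "denied, missing " + ", ".join(missing)
        print(f"{', '.join(roles)} -> {op}: {verdict}")
```

Run it as a script to see each scenario's verdict. The check a defender actually wants is `missing_permissions`, because it names which plane's permission an assignment lacks: Reader can list containers on the control plane but has no data-plane grant for the blobs, and the storage-queue case the talk goes on to describe shows up the same way, with the data-plane read present but `process/action` absent.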
so the road based access control is the authorization system that was built on top of arm that allows you to access or at least control or manage your access to resources and our back role is based on three parts you have the security principle which is an aed object so a user group a service principle manage identity etc you have a role definition which is the collection of permissions and then we have the scope that it applies to so you have again you have the the the object that you are giving uh the permissions to you have the permissions that you are giving to that object and then you have what scope that those permissions are going to be valid for
so here are some general arbac rules you'll see you hear about your contributor owner and reader are three very common roles and pretty generic roles um contribute owner being as far as their resource goes uh one of the the most powerful uh not the most powerful but pretty high up there um on managing that resource because it gives you access to manage all of it and then you have contributor which is a next level down because it grants you access to manage the resources but it doesn't allow you to add additional rbac roles and then you have reader right um reader just allows you to view the resources but you can't make any changes at all
right and then you also have the specific are back roles so in this list right here we have the ability to uh you have contributor on an smb share which is in storage and it's very specific right this role gives you the ability only the ability to uh read write and delete access on files and directories and add your file shares like that's very specific and so when you start giving out your permissions in azure 80 you want to make sure that you're trying to give that least privileged concept right you don't need to give someone a contributor over the entire resource group or the entire resource itself you can give a very specific part of that
resource you can give access to a very specific part of that resource if you wanted to so role definitions affect both management and data planes and the way it's organized is that here is a role called the state of blob storage blob data reader right you have these management actions and you have these not actions so on the management plane right i can read the containers that are in a storage account um i can also uh generate keys um but focusing right now on the uh this being able to read the container and then you have on the data plane the ability to read the blobs within the uh the container so these are very two
different permissions you can have access to the the storage account itself but if you don't have permissions to read the blobs then you won't be able to read the blobs um again the management access is not adhering to that data for that specific reason i just mentioned i'm actually getting ahead of myself so yeah the the the permissions to read the container in a storage account does not give you permissions to read the blobs um the way not actions work is that it's it it you get a list of actions that you can do and sometimes these actions will be have like an asterisk for example so um maybe instead of microsoft dot storage storage accounts i have microsoft
storage slash asterisk and what that means is that all the resources under microsoft that storage resource provider i have uh this level of access to um what the way not actions works is that it subtracts the roles that you have in your actions and it says well if that was an asterisk maybe i don't want you to read storage accounts so you can put um a not action in that field um but also but not actions i learned just recently a couple days ago was that not actions are not uh don't have any precedence over uh the actions so if you have um an action that is that is uh covered and then you have
that not action and they both reference the same permission you will have you will have access uh to that permission simply because it's in the actions so not actions is not a uh it is not like a higher priority it's just an easier way to manage what your permissions are yeah that's a lot uh i had to read up on that a couple days ago and it was i did not know that so i learned something new someone on the actual red team right um so here the uh the actions permissions and operations um you you have these list of operations that you can do on the left so maybe get blob metadata and here are the
the permissions that are required to perform that action so if i want to snapshot a blob which means just sort of like a version history thing and i need to have the ability to write blobs or i need to have the ability to add slash action on blobs and this can get um pretty uh confusing at times because sometimes actions don't always don't clearly represent um what permissions that they have so this happened a few days ago and i decided to put this one in but someone asked me on slack they were like hey i have this uh permission for storage queue data reader i'm trying to read the messages that are in my queue
but it won't work and i thought that was pretty interesting so i looked into it and the permissions that are that that it gives you um that this role gives you is the ability to read messages right so you can peek or retrieve it says retrieve but you can pick one of the messages from a queue but the way cues work is that when you read a messages it also pops the message off the cue right just like any other cue which means that if you want to get a message you also need to have the ability to delete that message from the queue so it's two explicit permissions one for reading and one for deleting if you don't have
the delete permission then you can't actually get the message you can just look at the message and leave it there so um here are the actions for the the uh the storage queue data reader which is what this person tried to apply to the user but what they really wanted was a storage queue data message processor which gives you the read permission but it also gives you the process slash action permission which satisfies the uh requirements in order to get messages so um it's it's a matter of understanding what the permissions are that you're what action you're trying to take on the type of resource that you're trying to take uh getting a message uh getting a cue
message just sounds like you're reading it but really you also have to delete it so you need that delete permission as well i'm going to speed up here because i'm so here's an example of applying an r back roll to uh to a an object right or just applying or back excuse me uh a role assignment here's a example of a role assignment wow um so you have these 80 objects that are part of the marketing group and the marketing group is assigned contributor access to a scope which is the pharma sales resource group so the marketing group now has full access to all resources in the pharmaceutics resource group but they can't assign additional our
back roles to that group to other people let's talk about interacting with aed and arm the most common way they should do it is through the portal you log into portal.azure.com um depending on the cloud environment that you're in if you are working in the us government world it might be ported on azure that us for germany china they all have their different urls that they use to access the portal but it all essentially looks the same um microsoft tries to aim for um parity against all cloud environments so you'll find that it generally looks the same you have the azure cli um it's written in python which means that when you install azure cli you're also
installing python on your system um that's just a note for anybody who does like any sort of risk assessment or whatever because it's written in python there's actually an instance of python that gets installed with the azure cli so if you're worried about like um uh being able to know what all your users are doing because like you know you have like script block logging on powershell or something like that and you're trying to lock down a host um the address cli is actually something you may want to look at to see if it's installed because it doesn't really explicitly explain that it's installing python but uh it does and the way you would log in
with the address cli is with the azlogin command when you do this and you log in your access tokens that are used to talk to these endpoints uh they're just uh they're just jwt that uh i forgot what jwt stands for but those tokens yeah um they get saved in your azure folder under accesstokens.json um so here's an example right i can list the key vaults in um this the the subscription that i've logged into um i can show i can interact with the azure active directory by listing the user so here i'm listing kelly's antenna and i can see the properties that are attached to that user powershell there's a lot of powershell modules uh
for azure az powershell is the newest version for interacting with azure this is the one you should probably be using um if you're not you should try to get there um it can't exist with the azure rm module um and the way you log in is with connect.az account the azure rn module is the older version of the az powershell module for interacting with azure um they count the the uh the module names all have like azure rm in them the same way that the az powershell accounts have connect dash az something or whatever um it but it can't exist with the azp powershell module so you may have some older scripts that use azure rm uh you may want to upgrade
those to ac powershell then you have the azure ad module which is for interacting with azure active directory um a the current versions work with microsoft graph this is fairly recent because previously uh it did not and it also works in powershell core uh before azure ad was working with uh microsoft graph there was another one called ms online so if you see this um i i think i saw like some uh some blog posts recently this year that was using ms online and i i was like okay sure um but you can use the azure ad um one instead and it also does not work in powershell course if you're running it from like linux or something like
that or wsl you won't have any luck with that and then there's the azure powershell module which sounds like what you may want to interact with azure but it's not uh unless you have classic resources in your address tenant right it's explicitly used for that um some organizations still have those types of resources or they have those classic management certificates that they use to manage um their azure what was azure service manager so you want to use the azure powershell module for that so again there are five of them but the the two that you really want are a z powershell and azure ad if you're using um if you decide to interact with powershell
then you have the azure sdks um they come in a bunch of different languages they're broken up into management libraries and the data point libraries so you can interact with the management plan or the data plane as was described before earlier in the talk um there's been a lot of refactoring for these libraries particularly for the python libraries they've changed a lot this year they've gotten a lot better um they were kind of messy before but um everything is definitely a lot more streamlined now so but if you're updating your libraries from an older tool you should definitely test before you update um and implement a new library because a lot of things have changed particularly
around managing different identities for logging in with these sdks you can check that out at azure.github.io azure sdk and you'll see all the languages and you'll see the the client and management libraries that come for that language and then if you really want to you can use the rest apis there's a lot of those i'm not going to go into them but the documentation is there um it allows you to talk to any resource or or a graph or or whatever um you can just look through those the documentation um if you're really curious about using these things directly so let's talk about storm spotter storm swatter is a tool that uh the azure red team has presented this
year publicly, and it is used to create an attack graph of Azure AD and Azure Resource Manager. We use the term attack graph because we are a red team, but realistically you can use it to just sort of look at and audit your own tenant based on the types of resources that you have. It's backed by Neo4j, which means that we'll be using some Cypher query language. It's written primarily in Python for the back end, and the front end was written in Vue. Look, I know "software engineer" is in my title, but I am trash when it comes to a lot of actual developing, like professionally, right? So
if you happen to look at Storm Spotter and you see how messy this Vue just running is, whoops. All right, so it enables red teams and pen testers to visualize the attack surface and pivot opportunities within a tenant, and as I mentioned, it can be used by defenders to audit themselves. One thing to note though: this is not an official Microsoft project. It's just a tool that we wrote as a red team. When we released this I saw articles come out like "Microsoft releases Azure Storm Spotter," and I'm kind of like, there's no Azure in the name. I guess it's like a whole legality thing that comes with putting Azure in the name, but it's just called Storm
Spotter. All right, and it's still in beta, so it works, but it does not work as well as it could. There's still a long way to go for getting it on point. So why does it exist? We want to use it to understand the configuration of the environment, understanding that should be "effects" not "effect", wow, grammar. So no, actually, never mind, never mind. So yeah, you want to understand the security of the environment, and relationships are easy to understand when they're visualized, right? We have tools like BloodHound, which are used for Active Directory enumeration, that have been proven to work, right? It gives everyone a better
display of how relationships work within Active Directory, so we want to provide that sort of similar concept within Azure for AAD and ARM. So would you rather look at this text output? If I want to see the owner of a service principal, who happens to be Kelly Santana, would you rather look at this output, or would you rather look at this nice graph that says that Kelly Santana owns this web application, our AAD application, and this application is represented by the Sales AD SPN within the environment? Personally, I know I'd rather look at the second, so I'm going to demonstrate that real quick. The requirements for using Storm Spotter, though: for AAD
you must have read access to either Azure AD or Microsoft Graph. The reason why Azure AD is listed here as legacy is because it's considered to be a legacy permission, right? Azure AD is still the name of the service, but the permission itself is considered legacy because it falls under graph.windows.net, and Microsoft is trying to move everyone to graph.microsoft.com. However, for Storm Spotter purposes we try to access Azure AD Graph, graph.windows.net, first, because there's a little more information in there that hasn't yet been filled into MS Graph. But eventually graph.windows.net, I think, may go away. I'm not sure, but they're definitely trying to move everyone onto graph.microsoft.com.
I think back in July they stopped, they said that they're no longer going to add any new features and are really pushing people towards the new service. For Azure Resource Manager you must have Reader access at least at the subscription level, and that's because enumeration of the resources happens at the subscription level, based on the way that IDs are structured. I didn't talk about this, but I'll show it to you in a bit. The way that an Azure Resource Manager ID for a resource is structured is usually like subscriptions, slash, the subscription ID, slash, resourceGroups, slash, the name of the resource group, slash, the type of resource provider,
slash, the resource. And it's pretty wild, but enumeration for these client libraries happens at the subscription level. Currently only Azure CLI and service principal logins are supported. So I'm going to show you this demo.
There we go. All right, so I've actually already logged in as Kelly Santana. I can show you this by listing the account here. I've already logged in as Kelly Santana; we'll just say that I've somehow found Kelly's credentials on Twitter or something, whoops, took a picture, accidentally posted a password on a sticky note or something. However I got the credentials, I've logged in as Kelly and I kind of want to see what Kelly has access to. So you could use the az CLI, you can use PowerShell to do all this sort of enumeration, there are some other tools that people have written this year to view what Azure resources
people have, but we're just gonna do this with Storm Spotter. So let's see, directly in
so I'm going to run the collector tool, as soon as I remember, because I was definitely in the wrong folder. And if I look at this, it's just a Python zip file, and I can work my way through the help options just as you would with any other tool. I'm not really gonna explain any of this now, but the most important thing that you can take from what's on the screen right now is that you can specify whether or not you want to just scan Azure or scan AD. You can also specify the subs that you want to scan, if you want to be
specific. So I'm going to run this tool. I've already logged in via the CLI, so I can just use the CLI authentication. First thing that happens is I authenticate successfully. I started enumeration, started enumeration for Azure Resource Manager, and all this is happening at the same time, so there's like thousands of requests going out, depending on how large your organization is. Sorry, enumerating Azure AD started all the queries for each type that is currently supported by Storm Spotter. Then I also started enumerating the subscriptions as well. It found one subscription. It tried to enumerate the management certs, which is a classic resource, but not only do I
not have management certs, but I also don't have permissions as Kelly Santana. So just to let you know, this is fine; if you see this warning, that's a good thing. If you don't see this warning, that is something to look into for sure. So it finishes all the querying, and this happened to me yesterday and I didn't realize what caused this: I had actually signed up for the Azure Security free tier, and this is telling me that there are some resources that Kelly cannot access. Kelly knows that they're there, but can't actually access the resource in order to enumerate it. So these warnings are fine. It prints
out these things that tell you that you can't access this resource, and then it zips up the output and puts it in this file. So I'm going to open this real quick. This was the most recent one, and it's a bunch of SQLite files. So if I open up one, for example for users, I can actually look at the data in the SQLite file. The way it's organized is that it's just a JSON output in the column, because it's just the easiest way to handle all these different object types, as opposed to putting each property into
an individual column. But I really don't care so much for querying this data directly, although you could, right? It is SQL, so you could query it that way. I am going to start up Storm Spotter with docker up. Let's go build it real quick, and this actually doesn't take very long at all because I've already built it. So there's the front end starting up, here's the back end starting up, waiting for Neo4j, which, cool. So we're gonna go there
and I'm gonna visit the Storm Spotter page. So here's the login screen. The default password is, of course, "password", because why not.
And I've logged in, and already I have no results because I haven't uploaded anything. Let me make this slightly bigger, there we go. All right, so we'll upload the file that we just got from the Storm Spotter collection. There's no indication currently on the front end that it's finished, but as it's going through it starts enumerating all these different node types from the database. If I wanted to see if it was finished I would look at the back end logs. Eventually I will find a way to show it on the front end. What happened was, I happened to have like a 10 gigabyte file one time when I was testing this,
and it became so unwieldy and took so long that showing that progress on the front end was a design choice that I haven't fully decided on yet. So, finished the ingestion, so we can start looking at things. The first thing I want to know is: who are my global administrators, right? So if I go over here to this Queries tab, there are some preset queries in here, and I want to know who my global administrators are, and here we get this nice little graph. We're going to ignore Brag real quick, or ignore myself, ignore these three. These are the two that I really care about, because these are the members in
the Storm Spotter tenant. So we have this account called Choc Latte and we have this account called Glow Bull, and Glow Bull has this administrator account name. So when I click on an object I can see the properties of this object on the right side. There are some properties that aren't shown here, and if I wanted to see that directly I can click on the raw data. This is supposed to be JSON indented, but I haven't figured out why it doesn't work yet; I've been struggling on that one for days, but I just blame it on JavaScript. So I can see all the properties, and I can see the relationships. So here I have
Glow Bull and Choc Latte, who are both members of Company Administrator, right? That makes them targets in my eyes, if I were someone who had stolen Kelly Santana's identity. But in order to see what Kelly has access to, we're going to look her up real quick, where
and here's Kelly's node, or ID. So we can click on Expand Outgoing, which shows which nodes have a relation from Kelly to that node, and we see that Kelly has a couple of interesting things, right? Kelly owns the Sales cashier, she owns the service principal, the application that we talked about earlier, she owns the Sales group, and she's a member of Sales. So Kelly is probably like a sales manager or something like that. She is a contributor to a subscription, which is probably a bug, because that subscription is right here, so I'll figure out why that showed up. She's a Contributor for subscription
and this is probably the most interesting thing, because for some reason Kelly has Contributor level access to the subscription. So I want to see what's in this subscription. I'm going to change the way the graph looks just to make it easier. So in this subscription we have a bunch of different resource groups, and we noticed that Glow was a global administrator earlier, and here's a resource group called Glow. So I want to know what's in here. What permissions does Kelly from Sales have on Glow's resource group? Although this gets a little messy, so let's filter this down and expand it and change how that looks, right? So the Glow resource group has a
key vault, it has a public-facing IP that is likely attached to this virtual machine, and there's a disk here as well. So if I start expanding on this virtual machine, it gets to be a lot actually, but I can see that this virtual machine has RDP open on 3389. So now I have an IP address, I have RDP access, and as a Contributor I would be able to log in to this IP address. I'm running out of time, but I'm going to show you how this can be used real quick. So since I have Contributor level
access on that virtual machine, right, by a transitive, by misconfiguration, I can actually, let's see, oops, sorry about that, az vm user update. I can update the virtual machine with my own administrator username and password. So I can do, I like being admin, the name of the resource group was Glow, the username we'll call it tempadmin. Actually, you know what, I'm gonna go up in my history real quick because I actually already had this set up somewhere and I didn't copy and paste it, anyway. And then I'll give it a password, test password one bang, and what this does is it creates a user on this virtual
machine, which Kelly shouldn't have access to, because it's not in Sales or anything like that; it's a misconfiguration. So Kelly has access to this machine. Let's set up a username, Glow, tempadmin, with the password, and then I can RDP into this virtual machine that Glow uses and I can look around and see what is on Glow's virtual machine. It's very important to understand what these permissions do. I'm gonna let this finish, but since I'm running out of time I'm actually gonna finish up the slides real quick, although I kind of just want to let you see that it succeeds and that I'm able to
change the username and password. You notice that I did give you an IP address, and I gave you a username, and I gave you a password, but you actually won't be able to log into this, because I have some permissions set up explicitly for me, so don't do that. So just to close this out real quick: AAD and ARM permissions can be pretty complex. You should regularly audit your permissions to check for changes and follow the least privilege rules, so you don't need access to an entire subscription or resource group just to access a resource, and users who manage resources should only be given access to
the resources that they need. So yeah, if you have any questions, hit me up at mcohmi, it's mcomi, I'm on Twitter, Instagram, whatever, everyone hit me up. You can hit me up on my email, which is daddycockman gmail.com, or you can add me on LinkedIn. If you add me on LinkedIn, just put in "BSides Seattle" so that I know where you came from. And that is my time, so I will take questions in the Discord, because the next talker is going to come up, right Carrie? Yeah, absolutely, thanks Lauren.
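The ARM resource ID structure described earlier and the closing least-privilege advice, as an added Python example that is not Storm Spotter's code: it parses ARM scope IDs into subscription, resource group and resource parts and flags Owner or Contributor assignments granted above a single resource. The role-assignment keys `principalName`, `roleDefinitionName` and `scope` are assumed from `az role assignment list -o json`; the sample assignments and the all-zero subscription ID are constructed.

```python
# Added example, not Storm Spotter's code: parse ARM resource IDs into their parts
# and flag Owner/Contributor granted above the resource level (the least-privilege
# point the talk closes on). Keys follow `az role assignment list -o json`
# (assumed: principalName, roleDefinitionName, scope).
import re

# Shape the talk describes:
# /subscriptions/<id>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>[/...]
ARM_SCOPE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"(?:/resourceGroups/(?P<rg>[^/]+))?"
    r"(?:/providers/(?P<ns>[^/]+)/(?P<rest>.+?))?/?$",
    re.IGNORECASE,
)

def parse_scope(scope: str) -> dict:
    """Split an ARM scope or resource ID; raise ValueError on anything else."""
    m = ARM_SCOPE.match(scope)
    if not m:
        raise ValueError(f"not an ARM scope: {scope!r}")
    out = {"subscription": m["sub"], "resource_group": m["rg"], "resource_type": None,
           "name": None, "level": "resourceGroup" if m["rg"] else "subscription"}
    if m["ns"]:  # /providers/<ns>/<type>/<name>[/<subtype>/<subname>...]
        parts = m["rest"].split("/")
        out["resource_type"] = m["ns"] + "/" + "/".join(parts[0::2])
        out["name"], out["level"] = parts[-1], "resource"
    return out

BROAD_ROLES = {"Owner", "Contributor"}

def broad_assignments(assignments) -> list:
    """(principal, role, level, scope) for broad roles wider than a single resource."""
    found = []
    for a in assignments:
        level = parse_scope(a["scope"])["level"]
        if a["roleDefinitionName"] in BROAD_ROLES and level != "resource":
            found.append((a["principalName"], a["roleDefinitionName"], level, a["scope"]))
    return found

# Constructed sample (all-zero subscription ID is a placeholder), echoing the demo:
# Kelly from sales holds Contributor on the whole subscription.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"principalName": "kelly.santana", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "kelly.santana", "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/sales"},
    {"principalName": "glow.bull", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/glow/providers/Microsoft.Compute/virtualMachines/glow-vm"},
]
```

Against a real tenant, feed `broad_assignments` the JSON from `az role assignment list --all -o json`; only Kelly's subscription-wide Contributor grant is reported for the sample above.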