Microsoft Azure

AzureHound (BloodHound) is a Go binary that collects data from AzureAD and AzureRM via the MS Graph and Azure REST APIs. It does not use any external dependencies and will run on any operating system.

Tools: AADInternals

Architecture

Microsoft EntraID

EntraID is an enterprise identity service within Azure (IDaaS – IDentity as a Service), formerly known as Azure AD. It can be used to access external resources (Azure Portal, Office 365) and internal resources (on-premise applications).

  • Tenant: Instance of EntraID representing a single organisation.
  • EntraID Directory: each tenant has a dedicated Directory for identity and access management of resources.
  • Subscriptions: Billing scope. There can be multiple subscriptions in a Directory.
  • Core Domain: initial domain name <tenant>.onmicrosoft.com
  • Hierarchy: EntraID Tenant -> Management Groups -> Subscriptions -> Resource Groups -> Resources.

AzureRM

AzureRM (Azure Resource Manager) is the deployment and management layer for resources in Microsoft’s cloud platform.

  • Azure KeyVault: key and secret management
  • Virtual machines
  • Storage
  • Azure functions

Azure Account Setup

Azure CLI

The Azure command-line interface (Azure CLI) is a set of commands used to create and manage Azure resources.

Installation

sudo apt install azure-cli

Setup

This command will open a web browser for you to log in.

az login

If no web browser is available, use device code flow.

az login --use-device-code

Show details of the current subscription

az account show

Help

az help
az functionapp -h
az functionapp list -h

List of resource groups in Azure

az group list

Azure Functions

Similar to AWS Lambda. Azure Functions has runtimes for JavaScript, Java, Python, C#, F#, and PowerShell (preview). Azure lacks Go and Ruby—otherwise, the language options are very similar.

az functionapp -h
az functionapp list

Azure uses resource groups. Permissions can apply globally but also at the resource group level. So what you may not be able to do at the global level, you might be able to do at a resource group level by specifying --resource-group.

az group list
az functionapp list --resource-group <resource group>

Azure Virtual Machines

Manage Linux or Windows virtual machines.

az vm -h

List VMs in a resource group

az vm list --resource-group <resource group>

Run a command on a VM

az vm run-command invoke -n <VM name> --resource-group <resource group> --command-id RunShellScript --scripts "ls -la"

Using PowerShell, execute a script on a virtual machine.

Invoke-AzVMRunCommand -ResourceGroupName 'function_rg' -Name 'vmdev' -CommandId 'RunPowerShellScript' -ScriptPath 'myscript.ps1'

Testing – Initial Access

Resource-based (AzureRM)

Exploit Cloud resources

  • Virtual machines (VMs)
  • Exploit a vulnerable Azure function with too many permissions:
    • Publicly exposed on the internet
    • Using System Managed Identity
    • Contributor role (primitive role, too permissive) assigned to System Managed Identity over the resource group function_rg
    • Exploit the function with vulnerabilities like SSRF
    • The attacker can use the access token of the Azure function’s System Managed Identity to access the Azure environment, e.g. execute OS commands on the VM (the Contributor role over the resource group function_rg permits command execution on the VM, which runs as SYSTEM) => lateral movement (Azure Function to Virtual Machine)
  • Publicly exposed cloud storage
  • App service
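As an added defender-side example (not part of these notes), this Python script takes the JSON that `az role assignment list --all --output json` returns (a constructed sample is embedded; field names are assumed from the CLI's output format) and reports service principals, such as a function app's system-assigned identity, that hold a primitive role at resource-group scope or wider, which is the over-permissioned setup described in the Azure Functions bullets above.

```python
import json

# Constructed sample of `az role assignment list --all --output json` output. Field names
# follow the Azure CLI's JSON output (an assumption to check against your CLI version);
# the subscription id, principal names and resource names are made up.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "func-app-dev", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/function_rg"},
    {"principalName": "func-app-prod", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/function_rg"
              "/providers/Microsoft.Storage/storageAccounts/funcstore"},
    {"principalName": "alice@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
])

# Primitive (built-in, service-agnostic) roles whose rights span every resource in scope.
PRIMITIVE_ROLES = {"Owner", "Contributor", "User Access Administrator"}
WIDE_SCOPES = {"root", "managementGroup", "subscription", "resourceGroup"}

def scope_level(scope):
    """Classify an ARM scope string: root, managementGroup, subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[0] == "providers":                 # /providers/Microsoft.Management/managementGroups/<mg>
        return "managementGroup"
    if "providers" in parts[2:]:                # /subscriptions/<id>/resourceGroups/<rg>/providers/...
        return "resource"
    if "resourceGroups" in parts:
        return "resourceGroup"
    return "subscription"

def find_overprivileged(assignments_json):
    """Service principals (incl. managed identities) holding a primitive role at a wide scope."""
    findings = []
    for a in json.loads(assignments_json):
        if a["principalType"] != "ServicePrincipal" or a["roleDefinitionName"] not in PRIMITIVE_ROLES:
            continue
        level = scope_level(a["scope"])
        if level in WIDE_SCOPES:
            findings.append((a["principalName"], a["roleDefinitionName"], level, a["scope"]))
    return findings

if __name__ == "__main__":
    for name, role, level, scope in find_overprivileged(SAMPLE_ASSIGNMENTS):
        print(f"{name}: {role} at {level} scope ({scope})")
```

Pipe the real CLI output into `find_overprivileged` to audit a subscription; a function app's identity that only needs one storage account should appear with a scoped data-plane role, not Contributor over function_rg.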

Exploit endpoints

Like a compromised laptop registered in Azure.

  • Pass the cookie
  • Pass the PRT (Primary Refresh Tokens)
  • Office Apps Process with access tokens
  • Azure CLI tokens access
  • User credentials (LSASS)

From On-Premise to Cloud

Joined devices

  • Getting access to joined devices
  • User credentials (LSASS)
  • Azure CLI tokens access
  • Cookie access
  • PRT token access

Identity-based (EntraID)

User enumeration / password spray

  • Valid user enumeration
  • Password spray
  • IP rotations
  • Low and slow approach

Credentials exposure

  • Service Principal secrets
  • Password leaks
  • Token/certificate exposure
  • Code repository

Illicit Consent Grant

Internal or external malicious applications, based on OAuth. The technique is still used but mostly mitigated by Microsoft (attackers now need to target administrators to be granted all permissions).

  • The attacker creates an EntraID tenant in his/her own Azure environment.
  • The attacker creates an application and registers it in the EntraID tenant.
  • The attacker configures the application by adding client secrets, specifying redirect URIs, and assigning delegated permissions to access Microsoft Graph API.
  • The attacker sends a phishing email. The URL link contains a legitimate Microsoft domain.
  • The victim clicks on the link in the phishing email and grants permissions (grants consent) to the malicious application.
  • The attacker receives a valid access token (for 60 minutes) and a refresh token (valid up to 90 days) from the victim’s session.
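Added detection example, not from the original notes: the consent step above leaves a "Consent to application" entry in the Entra ID audit log. This Python parses constructed audit records in the shape of the Graph auditLogs/directoryAudits resource (field names assumed from that schema; the format of the ConsentAction.Permissions string is also an assumption) and lists non-admin consents that granted high-impact delegated scopes such as Mail.Read or offline_access (the refresh token mentioned above).

```python
import json
import re

# Constructed Entra ID audit records in the shape of the Graph auditLogs/directoryAudits
# resource (field names assumed from that schema; the "ConsentAction.Permissions" string
# format is an assumption; all identities and app names are made up).
SAMPLE_AUDIT = json.dumps([
    {"activityDisplayName": "Consent to application", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.onmicrosoft.com"}},
     "targetResources": [{"displayName": "Contoso Helpdesk Sync", "modifiedProperties": [
         {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
         {"displayName": "ConsentAction.Permissions",
          "newValue": "\"[] => [[Id: 1, Scope: openid profile Mail.Read offline_access]]\""}]}]},
    {"activityDisplayName": "Consent to application", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.onmicrosoft.com"}},
     "targetResources": [{"displayName": "Corporate Intranet", "modifiedProperties": [
         {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"True\""},
         {"displayName": "ConsentAction.Permissions",
          "newValue": "\"[] => [[Id: 2, Scope: openid profile User.Read]]\""}]}]},
    {"activityDisplayName": "Add user", "result": "success", "initiatedBy": {}, "targetResources": []},
])

# Delegated scopes that give an app persistent (offline_access = refresh token) or
# data-bearing access in the consenting user's context.
HIGH_IMPACT_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"}

def _prop(resource, name):
    """Decoded newValue of one modifiedProperty (newValue is itself a JSON-encoded string)."""
    for p in resource.get("modifiedProperties", []):
        if p["displayName"] == name:
            return json.loads(p["newValue"])
    return None

def risky_user_consents(audit_json):
    """(user, app, high-impact scopes) for successful non-admin consents worth reviewing."""
    findings = []
    for rec in json.loads(audit_json):
        if rec["activityDisplayName"] != "Consent to application" or rec["result"] != "success":
            continue
        for res in rec["targetResources"]:
            if _prop(res, "ConsentContext.IsAdminConsent") != "False":
                continue  # admin consent is reviewed separately
            m = re.search(r"Scope:\s*([^,\]]+)", _prop(res, "ConsentAction.Permissions") or "")
            hit = sorted(set(m.group(1).split()) & HIGH_IMPACT_SCOPES) if m else []
            if hit:
                user = rec["initiatedBy"].get("user", {}).get("userPrincipalName", "?")
                findings.append((user, res["displayName"], hit))
    return findings
```

`risky_user_consents(SAMPLE_AUDIT)` returns only Bob's consent to "Contoso Helpdesk Sync"; the admin consent and the unrelated "Add user" record are skipped.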

Supply-Chain attacks

  • Compromising 3rd-party tenant
  • Compromising 3rd-party application
  • Compromising service provider account

Device Code

  • Device code phishing
  • Dynamic device code phishing
  • Family of Client IDs (FOCI): use GraphSpy (GitHub). Usually a refresh token for application X cannot be used to obtain an access token to application Y. But in Azure, there is a concept called Family of Client IDs:
    • Microsoft groups certain applications into the same family, allowing them to share refresh tokens.
    • Members of the same family can use their refresh token to request tokens for other applications within that family.
    • Lateral movement between different clients/applications.
  • Primary Refresh Token (PRT) phishing: attack paths:
    • Retrieve session key from LSASS to sign PRT cookie (JWT), requires local admin access
    • Credentials/MFA phishing (refresh token) followed by device registration to obtain the PRT
    • Device code phishing with clientID for Microsoft Authentication Broker. See Azure Device Code Phishing.

Leveraging communication apps

Credentials/MFA phishing

Bypassing MFA and CAP

  • MFASweep
  • donkeyToken
  • Compliant devices

Testing – MS Graph API

The MS Graph API provides broad access to directory data, user data, email, files, O365 environments and even on-premise devices.

Permissions are often misconfigured. Use misconfigurations to move laterally, persist and escalate privileges within an organization, bypassing traditional security measures.

See examples in Azure Device Code Phishing.

  • App Registration: Defines your application’s identity in your EntraID directory/tenant. It has an Application ID and can be set as single-tenant, multi-tenant, or Microsoft-based, linking to its home directory.
  • Service Principal: The identity EntraID uses for the app, also called Enterprise Application for 3rd-party apps.
  • Enterprise Application: Refers to the instance of the app within a tenant, linked to the App Registration’s Application ID but with a unique Object ID for that specific directory.

Permissions:

  • API permissions: privileges granted to an EntraID Application through a specific API (e.g. MS Graph, KeyVault, Intune, etc.)
    • Application permissions: represent the full privilege level of the application itself, independent of any user. E.g. an app with the Mail.Read application permission can access and read the mailboxes of every user in the organisation.
    • Delegated permissions: permissions granted by users to applications (scopes in OAuth2), enabling them to access resources on behalf of the signed-in user. The app only has access within the context of the currently logged-in user: effective access is the least privilege of the delegated permissions granted to the app (by consent) and the privileges of that user.

Dangerous permissions:

  • RoleManagement.ReadWrite.Directory: enables the application to promote any principals (users, groups, service principal) to any directory role in EntraID, including Global Administrator or Privileged Role Administrator.
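Added example, not part of the original notes: a Graph access token carries application permissions in its roles claim and delegated permissions in its space-separated scp claim. This Python decodes a token's payload (constructed, unsigned demo tokens are built inline; the app id is made up and no signature check is performed) and flags any permission from the dangerous list above.

```python
import base64
import json

# Application permissions travel in the "roles" claim of an app-only token; delegated
# permissions travel in the space-separated "scp" claim of a user token. This inspects the
# payload only (no signature verification) to see what an issued token actually grants.

# Entries from the "Dangerous permissions" list above; extend as that list grows.
DANGEROUS_PERMISSIONS = {"RoleManagement.ReadWrite.Directory"}

def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)   # restore the padding JWTs strip
    return base64.urlsafe_b64decode(segment.encode())

def token_permissions(token):
    """Classify a Graph access token's permissions as application or delegated."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    if "roles" in payload:                    # app-only (client credentials) token
        kind, perms = "application", set(payload["roles"])
    else:                                     # user token: scopes are space-separated
        kind, perms = "delegated", set(payload.get("scp", "").split())
    return {
        "kind": kind,
        "aud": payload.get("aud"),
        "app_id": payload.get("appid"),       # v1.0 token claim; v2.0 tokens use "azp"
        "permissions": sorted(perms),
        "dangerous": sorted(perms & DANGEROUS_PERMISSIONS),
    }

def _unsigned_demo_token(payload):
    """Constructed, unsigned JWT for the demo (real tokens are signed by Entra ID)."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(b'{"alg":"none","typ":"JWT"}')
    return header + "." + enc(json.dumps(payload).encode()) + "."

# Constructed tokens with a made-up app id; claim names follow Entra v1.0 access tokens.
APP_TOKEN = _unsigned_demo_token({"aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000001",
    "roles": ["Mail.Read", "RoleManagement.ReadWrite.Directory"]})
USER_TOKEN = _unsigned_demo_token({"aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000001",
    "upn": "alice@contoso.onmicrosoft.com", "scp": "User.Read Mail.Read offline_access"})

if __name__ == "__main__":
    for label, tok in (("app-only", APP_TOKEN), ("user", USER_TOKEN)):
        print(label, token_permissions(tok))
```

Mail.Read in the app-only token applies to every mailbox in the tenant, while the same name in the user token is bounded by Alice's own access.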