Introduction To Azure Penetration Testing by Nikhil Mittal

Captions
hi everyone please make sure that you write all the questions only in the discord channel i would be able to look at only that so let me tell you that once again just getting the invite link all right so please go and ask some questions once again only on the discord uh let me in fact disable the zoom chat so that there is no confusion so this is introduction to azure penetration testing the session starts in 20 minutes i can take questions meanwhile some questions that i could already see are so let me address those questions first now the first one is of course is there a session recording yes there is a session recording uh we will upload this as soon as we get it from zoom after the session ends another question that i got was what is the period of the lab access so we have designed it in a way that everyone can access the lab at any time so um yeah you would be able to access the lab whenever you want and there is no limit on on the period i mean uh in in my opinion usually students who at least complete the lab once and get the completion certificate i would not be interested in accessing it anymore but feel free if you want to let's say try some tools some enumeration tools or anything like that please feel free to try it again right a question is how to enumerate the legacy applications in azure ad so i believe the question is for of any if there are any legacy applications hosted in azure i believe so there are different ways you can post applications in azure you can use application proxy to expose your on-prem legacy applications to your azure users your azure ad users so i believe the question is for the applications that are hosted on azure using let's say app service so for that you can use tools like let's say microburst so all a lot of services in azure need to have a globally unique endpoint same goes for your app services so if you know the name of the tenant then you can actually go for sub draw subdomain brute forcing to check if there is any 
application that is accessible right so a comment is not a question but just wanted to thank you for giving us this opportunity to follow it now follow the introduction for me no worries thanks thanks a lot thanks a lot that's so nice of you to say that another question is are we going to see today uh red team in azure or penetration testing of applications in azure no not applications i mean we will abuse enterprise application a bit but as far as the web app stuff is concerned in azure that's nothing that we are going to cover today how long will we have once again how long will we have access to the lab today that's a repeat question so we have designed the labs in a way that there is no need to limit for everyone so we would have access to it forever i mean that is at least the plan currently but if let's say we we do have a limited capacity of course so if we peek through our capacity and probably in a month or so or in couple of weeks i mean i have no idea how popular this would be but if we peek through our capacity then probably we'll start removing access for those who have let's say have the completion certificate i mean i do have an idea how popular this is we have close to i believe i do not have the exact numbers but i think 5000 professionals now who have registered for this so it's pretty popular thanks so but there is no idea of limiting lab access for everyone unless we peak some limit where can i find the lab links oh there is no lab link as per i mean now see how i'm abusing the target environment and that's what it is i mean it is reachable over the internet currently i have um limited access to them i have restricted the access to it so that once i've demonstrated it then i'll open it up for all of you right now it is limited only for my ip that's my only my ips are able to access it another question is where is the meeting link so now as i was saying we planned this initially for 500 users 4 000 users showed up so we bought to 1000 and what we 
have right now is this webinar the current one this class i mean it is a zoom webinar so this class has a limit of one thousand but all of you would who register or who have registered or you who will register a vote register in future you will get access to the recording and of course access to the lab as well so yeah any other questions i want to keep talking so that the recording doesn't [Music] sound i mean there is no need for anyone to skip stuff there should not be a silence in between that's what my goal is a very good question mfa and azure punishment penetration testing any tactics to bypass mfa it depends a lot on how mfa is enforced on the users let's say if it is enforced on all the users by default then there would and it depends on what is the type of abuse you are looking at so some common use cases are to bypass mfa is one if you have at least a low level privilege access that for a user that does not have mfa configured for them then you can see if there is a break class or an emergency account there would always be one at least one it is recommended if there is one any such account that does not has mfa enabled that's one in some cases if conditional access policies are used to enforce mfa then you can try stuff like logging into the machine in the from an ip that is in the geographical location of the target organization of the tenant using vpns in in some cases vpns are also useful for that in some rare cases not rare cases in some cases you may also be able to avoid or bypass a conditional access policy that is enforcing mfa by playing with user agent strings finally the best one is if you can have access to the credentials of a service account that is a service account a service principle actually that is an enterprise application in azure ad if you can get access to that that is the best way a question another question is are we going to learn how to attack any virtual machines in azure no what we are going to cover are the resources that we 
are going to have a look at are of course azure ad i mean users and groups are because they are part of azure id then we will have a look at storage accounts uh keywords enterprise applications and dynamic groups and anything in between that is what we are going to look at so i wanted to cover actually a lot more at least not a lot more a couple of more resources but it would be harder for us to one fit all of it in a single session and second to scale it up could be an issue this is i believe is pretty uh resilient to the scale that we are where we are running it so that's what we are going to cover is the content today part of the the ca rtp certification i mean this is an introduction class so yeah yes and no i mean the introduction is some of it i've taken up from that class i mean just a few slides or you should say well just one topic because it is an introduction it applies to everything including crtp so that's the answer another question or comment is hope we can learn some types of initial access gaining in azure environment yes we do actually start with that i mean after discovery and recon we do cover one of the methods but there are so many methods uh we call one of it glad to see you too next time uh tractor about the zoom link as i was explaining we mailed it to the first 1000 registrants couldn't uh bump up the limit more than that okay and i answered a question on that was about zoom on zoom so yeah someone please point them to the announcements any chance chance to talk about jit and jea both all these i mean they are applicable to azure vms je is applicable to powershell remoting so that is something that we are not going to cover just in time access if you are talking about the microsoft defender for cloud just in time access that is also something that we are not going to talk about how long will the session last i mean i think it should be three hours but it's not a hard deadline if if i finish early then the session finishes earlier if i take 
more time then the the session ends later so really i do get such a freedom to decide it on my own so i'm going to abuse this one thanks for sharing that man if a user account has not been assigned to a subscription does this have an impact on the tooling oh yes unfortunately as you would see even in case of microsoft's own tools like like let's say ac powershell if you connect to a tenant using an account that has absolutely no privileges on the subscription the ac powershell tool has no graceful way of handling that and you'll simply get an error that subscription dot something cannot be known that's an error that you get so yeah it it does have an impact on not really an impact but the even microsoft's own tools are not able to gracefully under that another question is any bypassing technique for azure sentinel so sentinel i would say is it's the it's right in the middle of what microsoft has in terms of security in in azure so it can work as a scene device for a seam service for example that it consumes logs from all of your machine resources on azure off azure and so on and then can have alerts so nothing specific to sentinel of course but if you are specifying a target service and you bypass logging on that one then it is a central bypass as well i mean at least for that particular resource if you look at these sentinel as the connected scene which may have the capability to let's say see your activity across the resources then it is really hard unless you take care of op second when compromising each and accessing each and every resource including azure id any plans for the expert level azure certification yes i mean something or the other comes up otherwise i was planning it to be out in january but still i think quarter one 2022 is still when we would be able to do that another question is how is azure 80 pen testing different from the normal ed pen testing we see from courses like let's say crt and basis a lot a lot different one i can tell you that 
microsoft's focus in terms of security is absolutely on azure and nothing else so when your pen testing or penetration testing and azure environment there are a lot of interesting things you would probably uh one thing you could be pretty sure of if you talk about uh let's say cloud only resources you're not going to find out anything that is super outdated unless microsoft itself pushes that uh in addition to that you are also going to see a lot of services that uh that were never supposed or that should not be supposed to the uh that should not be exposed to the internet unless there is an absolute need of that so you can find some interesting services like even file shares uh you can have smb file shares using storage accounts for example however the access is pretty restrictive so it is it is a lot different a lot different i mean the basics are of course same the for example the kill chain or the attack life cycle that we are going to use is still initial access and then enumeration privilege escalation literal movement and so on but that's where the similarity ends on-prem is a is an kerberos authentication based environment this is oauth so two different points if a user within the ad environment had been assigned an azure vm can an attacker interact with the vm using ac powershell or other powershell tooling okay so the question once again i have to reread it to understand it again if a user within an on-prem environment has been assigned an azure vm as indicated by bloodhound oddly specific can an attacker interact with the vm using ac powershell or any other partition tooling so yes if i mean the answer depends on what would what are the privileges that the attacker has with vm contributor or any other privileges that allow allows the attacker to have the capability to run commands on the vm yes uh an attacker can use the runs api or commands like invoke ac vm run command from ac power shell to interact with it so yes they can all right any other question 
there is a question can you explain few important points points regarding exploitation on multi-tenancy in azure aiding what is multi-tenancy in azure so we need more info more information this one connection dropped i mean i don't think so i mean i can still access stuff okay let me okay i can listen all right any other question another one is how we would do pen testing for azure databases there are multiple of them which one are you talking about cosmos or sql server service in azure or a vm in azure that has sql server installed or any other so i mean if you're talking about let's say the regular databases on a vm in azure so your approach would be the same as for any other database let's say if it is a sql server on a vm in ipm check if you have any privileges to extract information if you have says admin privileges you can let's say go ahead and run commands and so on any interesting experience on red teaming in a multi-cloud environment oh yes i mean the most interesting part that i have observed is usually organizations even though that are multi climbing in my experience when i have uh tested multi-cloud environments uh organizations would have a favorite cloud probably because of their expertise or in a favorite on a favorite topic let's say there would be an organization who would run all of their applications on in google cloud in app engine then their linux vms would be running on aws their azure vms would be running on let's excuse me on azure so a lot of times i've seen that many organizations use a particular cloud is let's say sort of a primary cloud that is i have seen organizations using azure automation account to manage stuff across the cloud so there are some interesting cross cloud lateral movement in such cases uh the last question that i'm going to pick up before starting the session is does the majority of world companies use azure ad that is at least what microsoft claims that 95 percent of fortune 500 companies use azure 80 so yeah if 
you trust that then yes they do i mean yes they they do i never just connect they do they do a lot of organizations use actually all right so now i can start the session so okay you want to see things okay so let's start the session formally now hi everyone thanks a lot for joining me for introduction to azure penetration testing i'm your trainer for this class nikhil mitra so a few things about me you can find me on twitter as nikhil underscore mit and the founder of altered security we are a rugby platform and education company for enterprise security so you can check check us out at alteredsecurity.com i'm the creator of red team labs at pentester academy pretty popular very big labs i mean in both in case of number of students that we have there and the number of attacks that are executed daily there you can find me on github i'm samarata show on github i'm the creator of nishang deploy deception based toolkit and a few more that help both the red and blue teams in with their daily jobs so i'm interested in offensive information security methodologies to break into the into machines and systems where i have the privilege of the authority to do so that is permission to lose um my research on active directory security and azure security those these two things are not very tightly coppered as you as you may like to believe but these two things are i'm pretty interested in i've previously spoken multiple times at defcon main stage at defcon villages multiple versions of black hat i regularly train at brucon and uh some other conferences i mean uh my first talk i if i recall correctly was back in 2010 so yeah i've been doing this for more than a decade now so what are we going to cover today uh we'll see what is introduction of what is azure what is azure ad we'll see how we can discover services and applications and whatsoever from azure without having any privileges then we will see one of the various methods of initial access then comes the enumeration and 
authenticated enumeration that is if you have the privileges of a user if you have the credentials of a user or a service principle or any security principle in azure id what is the information that you can extract then we will see how we can escalate privileges finally the lateral movement please keep in mind that we are going to discuss only one method of each type right so make sure that i mean there are so many methods of extracting i'm not expecting predictions just from for all of these uh methods there are multiple ways of doing that just give me a second so whoops the question that i someone just messaged me let me yeah the question was and someone asked it on the discord as well now what will be the lab extension like when it expires uh so there is no lab expiry that we are going to enforce here uh as you would see the lab is we have designed it in a way that once you have done it one time then there would be no need to do it again if you want you can go ahead and do that but we do not expect i mean there is no no lab expiry unless we peek out will reach some limit so what is the philosophy of the class why am i even doing this right so what i understood from running the so we i've been teaching active directory classes for close to eight years now active directory security classes that is how to break in how to secure it etc i've been doing that for uh i think eight or nine years now so yeah it's almost 20 22 so it's nine years now and azure classes i believe for three three and a half years now so what i have observed is there is a huge demand of professionals who can secure azure right in my classes a lot of time professionals ask okay do you have anyone who you can recommend who knows azure security partially this is the case because there are a lot of point and click tools when it comes to active directory security azure has not reached there yet i mean microsoft is trying to do that but azure has not reached that yet so that's that's one of the cases 
second if you look at the public knowledge base let's say of active directory that is on-prem security there is a lot of free and paid training and information available there are a lot of there is an existing set of knowledge that you can simply tap into and do your stuff i mean that is so you can actually learn it for free you can learn after paying there are some interesting certifications and so on but when it comes to azure you would see that there are there is a super lack of an interesting hands-on learning material if you look at let's say any of the the training events that goes on in let's say in vegas or anywhere else you would see that there is even in even for those super super priced classes you would see there there would be only a hands-on for cloud and even smaller one dedicated to azure now one very unique thing about azure is hybrid identity that is microsoft provides way for organizations to provide a single identity for their own pro for their clients to have a single identity for on-prem infrastructure and azure infrastructure now because of that the acceptability or the usage of azure is pretty high but whenever i would let's say for if i'm taking interview let's say for my organizations one thing i that i always realized was there is a severe lack of a base knowledge level when it comes to azure security the max of that i would see is the ability to break into let's say web applications hosted on azure that's where it stops so that is why and and in addition to that i could see a lot of people i mean and that was absolutely not the main reason of this but yeah always good to uh pin down uh the the child dance all the time right so i could i when i started doing some azure classes publicly with pentester academy i saw that there were some cheap copy of those courses available on some websites so i said why not let's say put out a class that in my opinion is hands-on high quality although i leave that to you to decide and of course free so 
that at least the the copycats are removed from the same and everyone can at least get some quality material free of cost in addition to that as i said there are some pretty good classes that's in in vegas events on on cloud security let's say but that's simply not affordable for everyone i mean to for not affordable for almost anyone if their organization is not paying for it so in this cloud class it is our attempt as an organization from all security to help students specifically pointedly's students then of course junior security professionals or anyone else to break into azure security so i'm not going to cover everything i'm not going to make you an expert in azure security in a single three or four hour session but what i want you to understand from this one is there are a lot of interesting things in azure that you can learn with the help of this class understand that you can learn a lot from microsoft's on documentation and you would at least be able to search for stuff in a more educated way if after after looking at this class for example you would know that okay there are some initial access methods uh in azure i've seen one of it let's see what other things are there so that's that's the philosophy of the class that is why i came up with this right and nothing other than that right i've i've been burning my weekends for past one month already or for weekend classes so yeah that's why this class is now how do you use the course content so what you would have access to on on the lab portal is you have access to the session recording lab prerequisites document lab manual and then always on live lab environment so you can access the lab portal here on this url so this is what it looks like so this would be your home page you can go to the lab requisites document to check what do you need to access the lab you can either download a windows vm if you do not use windows and set it up set up some stuff on this so what do we actually need from you or the tools 
that you would need are the ac powershell azure id and access to a free direct to invite a guest that is all that you are going to need nothing other than that no need to have a credit card let's say or to have a high-end machine once again as i said i'm targeting specifically students for this one and more so and uh no shame in accepting that more so students from low or middle income companies are sorry countries right i'm from india and when i was a student and by god's grace i'm not i'm i was from and i am from a welcome family still as a student i saw that there was if i later on when i compared that to uh from my fellow professionals from the high income countries i saw that there is a severe lack of resources that we have at our disposal when we are trying to break into industry so please use this opportunity do not abuse this opportunity but utilize it to the maximum so this is what you are going to have access to you would have lab prerequisites here then you have this access the course coming soon because the recording is not available yet right we are right now in the middle of the session then if you go to the lab manual you have the lab manual step-by-step documentation with screenshots of how you can access and address the target environment right now this minute i've limited the access to the initial access method for my ip so that we do not hit any throttling from microsoft right now then you have some faqs and finally uh the completion certificate where you have to submit 10 flags and then you will get your course completion certificate and a badge from badger and then there is some simple entities of course right i need bread too so that's what you have in the lab total please make sure that you set up the attacker infrastructure that is either a vm or a windows machine and a tenant as per the lab prerequisites before attempting the lab and this is on discord channel this is specifically for those who would see this video somewhere else so this is 
our discord channel we welcome everyone who follow rules in our discord channel all right now some word of question words of question please make sure to double check that you do not end up attacking any other organization standard then the target retail corporation that is retail cop microsoft.com so please make sure uh please check what are you targeting right do not end up attacking someone else's infrastructure and you are or you want to be an information security professional not a criminal do not even if your intentions are in the right place do not test or attack infrastructure or applications beginning to an organization where you are not explicitly authorized to do so right it looks cool it sounds cool in movies and novels to be to be a criminal right i mean i don't want to say use the word cyber criminal but yeah don't do that right you can make enough fame you can make enough money you can have a very good recognition without being a criminal please keep that in mind now please no then and this is for me this class teaches you to assess security of an organization with proper authorization and condition i'm not going to i'm not encouraging you to break into the environments where you do not have the permission to do so so now let's start what is azure azure is microsoft's cloud computing platform just like aws from amazon and gcp from google and many more i mean these three are just not only these three cloud environments there are many more environments now azure has more than 200 products and cloud services and expanding right microsoft claims that 95 of fortune 500 companies use azure for cloud services so that's what azure is microsoft's cloud computing platform what are the services in azure so if you look at this diagram from microsoft's documentation there are so many services in azure right please always note that especially for beginners people when people think of azure we think of azure 80 please think that azure ed is just one of the services 
in the security and management or identity management category in azure there are so many services there are compute services that include vms kubernetes containers there are data services that includes your sql servers your cosmos dp etc intelligent services application platform that have your web apps app services mobile apps apis and whatnot your storage in these are all platform services in infrastructure services you have compute where you have virtual machines storage accounts different types of storages networking and so on so this is just one of them and this is what azure looks like look at it this way that there are platform services there is security and management there is hybrid cloud and then there are infrastructure services all right so what are some of the categories in compute that contains vms kubernetes containers function apps or azure functions networking that contains v-net vpn gateway load balancing cdn [Music] identity identity contains azure ad or azure active directory aad domain services storage like blob file queue table etc databases bad iot big data ai cd and devops and so on so this is what azure services are and this also means that you look at the breadth of azure i mean you would not find a lot of organizations using all of these or most of these services mostly what you would find organizations using are compute services i mean of course there are organizations that use at least one of these services that's why they are there but you would usually find organizations using compute networking of course always identity at least as your id that is for sure because that is the basis of identity management in azure you cannot access an azure environment without at least once touching azure ad storage probably web databases in some cases mobile as well so this is where many organizations would be limited to one of the services or multiple of the services in these categories once again depending on the type of industry some organization 
may be very involved in this one or in this one or something else so now azure when we talk about azure it is not a single cloud i mean basis basis is single the basic cloud is simple single but there are different versions depending on different markets so there is the public azure cloud the one that we are going to use that is accessible using portal.com then there is one that is specific for the us government then there is one for the chinese government and then there is one for german so these all are usually for keeping the user data in their own in their own territory that's that's the basic reason what could be anything else as well i mean that's what i know about this now there are different regions uh geographically spread let's say there would be some data center location that is regions in the us some in you know some in india some in australia in japan singapore when i say europe then there is there are in france uk germany switzerland and so on so these are clouds and regions in action now if we talk about aad azure active directory this is if i quote from microsoft's documentation this is microsoft's cloud-based identity and access management service that is if you want to access any resource in azure then your id if and if if it requires any sort of authentication or authorization then lgd would be involved microsoft proposes aed as identity as a service solution that and when i quote from microsoft documentation that spawn all aspects of identity access management and security i encode now azure id can be used to access both and that both depends on the type of setup external resources like azure portal office 365 etc and internal resources like on-prem applications now azure ad provides secure remote access for ad integrated apps devices and identity governance for areas so think of the aed or azure ad as something like this it is the identity and access management solution in the cloud and your on-prem applications your on-prem ad devices users 
business partners and so on in the public Azure cloud can have interoperability thanks to Azure AD. Now, as I said, even with all of this discussion, beginners in Azure still get confused between Azure AD and Azure, so please keep this in mind: Azure AD is not Azure. It is just a product offering or service within Azure. Azure is Microsoft's cloud platform, whereas Azure AD is its enterprise identity service. So please always keep that in mind.

One more thing that I would like to clarify right away, because it is a question I get all the time: what are the similarities between Azure AD and on-prem AD? I would say the only similarity between the two is that both are identity and access management solutions and, of course, both come from Microsoft. That's it. There are some similar terms, things look similar, and thanks to hybrid identity it looks like they can be very conveniently integrated. Yes, they can be, but these two are different worlds. On-prem AD works on Kerberos, Azure AD works on OAuth. When you talk about authentication, thanks to backward compatibility and hybrid identity, there are some interesting things where the line looks blurred, where the distinction is not absolutely clear, but I would say do not look at Azure AD through the lens of on-prem AD. That would immensely help you in grasping Azure AD on its own; you will understand that this is not something that is confined to an environment.

Please always keep this very important thing in mind: when we talk about on-prem AD, if it is a real infrastructure, that is physical servers, you at least have physical access to stuff. This is super important. It may sound funny, but those of you who have been involved in enterprise incidents will relate to this. In the case of on-prem AD you at least have either physical access, if it is a real infrastructure like a brick-and-mortar data center, or you would have a god mode thanks to virtual machines. But in the case of Azure AD there is nothing like that. If you lose access to your tenant, or an organization loses access to their tenant, unfortunately they would be at the mercy of Microsoft support to get it back. And I say mercy because they deal with such cases every day; your infrastructure would be your top priority, not the top priority of Microsoft, unfortunately. Nothing against Microsoft here, but that's how it works.

Another question that I get all the time about Azure AD is: can we think of Azure AD as directory services in the cloud, that is, is it a domain controller in the cloud? Absolutely not. Azure AD is not directory services in the cloud; it is not your domain controller as a service. The domain controller as a service part, that is, if you want to pick up your on-prem domain controller and put it in the cloud, that service is Azure AD Domain Services, not Azure AD. However, it is possible to integrate on-premises with Azure AD for a hybrid identity, and that stuff is the stuff of nightmares, I would say. If you are using hybrid identity and your Azure AD Connect server is compromised, then you can kiss goodbye to both your on-prem infra and your cloud infra. But that is something else, and of course that is something that we are not going to discuss today; today we are going to discuss a cloud-only environment. If you would like to look at an official comparison between Azure AD and on-prem AD, you can check Microsoft's documentation.

Now let's take a look at some of the terminology of Azure. There would be a tenant; you will always hear the word tenant. What is it? It is an instance of Azure AD and represents a single organization. So, for example, the tenant that we are going to target is RetailCorp. Then there would be an Azure AD directory; each tenant has a dedicated directory. This
is used to perform identity and access management functions for resources. Then there are subscriptions. Subscriptions are used to pay for services; there can be multiple subscriptions in a directory. Subscriptions also work as a logical and billing boundary for different resources. There is the core domain as well: this is the initial domain name, for example tenant.onmicrosoft.com. For our target organization this is retailcorp.onmicrosoft.com. You can of course go ahead and define custom domains as well.

All right, now let's have a look at the Azure architecture. A question I can see is: will we have access to the slides? Nope, unfortunately not. So, coming back to the Azure architecture: when we talk about access there are four levels within a tenant. I would not put the tenant on top of this, I mean you can if you want to visualize it like that, but I would say within a tenant there are four levels for access to resources. There would be management groups, if there are multiple subscriptions, then the subscriptions (this image is taken from Microsoft's documentation, I have not created it), then there are resource groups and finally resources.

So what are management groups? These are used if there are multiple subscriptions: you can use a management group to manage all of them. Please note that all the subscriptions inherit the conditions applied to the management group. As you might have guessed, access control works this way: anything that is applied on a management group is inherited by subscriptions, then it is inherited by resource groups, then it is inherited by resources and so on. This also means that, let's say, if there is a user who has a highly privileged role, let's say an Owner role here, they would be an Owner here as well, in both the resource groups and all the resources. So please always be careful when you're assigning permissions, especially at, let's say, the subscription level or even at the resource group level. You can have a management group in the hierarchy below another management group, so you can have, let's say, another management group above this, and then there could be multiple management groups below it, and so on. There is always a single top-level management group called the root management group for each directory in Azure, and please keep in mind that any Global Administrator can always escalate to the root management group. More on Global Administrators later.

Now, what are subscriptions? Think of a subscription as a logical unit of Azure services that links to an Azure account. An Azure subscription is a billing and/or access control boundary in Azure Active Directory. A tenant or a directory may have multiple subscriptions, but each subscription can only trust a single directory, and, as I said earlier, any role applied at the subscription level applies to all the resources within the subscription. So how do you have resources within a subscription? There are resource groups. What do resource groups contain? Resource groups contain resources. What are resources? Deployable items like a virtual machine, an App Service, a storage account, a Key Vault or any other Azure piece. An Azure resource must be inside a resource group; think of it as a container, a folder, a box. There is a reason why it is designed as a box: it acts as a box that holds inside it all of the resources that belong to that particular resource group. Please note that all resources must be inside a resource group and can belong to only one group. If a resource group is deleted, all the resources inside it are also deleted. Let me answer this question on Discord very quickly: a resource group has its own identity and access management settings for providing role-based access. It inherits the roles from the subscription, and of course you can assign roles at the resource group level as well. Now, when we
talk about roles that can be assigned, what are these roles? These roles, or Azure RBAC roles, provide access management for Azure resources using the ARM (Azure Resource Manager) authorization system. There are more than 120 built-in roles; if you trust permissions.cloud there are more than 300 built-in roles, and of course you can define custom roles as well. There are four fundamental Azure roles. Owner, as the name suggests, has full access to all resources and can add access for other users or security principals. Contributor has full access to all resources but cannot add access for others. Reader can view all resources. User Access Administrator can view all resources and can manage access for other users, but does not have full access to all the resources. All right, so that's what Azure roles are.

Now, how are roles assigned? The easiest way to understand that is: you have an Azure AD object, or principal, that is a security principal from Azure AD. What could be a security principal? A user, group, service principal or managed identity, any such object. So what we are discussing here is the assignment, that is, how roles are assigned: a security principal, that is an Azure AD object, has a role on a scope. What is an object? A user, group, service principal or managed identity. What is a role definition? A role definition could be Owner, Contributor or Reader, that is the basic roles, or roles specific to resources, like Security Reader or Virtual Machine Contributor on VMs, etc., or it could be a custom role. Where do the objects have this role? On a scope, and a scope could be a management group, a subscription, a resource group or a resource. So this is how Azure AD objects access Azure resources, and this is very important to understand, because I have seen seasoned penetration testers and security administrators still getting confused about it. Always think of this: Azure AD has no resources, it only has principals. As far as access is concerned, all the resources are in Azure. When I say this, that Azure AD does not have any resources, the first question that should come to your mind, the one that we are answering here, is: then how do users access resources? This is the answer to that question. How do users or service principals or groups access Azure resources? This way: each user, group, service principal or managed identity, if they have any role on an Azure resource, would have access; otherwise they won't. That is as simple as it could be. All right, so this is what an Azure RBAC assignment, or role assignment, is.

Now let's take a look at a simple breakdown of these three things. What is a security principal? An Azure AD user, group, service principal or managed identity; that's what a security principal is. What is a role definition? In super simple terms, a collection of permissions, that is, what you can do on a resource and what you cannot do on the resource. For example, can this user run commands on this virtual machine? Where is it defined? In the role definition. So the role definition may define that this user can read the virtual machine, that is, there is a virtual machine, this is the location where the virtual machine is hosted, is it a Windows Server or a Windows client or a Linux machine, etc. That is what the user can read. But can the user execute commands there? Either the permission is not listed, in which case the user would not be able to do that, or there is an explicit deny for it, and even in that case this user would not be able to access it. Then comes the scope: the resource where the role is applied. Recall our discussion on scope levels: at the top we have management groups, then subscriptions and resource groups, and then finally resources.

So, for example, here in our lab environment, I just want to show you a resource, just give me a second. Here, let's say in our target environment, if we take a look at this storage account called retailcorp and take a look at its IAM, that is its access control, you would see that there are a couple of role assignments for the user retailadmin that are inherited from the subscription. What does that mean? This means that the user retailadmin would have Key Vault Administrator and Owner privileges on the subscription "lab", whereas a group called VM Admins has a role called VM Storage on the current resource. So this is how permissions flow in Azure.

Now, another interesting topic when we talk about Azure architecture is ARM, Azure Resource Manager. It is the client-neutral deployment and management service for Azure that is used for lifecycle management. What is lifecycle management? Creation, updating and deletion of resources, and also access control of resources. So Microsoft treats ARM as a security solution. ARM templates can be used for consistent and dependency-defined redeployment of resources. ARM templates are JSON files that you can use to deploy resources consistently. The idea behind this, or behind any infrastructure-as-code service, is that if you have a consistent template-based deployment, the chances of misconfigurations in deployments are reduced. So that is what ARM does as well.

Now, we briefly touched on managed identity here, I mean we mentioned it. So what is a managed identity? Azure provides the ability to assign managed identities to resources like App Services, Function Apps, virtual machines and so on; there are a lot of services that can be assigned a managed identity. A managed identity uses Azure AD tokens to access other resources, usually Key Vaults, storage accounts, etc., that support Azure AD authentication. You can think of a managed identity as a service principal of a special type that can be used with other Azure resources.
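Editor's note, an added example that is not code from the session or its lab manual: the three pieces just described (security principal, role definition, scope) can be written down as a small evaluator, which makes the inheritance rule and the Owner-versus-Contributor difference concrete. Python is used for all added examples on this page (it is also the language of ROADrecon). Everything in it is constructed for illustration: the subscription id, the principals, the resource names and the custom role "VM Storage"; the four fundamental roles are abridged from the documented built-in definitions, and the deny list is a simplification of Azure deny assignments.

```python
"""Added example (editor's code, not from the session or its lab manual): a small
model of how Azure RBAC answers "may this principal do this action here?" using
the three things discussed above. A security principal (directly or via group
membership) holds a role definition (Actions minus NotActions, '*' wildcards)
on a scope, an assignment is inherited by every scope below it (management
group -> subscription -> resource group -> resource), and an explicit deny wins.
Built-in roles are abridged from the documented definitions; 'VM Storage',
the principals, the subscription id and the resource names are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# role name -> (Actions, NotActions), the shape of an ARM role definition
ROLE_DEFINITIONS = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "Reader": (["*/read"], []),
    "User Access Administrator": (["*/read", "Microsoft.Authorization/*"], []),
    "VM Storage": (["Microsoft.Storage/storageAccounts/read",          # constructed custom role
                    "Microsoft.Storage/storageAccounts/listKeys/action"], []),
}

def _matches(action, patterns):
    return any(fnmatch(action.lower(), p.lower()) for p in patterns)

@dataclass
class Assignment:
    principal: str      # user, group, service principal or managed identity
    role: str
    scope: str

@dataclass
class Tenant:
    subscription_mg: dict       # subscription id -> management group
    mg_parent: dict             # management group -> parent, None at the root
    assignments: list
    group_members: dict = field(default_factory=dict)   # group -> {principals}
    denies: list = field(default_factory=list)          # (principal, action pattern, scope)

    def scope_chain(self, scope):
        """Every scope containing `scope`, outermost first, `scope` itself last."""
        segs = scope.rstrip("/").split("/")           # ['', 'subscriptions', id, ...]
        if len(segs) < 3 or segs[1].lower() != "subscriptions":
            raise ValueError("only subscription-rooted scopes are modelled")
        mgs, mg = [], self.subscription_mg.get(segs[2])
        while mg is not None:                         # climb to the root management group
            mgs.append(MG_PREFIX + mg)
            mg = self.mg_parent.get(mg)
        chain = list(reversed(mgs)) + ["/".join(segs[:3])]
        if len(segs) >= 5 and segs[3].lower() == "resourcegroups":
            chain.append("/".join(segs[:5]))
        if len(segs) > 5:
            chain.append(scope.rstrip("/"))
        return chain

    def identities_of(self, principal):
        """The principal plus every group it belongs to, transitively."""
        seen, todo = set(), [principal]
        while todo:
            p = todo.pop()
            if p not in seen:
                seen.add(p)
                todo.extend(g for g, members in self.group_members.items() if p in members)
        return seen

    def effective_roles(self, principal, scope):
        """Roles held at `scope`, directly assigned or inherited from above."""
        ids, chain = self.identities_of(principal), {s.lower() for s in self.scope_chain(scope)}
        return sorted({a.role for a in self.assignments if a.principal in ids and a.scope.lower() in chain})

    def is_allowed(self, principal, action, scope):
        ids, chain = self.identities_of(principal), {s.lower() for s in self.scope_chain(scope)}
        for p, pattern, deny_scope in self.denies:    # a deny anywhere up the chain overrides
            if p in ids and deny_scope.lower() in chain and _matches(action, [pattern]):
                return False
        for a in self.assignments:
            if a.principal in ids and a.scope.lower() in chain:
                actions, not_actions = ROLE_DEFINITIONS[a.role]
                if _matches(action, actions) and not _matches(action, not_actions):
                    return True
        return False

# Constructed lab-like tenant, mirroring the IAM blade above: Owner at the
# subscription flows down to everything; the VM Admins group has a custom role
# on one storage account only.
SUB_ID = "11111111-2222-3333-4444-555555555555"
SUB = "/subscriptions/" + SUB_ID
RG = SUB + "/resourceGroups/retail-rg"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/retailcorp"
VAULT = RG + "/providers/Microsoft.KeyVault/vaults/retailcorp-kv"

LAB = Tenant(
    subscription_mg={SUB_ID: "lab-mg"},
    mg_parent={"lab-mg": "root-mg", "root-mg": None},
    assignments=[Assignment("retailadmin", "Owner", SUB),
                 Assignment("auditor", "Reader", MG_PREFIX + "root-mg"),
                 Assignment("devops", "Contributor", RG),
                 Assignment("VM Admins", "VM Storage", STORAGE)],
    group_members={"VM Admins": {"vmoperator"}},
    denies=[("vmoperator", "Microsoft.Storage/storageAccounts/listKeys/action", RG)],
)

if __name__ == "__main__":
    print(LAB.effective_roles("retailadmin", VAULT))   # ['Owner'], inherited from the subscription
    print(LAB.is_allowed("devops", "Microsoft.Authorization/roleAssignments/write", STORAGE))  # False
```

The point to take from running it: retailadmin never appears in any assignment on the Key Vault, yet is Owner there because the assignment at the subscription is inherited; the Contributor at the resource group can create VMs but is stopped from writing role assignments by the NotActions entry; and a principal that only has a role on one storage account gets nothing on its neighbour in the same resource group.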
Managed identities can be of two types: system-assigned, which are tied to a resource and cannot be shared with other resources, or user-assigned. A user-assigned identity is independent, has an independent lifecycle and can be shared across resources. Please understand this: managed identities are super, super important. There are so many interesting services that support managed identities, but if nothing else, these three services make managed identities very interesting. So what is the idea behind managed identities? The idea behind managed identities is to assist developers in dealing with secrets. How does it help? Let's say there is an App Service that needs to, for example, store secrets: user credentials, credit card data probably (I mean, not everyone stores that, but just as an example), anything that is considered a secret, or any other secret, let's say certificates for example. Now, in place of allowing or forcing a developer to handle that, what a managed identity allows you is this: the App Service, if it has a managed identity, can access a Key Vault, and that Key Vault can store the secrets in a safe manner. So that takes the problem of dealing with secrets away from an organization; a developer would not be required to handle that, a Key Vault would handle it on their behalf. But this also means that if we compromise an App Service, that is, if an attacker gets access to this App Service, they would be able to request an access token for the Key Vault, and then they can go ahead and access the Key Vault and extract the secrets. That is the idea behind a managed identity.

Let me pick a question from Discord that is about the Azure pentest policy: a lot of things are prohibited, so for example the Azure pentest policy prohibits the use of port scan tools, any tool like Nessus, nmap, whatever. So the question is, if these are not allowed, how can one test the services on Azure?
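Editor's note, an added example for the managed identity point above, before the answer to that question (this is not code from the session or its lab manual): what "request an access token for the Key Vault" looks like on the wire from inside a compromised workload. The two token endpoints are the documented ones: App Service and Function Apps expose IDENTITY_ENDPOINT and IDENTITY_HEADER in the process environment (api-version 2019-08-01), while a VM asks the instance metadata service on 169.254.169.254 (api-version 2018-02-01, with a Metadata: true header). The environment values, the token and the vault name are constructed stand-ins, and nothing is sent over the network: the functions build and parse the messages so the exchange can be checked offline.

```python
"""Added example (editor's code, not from the session): the two requests a
compromised workload makes to turn its managed identity into a Key Vault token,
and what to read out of the token before using it. App Service and Function
Apps expose IDENTITY_ENDPOINT and IDENTITY_HEADER in the process environment
(api-version 2019-08-01); a VM asks the instance metadata service on
169.254.169.254 instead (api-version 2018-02-01, 'Metadata: true' header).
Nothing is sent over the network here: the functions only build and parse the
messages, and the environment, token and vault name are constructed values."""
import base64
import json
from urllib.parse import urlencode

KEY_VAULT_RESOURCE = "https://vault.azure.net"
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"

def app_service_token_request(env, resource=KEY_VAULT_RESOURCE):
    """GET (url, headers) for the App Service / Functions managed identity endpoint.
    `env` is os.environ inside the compromised app; a dict works for testing."""
    endpoint, secret = env.get("IDENTITY_ENDPOINT"), env.get("IDENTITY_HEADER")
    if not endpoint or not secret:
        raise RuntimeError("no managed identity is enabled on this app")
    query = urlencode({"resource": resource, "api-version": "2019-08-01"})
    return f"{endpoint}?{query}", {"X-IDENTITY-HEADER": secret}

def vm_token_request(resource=KEY_VAULT_RESOURCE):
    """Same request from a VM via IMDS; only reachable from inside the VM."""
    query = urlencode({"resource": resource, "api-version": "2018-02-01"})
    return f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"}

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def token_claims(jwt):
    """Decode the JWT payload without verifying it; we only want to know what we got."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))

def describe_token(response_body):
    """Summarise a token response: which API it is for, which identity it represents."""
    body = json.loads(response_body)
    claims = token_claims(body["access_token"])
    return {
        "audience": claims.get("aud"),
        "identity_app_id": claims.get("appid"),
        "identity_object_id": claims.get("oid"),
        "tenant": claims.get("tid"),
        "expires_on": int(body["expires_on"]),
        "usable_for_key_vault": claims.get("aud") == KEY_VAULT_RESOURCE,
    }

def key_vault_urls(vault_name):
    """The calls the token authorises if the identity has access: list secrets, read one."""
    base = f"https://{vault_name}.vault.azure.net"
    return {"list": f"{base}/secrets?api-version=7.4",
            "get": f"{base}/secrets/{{name}}?api-version=7.4"}

# Constructed stand-ins for the real environment and token response.
FAKE_ENV = {"IDENTITY_ENDPOINT": "http://127.0.0.1:41268/msi/token",
            "IDENTITY_HEADER": "c0nstructed-secret"}

def _fake_jwt(claims):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "signature"])

FAKE_TOKEN_RESPONSE = json.dumps({
    "access_token": _fake_jwt({"aud": KEY_VAULT_RESOURCE,
                               "appid": "aaaaaaaa-0000-0000-0000-000000000001",
                               "oid": "bbbbbbbb-0000-0000-0000-000000000002",
                               "tid": "cccccccc-0000-0000-0000-000000000003",
                               "exp": 1700003600}),
    "expires_on": "1700003600",
    "resource": KEY_VAULT_RESOURCE,
    "token_type": "Bearer",
})

if __name__ == "__main__":
    print(app_service_token_request(FAKE_ENV))
    print(describe_token(FAKE_TOKEN_RESPONSE))
    print(key_vault_urls("retailcorp-kv"))
```

The token itself is bearer-only and not bound to the App Service, so once it has been read out it can be replayed from anywhere until expires_on; whether the secret listing then succeeds depends on the identity having Key Vault access (an RBAC role or an access policy on the vault), which is exactly the access the developer wanted the app to have.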
As you will see, what Azure prohibits is, let's say, running a full scan against anything that is a cost for Microsoft. To be honest, Microsoft enforces this if it impacts the performance of a service or if it generates costs for them. In other cases, as you will see (I've been doing it for the past few years, and you will see it for the current one), if you have the permissions to do so, or if you are doing it against your own tenant, then it is absolutely allowed to test a target environment. Usually nmap, Nessus, anything that discovers a service, that is an automated tool that discovers a service and then tries to probe it, is what Microsoft prohibits. But it is their platform, their choice to enforce it, which of course is not a very good thing to do, but that is how it is; that is how it is with any cloud service, to be honest.

So what we discussed previously were Azure roles; now let's talk about Azure AD admins. Once again, I can see someone raising hands in the Zoom session; please write your questions in Discord. I can look at only one place and I prefer Discord, so please write your questions there. I've shared the Discord link in the Zoom chat. And let me answer some of the questions that keep coming: yes, there will be a session recording that we will share with you. We have already shared the Zoom link with the first 1000 registrations, so if you are not able to join it right now, it's fine.

All right, so let's talk about Azure AD roles. What we discussed previously are Azure roles. In the case of Azure AD roles, where are these applied? These roles are applicable on resources, or objects, to be correct in terms of terminology: these roles apply on users, groups, domains, etc. There are many administrator roles in Azure AD and of course we can also define custom roles. Global Administrator is the most well-known and all-powerful administrator role. Please note this, please be absolutely clear about this: there is absolutely nothing in Azure that protects you from a compromised Global Administrator. Nothing stops a compromised Global Administrator; be very sure about it. You can limit the damage, let's say by enabling MFA, etc., and that is all fine, but if your Global Administrator is compromised, an attacker can access your tenant as a Global Administrator and nothing helps. Global Administrator is the god mode. If someone from the blue team would like to correct me, I would be happy to be corrected, but in my experience Global Administrator is the god mode; there is nothing that stops someone from taking over the entire tenant. As we were discussing at the very beginning, in the case of on-prem AD you at least have, let's say if it is a 100% virtual environment, something above: if you compare this to a Domain Administrator on-prem, you at least have access to the virtual machines as a virtual machine administrator, that is, you would still be able to control the environment; if it is a brick-and-mortar data center, then you will at least have console access, that is physical access. But in the case of Azure there is nothing that controls a Global Administrator. Now, a question is: isn't there something like a tiered model / red forest for Azure AD to stop the god-level implications? I don't think so. I can double check that, but I don't think so; in my experience, once you have Global Administrator you can go ahead and change all the settings. Probably there may be an attempt at, let's say, detecting a Global Administrator earlier, before damage or more damage could be done, but I don't think that a Global Administrator can be controlled. I may be wrong; that's what my experience is. So that's about Azure AD roles.

Now, how do Azure AD roles relate to Azure roles? Let me clear this one up. How do Azure AD roles connect to the Azure roles, that is, RBAC? Let's say you have Global Administrator; no, let's not go with that one. Let's say you have the ability, using a custom role or one of the built-in administrator roles, to, just as an example, reset the password of this user. Let's simply call this the reset password role; I think this role is at least available with the User Administrator role. So if there is a role that could reset the password of this user, and then this user has a role definition that allows them to access, let's say, this SQL server, then this is how roles are connected. So this user, let's say, has Owner rights. If you look at it this way, this means that if a user has Owner rights on a SQL server database, then any role that can reset the password of the user would also have the same. That is how we create attack paths, and that is the connection between an Azure AD role and an Azure role. However, Global Administrator is something else: a Global Administrator has the ability to elevate to the User Access Administrator role at the management group level, that is, a Global Administrator can actually go ahead and access Azure resources if they want, whenever they want. Otherwise, a user that is not explicitly assigned a role on Azure resources cannot do that; a Global Administrator can do even that.

Then there are editions of Azure AD, and this is where I start ranting, I start bitching about Microsoft's licensing. So this is what I call it: these guys are the have-nots and these are the haves, or better, what they called the one percent movement from 2008 after the global financial meltdown. That's what this is: these guys are the have-nots and these are the one percent. They do not have anything; they have E5, I mean Premium P2, or probably even E5. So if I actually wanted to have it in the right way, I should have Premium P2 and then E3 and then E5, but you get the idea. So unfortunately what happens with Azure is that it is easier to move your workload to Azure, in terms of cost as well, but it is pretty costly to secure your workload, and for any interesting security you need to go ahead and purchase a license. So for example, when we talk about increased costs for protecting an environment: if you have to enable App Insights, which provides interesting logging for your App Services, you have to pay at least for the storage of the logs. Which, yeah, I mean, if you're using it just go ahead and pay for it, but what I would say is this should be part of a minimum security baseline if you are onboarding organizations, even for the free plan; at least don't make them pay for everything. That is what it is.

Now, when you talk about the kill chain, going right into the marketing lingo there, this is what it looks like, and this applies to any system, be it an on-prem environment or any cloud environment, with minor deviations, or in some cases major deviations as well. This is what you can follow: we start with discovery and recon of services, and you must have some initial access, that is your first foothold, or your beachhead, or whatever word you want to use. Then you go for the initial access, then enumeration, then privilege escalation, then comes lateral movement, persistence, data mining or, in some cases, exfiltration, and defense evasion. This is what we are going to follow as well: we will do the recon and discovery, initial access, enumeration, privilege escalation and lateral movement. That is all that we are going to cover, plus a bit of data mining, I mean we are going to look at only a few secrets, so it should not really be called data mining, but yeah, if you want. But no persistence or defense evasion in this one.

So what are the tools that we are going to use in the course? Az PowerShell from Microsoft, AzureAD PowerShell and its preview, once again from Microsoft, the Azure portal and open-source PowerShell. Other than that, if you look at the lab manual, at the very end I recommend some other tools for Azure, especially enumeration tools. The only open-source PowerShell tool that we are going to use in the lab is MicroBurst, but for some enumeration you can use, let's say, Stormspotter and the rest. There are three great tools, if I remember correctly: ROADrecon, Stormspotter and AzureHound. In my opinion ROADrecon is the best; AzureHound, the Azure part of BloodHound, is pretty cool; Stormspotter is more of a PoC but still interesting to take a look at. But these three tools we are not going to take a look at right now.

All right, so what is the lab? We target RetailCorp, a fictitious retail company. RetailCorp is testing some products for privileged identity management in their production tenant, of course, why not, and we assume the role of a threat actor that is targeting RetailCorp. Our goal is to compromise as many resources as possible in RetailCorp. There was a joke in there in the second point, I mean it was a joke but not a joke: testing some products in their production tenant. Yeah, you can do that, but what's the deal here? Don't do that, please.

So let's see what we have here. The first step: discovery and recon. Let's say we only know the domain name or an email address of the target organization; we know that RetailCorp is the name. It is possible to extract some really interesting information, like whether there is a tenant in use, the tenant ID, the name of the tenant, whether they are using any federation trust or not, other domains, whether there are any Azure services used by the target organization; we can also get email IDs and whatnot, and that is only for the enumeration part. So when we talk about information gathering or recon, at a very high level you can split it into two parts: one is enumeration, that is what a tool can go and fetch for you, and another is deriving stuff from information, so that can be done using a tool or manually. So, let's say, if you're targeting an organization and if that is in your scope, then you can, let's say, go to the LinkedIn profiles of their employees and extract information from there, look at their employees on Stack Exchange, on Twitter, Facebook, that is, go through all the social media, go through the product forums that they use, so you will get a lot of interesting information.

So let's start with the recon part. How do we know if an organization is using an Azure tenant, just if we know the name of the organization, or just the domain? For that we can use this URL, something like this; I'll show you that. If you hit this URL and replace "domain" with a valid domain that an organization is using, you will get to know whether the domain is used on a tenant, what the name of the tenant is, and whether federation is in use or not. If you want to get the tenant ID, just replace this, including the square brackets, with the domain name, and you will get the tenant ID. You can send POST requests: let's say you have hundreds of email IDs for a target organization, then you can validate those email IDs by sending POST requests to this URL. Is there a connection problem? Is it better now? Okay. So I was saying, let's say if you have extracted hundreds of emails for a target organization, then you can validate whether those emails are correct or not by sending POST requests to this one. There are tools that can do that for you. So we
can extract information manually, or we can use AADInternals. AADInternals is a fantastic tool, not only for this; this is not even scratching the surface of AADInternals. It is a fabulous tool, specifically when it comes to abusing hybrid identity, or anything else in general; it is very useful for anything related to Azure, so it is a versatile tool. Note that we do not ask you to set this up in the lab manual because it is not required, but I am just covering it in the slides because the person who wrote it, Nestori, is an all-around good guy and a very good Azure security researcher, and I've learned a lot from it; that's why it is mentioned. So once you have the AADInternals tool loaded, you can enumerate stuff like this: if you use Get-AADIntLoginInformation, that gives us the tenant name, the authentication in use, the brand name, which is usually the same as the directory name, and the domain name. Get-AADIntTenantID specifically gives only the tenant ID; you can get other domains as well, or you can get all the information about it.

So if I have to show you this one, let's first have a look at the URL that I had here. Let me copy this one right from the slides, and I simply replace, because remember that you have to remove the square brackets as well; let me copy this from the lab manual so that it is faster. So if I replace this one with this, there is no need to have a valid username, we just need a domain name. So if I replace this with retailcorp.onmicrosoft.com and I run this, we get to know that, because this is "Managed", the target organization is using Azure AD and they are not using federation, and the brand name is Retail Corporation. What does it look like if we use a wrong one here? Let's make a typo here deliberately. It looks like this if the target organization is not using a tenant, that is, if they are not using Azure AD. Similarly, to get the tenant ID, we once again just need the domain name. So if I use retailcorp.onmicrosoft.com here and make a GET request, we get this, and this, I believe, is the tenant ID. Yes, it is. All right, we can get this using the AADInternals tool as well. Oops, let me stop my video, I think my connection is acting up a bit. So if we import AADInternals (this is a bit dated version, so you can get the latest one from the GitHub repository, and check that in the slides), once we have this, let's run the first one. We'll get the same results as we got earlier, but just to be sure that this works even from the command line: we got the federation brand name, and the account type is Managed. What if you want to get the domains that the tenant is using? Recall our discussion on the core domain: the core domain is the initial one that is assigned to a tenant, and you can have custom ones as well. So if we, for example, check for RetailCorp, it has just one domain, but if we check, let's say, for microsoft.onmicrosoft.com... Please be careful: what we are doing right now is considered innocent, this is not any malicious activity, but still be careful if you request information for any other tenant, that is something that you do not own or you are not permitted to query. So if you run this, this is taking time, and the reason is the list would be pretty long. Okay, I just wanted to check that my connection is fine. So this shows us a long list. Let's not wait for this to complete; we'll come back to this in a moment. Or we can use Invoke-AADIntReconAsOutsider to get as much information as we can from a tenant. But this is fine.

Once we know that an organization uses Azure, the next step would be: what are the services that are in Azure? Now, there are many services in Azure that are available on specific, globally unique domains and subdomains, so by brute-forcing the subdomains we can enumerate whether the target organization is using any of such services.
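Editor's note, an added example that is not code from the session, its slides or its lab manual: the tenant recon just demonstrated rests on three unauthenticated requests to login.microsoftonline.com, and it is worth knowing what they are and how to read their answers without a tool in between. The endpoint paths are the public ones (getuserrealm.srf for "is this domain on a tenant, Managed or Federated?", the tenant's openid-configuration document for the tenant ID, and a POST to GetCredentialType for "does this user name exist?"). The responses in the block are constructed samples in the documented shapes, the tenant ID is made up, and RetailCorp / retailcorp.onmicrosoft.com are the lab names; nothing is sent over the network.

```python
"""Added example (editor's code, not from the session or its lab manual): the
three unauthenticated login.microsoftonline.com requests behind the recon
described above, built and parsed without touching the network. The endpoint
paths are the public ones; the responses below are constructed samples in the
documented shapes, and RetailCorp / retailcorp.onmicrosoft.com are the lab
names from the session.

  1. getuserrealm.srf      - is the domain on a tenant, and is it Managed or Federated?
  2. openid-configuration  - the tenant ID, read out of the issuer URL
  3. GetCredentialType     - does this user name exist? (POST, IfExistsResult)
"""
import json
import re

LOGIN = "https://login.microsoftonline.com"
GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def user_realm_request(domain):
    """GET: any user name works, only the domain part is looked up."""
    return f"{LOGIN}/getuserrealm.srf?login=user@{domain}&json=1"

def parse_user_realm(body):
    """Reduce the getuserrealm JSON to what a tester wants to know."""
    realm = json.loads(body)
    ns = realm.get("NameSpaceType", "Unknown")
    return {
        "domain": realm.get("DomainName"),
        "tenant_in_use": ns in ("Managed", "Federated"),
        "namespace_type": ns,
        "federated": ns == "Federated",
        "federation_endpoint": realm.get("AuthURL"),   # only present when federated
        "brand_name": realm.get("FederationBrandName"),
    }

def tenant_id_request(domain):
    return f"{LOGIN}/{domain}/.well-known/openid-configuration"

def parse_tenant_id(body):
    """The tenant ID is the GUID in the issuer (https://sts.windows.net/<id>/);
    an unknown domain comes back as an error document with no issuer."""
    doc = json.loads(body)
    if "error" in doc:
        return None
    m = GUID.search(doc.get("issuer", ""))
    return m.group(0).lower() if m else None

def credential_type_request(email):
    """(url, JSON body) for the POST; IfExistsResult in the reply says whether
    the user name is known (0, 5, 6) or not (1)."""
    return f"{LOGIN}/common/GetCredentialType", json.dumps({"Username": email})

def parse_user_exists(body):
    code = json.loads(body).get("IfExistsResult")
    if code in (0, 5, 6):
        return True
    if code == 1:
        return False
    return None       # throttled or unexpected value: do not guess

# Constructed sample responses in the documented shapes (not captured traffic).
SAMPLE_REALM = json.dumps({"State": 4, "UserState": 1, "Login": "user@retailcorp.onmicrosoft.com",
                           "NameSpaceType": "Managed", "DomainName": "retailcorp.onmicrosoft.com",
                           "FederationBrandName": "Retail Corporation",
                           "CloudInstanceName": "microsoftonline.com"})
SAMPLE_REALM_UNKNOWN = json.dumps({"State": 4, "UserState": 1,
                                   "Login": "user@retailcorpp.onmicrosoft.com",
                                   "NameSpaceType": "Unknown"})
SAMPLE_OPENID = json.dumps({"issuer": "https://sts.windows.net/0A1B2C3D-1111-2222-3333-444455556666/",
                            "token_endpoint": f"{LOGIN}/0a1b2c3d-1111-2222-3333-444455556666/oauth2/token"})
SAMPLE_OPENID_ERROR = json.dumps({"error": "invalid_tenant",
                                  "error_description": "AADSTS90002: Tenant not found."})
SAMPLE_EXISTS = json.dumps({"Username": "admin@retailcorp.onmicrosoft.com", "IfExistsResult": 0})
SAMPLE_MISSING = json.dumps({"Username": "nobody@retailcorp.onmicrosoft.com", "IfExistsResult": 1})

if __name__ == "__main__":
    print(user_realm_request("retailcorp.onmicrosoft.com"))
    print(parse_user_realm(SAMPLE_REALM))
    print(parse_tenant_id(SAMPLE_OPENID))
    print(parse_user_exists(SAMPLE_EXISTS))
```

The first two requests are the same lookups the browser makes before any sign-in, which is why the session calls them innocent; the third is a credential-flow endpoint, so treat its answer as a hint rather than proof, keep the request rate low, and only run it against user names of an organization that is in scope.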
For that we can use MicroBurst. What is MicroBurst? A PowerShell tool for security assessment of Azure. For all its functionality it uses Az PowerShell, AzureAD, AzureRM, MSOnline and some additional REST API calls. This is the way: using Import-Module we can import all of the tool, that is, all of the modules within the tool, or we can load a particular script. What we are interested in right now is to enumerate all subdomains for an organization. So in this command, if we specify retailcorp as the base, then MicroBurst will try things like storage accounts on retailcorp, whether there are any App Services on retailcorp, and so on; that's what it is going to try, and that is also something that we are going to look at. I have an output here, so we can go ahead. Here you can see the previous command where we enumerated the domains used by microsoft.onmicrosoft.com; you can see a lot of them. This one catches my eye. Is there anyone right now in the Zoom class that immediately recognizes this? Would anyone like to comment on this one? This is the team, the original company who wrote Advanced Threat Analytics, which is now known as Defender for Identity. It just caught my eye. There are many interesting things in here, so take a look, but be careful and don't be stupid; please do not test stuff that you are not supposed to.

Now this we will run in our learning objective. This brings us to our learning objective of discovery and recon: gather the following information about the RetailCorp organization: the domain of the RetailCorp tenant, that would be flag one for you, and second, the ID of the tenant. Okay, this is something that I could run that is not included in the learning objective first. So in place of importing the whole module, I will simply load only this script, Invoke-EnumerateAzureSubDomains. Let me just copy that; I am not really interested in typing commands because I can make typos, and in that case I don't want to troubleshoot that. Okay, and that's why I don't type commands, as I was saying. Okay, let me import the module then; let's import the whole module. It's in MicroBurst\master on this VM that I'm using, I believe. Oh come on, let me see. So this is MicroBurst-master. Oh okay, so it is MicroBurst. Okay. So now if I run the command to enumerate the services in use, that is something that we can leave running because it takes time. For this one we will have the base retailcorp and that's it; now leave it running. What it would look for, for example, something that we are expecting here, is that the target organization uses storage accounts. What this tool is looking for right now with the base retailcorp is retailcorp.blob.core.windows.net, that is the storage account endpoint for blobs, retailcorp.file.core.windows.net, that is the storage account endpoint for files, and so on. That is what it is doing. All right, so that is how we can go ahead and enumerate services.

Now, learning objective one is to gather the following information about the RetailCorp organization: the domain of the RetailCorp tenant and the ID of the tenant. We have seen both of these using these URLs and also using AADInternals, so I'm not going to show you this; this is also part of the flags, so do them on your own. This would also be a good practice for you, and you should get the completion certificate.

Right, now comes the second step, the initial access. So as I was saying here, what we would come to know once this finishes running is that the target organization, RetailCorp, is using storage accounts. So what is a storage account? Before that, let's understand what blob storage is. Blob storage is used to store unstructured data like files, videos, audio, etc. So unlike structured data that is stored in your databases, blob storage, think of it as a place where you can simply go and throw stuff and it will be stored. There are three types of resources in blob storage. The storage account: storage accounts have unique namespaces across Azure, and that is the exact thing that we are abusing right now, unique namespaces across Azure, and can be accessed over both HTTP and HTTPS. Then, as you can see from this diagram taken from Microsoft's documentation, you have a storage account, then there are containers inside a storage account, think of them as folders within a storage account, and then the blobs, that is the storage that actually stores data. There are three types of blobs: block, append and page blobs. So that's what blob storage is used for, storing stuff; that's the easiest definition. Now, a storage account has globally unique endpoints. When you say globally unique, that means globally unique: if someone is using a storage account, let's say retailcorp.blob.core.windows.net is in use, you cannot create a storage account with the retailcorp name; try it and you will get "the name is already in use". This is, as we are doing, useful in enumeration by guessing storage account names. So do we have an output here? Not yet. What the MicroBurst tool is trying, because we have provided the base retailcorp there, is to replace the storage account name with retailcorp, because that is what we specified as the base, and now it is trying whether there is something called retailcorp.blob, retailcorp.dfs, .file, .queue and .table and so on; that is what it is looking for. And because, once again, this is globally unique, that means there are high chances that if you know the target organization then you will spot something interesting, usually.

Now, how is access to a storage account controlled? What does the authorization look like? There are multiple ways to control access. You can use Azure AD credentials, which is of course the recommended way: you can authorize users, groups and any other identity based on their Azure AD credentials, and Azure roles are supported. You can have roles like Storage Blob Administrator or things like that, which allow you to have pretty fine-grained control over a storage account. That is one method, and the recommended one. Then there is the shared key or access key method. In this storage account, if you go to Access keys under the Security + networking blade, there are two access keys for each storage account. These keys provide full access to the storage account, complete access, and these keys are not automatically rotated unless the storage account is managed using a Key Vault. So this is a pretty high-privilege credential to have, I would say. The third method is to create a SAS URL, a shared access signature; this is time-limited and has specific permissions, so this is also a good way of accessing a storage account. So this is how authorization is done.

But is there any problem with this? Not specifically a problem with this, but of course, like any other cloud storage, like for example S3 buckets in AWS, there is always a chance of misconfiguration, that is, if someone allows, or by mistake permits, anonymous access or public access, then it is a problem. By default public access is not allowed for storage accounts, and that is a very good thing, but if "allow blob public access" is enabled on a storage account, then it is possible to configure anonymous or public read access at two levels: one is blob anonymous access, that is anonymous read access only for blobs inside containers, you cannot list contents; a wider permission is to allow listing of the contents of containers as well. All right, now a question I get, or expect, when we discuss this is: how common is this? How common is it to have anonymous access to storage accounts in Azure? I
would say pretty common more common than you would think so the this is how usually how any anonymous anonymously accessible storage account or any storage starts so there would be let's say some co-workers or colleagues who would like to quickly share stuff you know interesting videos audios memes or anything like that that is let's say anything that the organization policy prohibits for example either that or you do not want or they want to just get stuff done quickly or if it is it is supposed to be temporary storage that is how anonymous storage starts okay we will remove this right cyber hunter please uh remember to remove this once we are done with this of course and then it's gone right or let's say dexter you have the ownership you reco you remember that we have to delete this this is just for sharing some beams yeah that's how and then i'm not choking right that's how anonymous storage starts and then slowly if it is actually not removed people tend to forget that they start dealing sensitive information there right that's that's how your temporarily storage cloud storage starts getting and then there is logging i mean a lot of it's not so common i would say it's still common but your applications may want to log stuff and um they could not authorize or authenticate to the storage in addition to that a lot in a lot of cases unfortunately the the person who is creating or who owns this storage account think that okay if i use this i keep the name of the storage account as very unique then no one would know that and that's safe enough all right so for example someone would think that okay things like christmas 2021 is a safe enough storage account right we are all of us that uh who are we are disciplined i mean i mean though we us in this webinar we are security professionals or one of the security professionals so we understand this but probably your hr or your finance may not get that so in in those cases as well you would have anonymous storage outcomes 
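The two properties discussed above, the globally unique storage account name and the anonymous container listing, as an added PowerShell example. This is editor-added code, not part of the webinar, its lab or MicroBurst; the base name retailcorp and the container name configuration are taken from the talk, the other candidate account and container names are made-up guesses, and no real tenant is implied.

```powershell
# Editor-added example, not the speaker's slides or MicroBurst. Checks whether guessed storage
# account names exist (DNS for the blob endpoint, since names are globally unique) and whether a
# container in them can be listed without any credentials.

function Test-StorageAccountExists {
    param([Parameter(Mandatory)][string]$Name)
    $fqdn = "$Name.blob.core.windows.net"
    try {
        # An unregistered account name does not resolve; a registered one does, whoever owns it.
        $null = [System.Net.Dns]::GetHostAddresses($fqdn)
        return $true
    } catch {
        return $false
    }
}

function Get-AnonymousBlobList {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$Container
    )
    # The List Blobs REST operation with no Authorization header: it only succeeds when the
    # container allows anonymous access at container level (blob-level access does not list).
    $uri = "https://$Account.blob.core.windows.net/$Container?restype=container&comp=list"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
    } catch {
        # 404 is returned for missing, private and blob-level-only containers alike, so a failure
        # here is not proof that the container does not exist; known blob names can still be tried.
        return @()
    }
    # The body carries a UTF-8 BOM that breaks the [xml] cast if left in place.
    [xml]$xml = $resp.Content.TrimStart([char]0xFEFF)
    return @($xml.SelectNodes('/EnumerationResults/Blobs/Blob/Name') | ForEach-Object { $_.InnerText })
}

$base = 'retailcorp'
# Constructed candidate list: base name plus common suffixes, normalised to the 3-24 lowercase
# alphanumeric characters a storage account name may contain.
$candidates = @($base, "$base-data", "${base}backup", "${base}dev", "${base}logs") |
    ForEach-Object { ($_ -replace '[^a-zA-Z0-9]', '').ToLower() } |
    Where-Object { $_.Length -ge 3 -and $_.Length -le 24 } |
    Select-Object -Unique

foreach ($name in $candidates) {
    if (-not (Test-StorageAccountExists -Name $name)) { continue }
    Write-Host "[+] Storage account exists: $name"
    # Container names are guesses; 'configuration' is the one the talk finds.
    foreach ($container in @('configuration', 'backup', 'public', 'scripts')) {
        $blobs = Get-AnonymousBlobList -Account $name -Container $container
        if ($blobs.Count -gt 0) {
            Write-Host "    [!] Anonymously listable container: $name/$container"
            $blobs | ForEach-Object { Write-Host "        $_" }
        }
    }
}
```

The name check is the same trick MicroBurst relies on: because the namespace is global, a resolving endpoint is a hit regardless of who owns it, so stay inside your rules of engagement before touching anything that resolves. A container that returns 404 to the list call may still serve individual blobs anonymously if only blob-level access is enabled, which is why the talk's deployment script could be fetched by name.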
So you might have understood why I'm reviewing this story, because that is what our initial access is going to be. All right, but before that, one more tool from Microsoft that could be useful for accessing storage accounts is Storage Explorer. It is a standalone desktop app to work with storage accounts, and that's pretty useful in many cases.

Now how do we abuse this? How do we abuse anonymous access to a storage account for our initial access attack? Once we know that storage accounts have globally unique endpoints and can allow public access, both of these are interesting together. Once again using MicroBurst, but this time with this function, we can check if there are insecure storage blobs in the RetailCorp tenant. So I hope by now we would have services here. As you can see, we have storage account blobs, files, queues and tables in RetailCorp, that's one. Now what we are going to do is run Invoke-EnumerateAzureBlobs. Previously we ran Invoke-EnumerateAzureSubDomains; now it is going to be Azure blobs, once again on the base retailcorp. Let's run this. So it found a storage account right there, and now what it is trying is whether there are anonymously readable containers or blobs inside. It found a container, retailcorp/configuration, and a file inside it, a PowerShell deployment script, script.ps1. But please note that if any one of you try that right now it would not be possible for you to access it, because I've restricted the network configuration; I didn't want to hit any of Microsoft's throttling limits right now. So this is what we have here. Let's access this script. Let's use an incognito window so that we do not use any of the privileges. Let's check out the script. Now what do we have here? Many of you might have actually used this. So we are deploying a virtual machine. I think we picked these commands up from some valid script, either on Microsoft's website or on some other vendor's website; this is what they recommend. You can either store credentials using Get-Credential or you can use a PSCredential object, right? How common is it for you to find stuff like this? Very common, if you can hit the correct script, right? So this is, of course, what we are going to do now: we are going to try and see if we can use these credentials. In fact, let me copy the first three commands, but we'll run this later, because I don't think that is required in the current initial access method.

So our learning objective for initial access, what you want to use as the flags, is: name of the publicly readable container in the RetailCorp tenant, and name of the PowerShell script available in the publicly readable container. Right, so that is something that we enumerated using the previous command. I cleared the screen, otherwise I would have shown it. A question is: do we need to ask a customer to whitelist our IP in consideration of throttling? I would say, even if not in consideration of throttling, it is always recommended to share your IP with the client so that they can craft some detections around it. It totally depends on your rules of engagement, but it is usually recommended. All right, and now we will remove the IP restriction on the storage account. So I do not recommend you try the hands-on with me, but if you want, you can now start doing that. However, once again, I do not recommend doing that.

So now, once we have access to a user's credentials that we extracted from the deployment PowerShell script, let's go for the enumeration part, right? So Azure portal is usually your gateway to Azure. If you are creating a tenant of your own, to invite a guest later on, make sure that you spend enough time finding out what you can and what you cannot access using Azure portal. I mean, not all the information is visible in Azure portal, but it's pretty interesting to use. So think of it as a GUI alternative to tools like PowerShell modules and Azure CLI. Now, we have access as the pim user to the target environment, the RetailCorp tenant; we extracted the credentials from the PowerShell script, and if we use these credentials to connect to the tenant you can see that we can connect, and we connected using the Az PowerShell module.

Now what should we be able to do? Assume we have not enumerated that, but assume that the pim user is a normal user. So what are the permissions a normal user has in Azure AD? A normal user can read all users, groups, applications, devices, roles, subscriptions (not the details of the subscriptions, just the presence of a subscription) and all of their public properties. A normal user can invite guests, can create security groups, can add guests to the groups they own, can read non-hidden group memberships, can create new applications, can add up to 50 devices to Azure, and whatnot. A lot of privileges, if you ask me. Why are these a lot of privileges? For example, the first thing that comes to mind when you read these two: okay, what if a user can create a security group and add guests to groups, what could happen if that could be done? I mean, what's the big deal? That's a question that I get a lot of the time. Once again, if the organization is not assigning the roles using, let's say, Privileged Identity Management, that is using PIM, when someone creates a group to test or do something, then that group is involved in some more testing, there comes a point where that testing turns into production, and then no one is going to remove it or make any changes to it. As soon as that is moved to production, there is no one that is going to make changes to it. Now what happens is, if this security group now becomes crucial or high privilege in production, then the user who created this security group is now a high privilege user, because if someone compromises that user they own the group now, right? So always visualize these attack paths. Whenever you think that okay, there are some connected entities, always think of it as a graph, right? Similarly, why is creating a new application privileged stuff? That is, why is it important to not allow your users to do this? We are not discussing that here, but when you create applications, that is service principals, service principals are always, well, let me say almost always, I mean I've never seen a service principal in a conditional access or an MFA policy, but service principals are exempted from security controls like conditional access policies or MFA. So because of that, if a user creates a service principal and then that service principal is assigned a privileged role, if the user is compromised, someone can simply, let's say, add credentials to the service principal, authenticate to the tenant as the service principal, thereby bypassing security controls and persisting in the target environment very nicely. So this is the reason why, if you absolutely know that you want your users to do that, this allows users to create new applications, right, and other things. But by default these are the permissions that a user has.

Now let's talk about enumeration. When we could see that we have access to the target environment as the pim user, let's talk a bit about enumeration. So we are going to take a look at just two enumeration tools, both of them from Microsoft. These are management modules, but we are going to use them for enumeration: the AzureAD module, which as the name suggests can be used to interact with Azure AD, and then Az PowerShell, which can be used to interact with both Azure AD and Azure resources. So what is AzureAD? It is a PowerShell module from Microsoft for managing Azure AD. Not a perfect tool, I would say, because it does not show all the properties of Azure AD objects and the documentation is not good. Still useful to some extent, and we do not have a lot of choice actually other than using this. Once again, it can be used only to interact with Azure AD, no access to Azure resources. Just give me a second. All right, so how do you get it? You can either run Install-Module AzureAD from an internet-connected machine, or you can download it from the PowerShell Gallery, rename the NuGet package to .zip, extract it and then import it. Once you have credentials of a user or an access token, we can use Connect-AzureAD to connect to a tenant using the AzureAD module. We can either use Get-Credential to get a credential prompt, or we can use the PSCredential object like this. So we already have a PSCredential object in $creds, but in place of using Connect-AzAccount, right now we want to use Connect-AzureAD. Please note that if you have set up the lab as per the lab prerequisites you would not need to import the AzureAD module. I have to because I forgot to set it up; I've set it up in a different way, let me say that. So in the C:\AzAD directory we have the AzureAD module. Now, come on, my cursor is lagging a bit. That's the reason why, I mean I usually am not that bad at the keyboard, my cursor is lagging a bit, so that's the reason. Ah, please let me try this again one more time; this time I will be more patient. C:\AzAD\Tools\AzureAD\AzureAD.psd1, I believe. Ah, great. Import-Module and the path to the AzureAD module. Now let's connect to the tenant using the Connect-AzureAD command. All right, so now as the pim user, whose credentials we got from the publicly readable storage account, as that user we have connected to the tenant using AzureAD. Now what can we do post that? We can get the current session state and details of the tenant. It usually makes sense to just check it once, specifically if you are running a black box, so that you are absolutely sure that you are targeting the correct environment. So yeah, that's the one that we want to target.

Now what would you like to extract from a tenant? If you go to the Azure Active Directory option here, what do we have? We have users, groups, roles, administrative units, enterprise applications, devices and whatnot. So all of these are there; let's check them using the command line as well. For example, first, Azure AD users. So these are the first 100 users there; make sure that you use -All $true, that is, if you want to list all. If you want all, then you have to specify that. So these are all the users. Thanks to PowerShell's powerful pipeline you can run stuff like Measure-Object: there are a total of 308 users right now. Or if you want to see just one of the properties, let's say Select-Object, okay, let me take that from the slide, for example if you want to go for the display name. Now, before that, if you want to enumerate a specific user you can pass an object ID or a UPN, user principal name. So here, let's say you want to get details about the pim user, we can specify that, and pipe it to Format-List * to get any additional information that was not shown by default. If you would like to check all the users that contain the word "admin" in their display name, what are we doing here? From all the users (this is an alias for Where-Object in PowerShell), list the ones where the display name matches the string "admin". Pretty straightforward. So if I run this there's just one user that has "admin" in their display name. If you want to list, let's say, all the users who are synced from on-prem: in a production environment, if you think that okay, hybrid identity is in use, or if you want to check whether hybrid identity is used, one very easy way is to look for principals synced from on-prem. So if the on-premises security identifier is not null, then the user (because we are listing it for users) is synced from on-prem; if that is null, then the user is from Azure, right? I once again saw someone raising a hand on the Zoom, so let me share the Discord link once again there, so please ask the questions on Discord.

All right, now this is how we can list users that are synced or not, that is cloud-only or hybrid. Then we may also like to list objects created by any user, objects created and objects owned. So why is this useful? Why would you like to list objects created or owned by a user? Very useful, so let's look at this scenario. There is a user. Now this user owns a service principal, that is an enterprise application. Now let's say the service principal has, for example, the Privileged Access Administrator role. So if you look at the roles and administrators here, oh okay, so we would have many interesting roles. I didn't want to use an example of Global Administrator directly, but, sorry, Privileged Authentication Administrator, that's a sin that I committed, I called it Privileged Access Administrator. So Privileged Role Administrator, sorry, Privileged Authentication Administrator: this role can actually reset the password of even Global Administrators or any other high privilege role. If the service principal has that role, then this is a risk. That is why we are looking at ownership. That means if someone now phishes this user, then this role is compromised, right?

A question is: other than, let's say, finding it in a publicly readable storage account, what are the other ways to get credentials of Azure AD users? Usually it would be phishing attacks, so there could be multiple types of it. OAuth phishing, that is, you trick a user into consenting to permissions for a malicious application that you control, that is the illicit consent grant attack, that could be one. Direct phishing attacks using a reverse proxy like Evilginx, for example, that is one of the cases. Password spraying, I would say yes, unfortunately that is also useful. So this is for getting users' credentials for initial access. Other than these methods, a lot of times it is through your applications that have, let's say, a managed identity, or they have access to some secrets like connection strings and so on, and a lot of times cross-tenant attacks, or delegated administration to vendors, that is also a way. So these are all the ways you can get initial access.

Another question is: how noisy is the user enumeration in Azure? Would all attempts to gather info be logged somewhere? A very good question. So let me be very clear about it: not all enumeration queries would be logged, but when you authenticate, when we use this command Connect-AzureAD to connect to the target tenant, that would result in an authentication log, or sign-in log, right? Now if this organization has, once again, Azure AD Premium P2, money, then there would be a user risk or a sign-in risk: if you log in from a location that is not common for the user, then there would be a user risk or a sign-in risk in Azure AD Identity Protection. Without that, I mean, you can have alerts of your own, for example here you can see access for the user from multiple locations. So there would be a sign-in log, and that is why, recall, initially when someone asked about MFA bypass I recommended using locations that are closer to the target organization geographically, or use a VPN, etc. So that also makes sense: if you get clear-text credentials of a user, and even if MFA is not enabled, it would make sense to gather some more information before you use the credentials. Do not rush through it. In the lab environment we do that because this is a very small lab environment, to be honest, right? I have to watch costs as well, because this is going to be always on, and as I said we already have close to 5000 users. I mean not all of them are accessing this; people like to register for stuff and then probably not use it, but I expect this to be used a lot, so I set up a small lab environment. Even in this super small lab environment, if I execute this as you would do in a real assessment, that would take a lot of time. If you actually want to be super silent, do not want to be spotted by Identity Protection, do not want to be spotted by any other detection mechanism, you have to be super patient and move very slowly, like some real attackers do; they spend weeks, if not months, looking at the target environment, right? But that is why we are actually enumerating this.

Now we can also enumerate groups using Get-AzureADGroup. If you run the very first one we get a list of all the groups in the target tenant. All right, we can request more details of a particular group by passing the object ID. We can search for groups, pretty much similar to users: we can search for a group that has the word "admin" in its name. And then, something that is pretty relevant to the setup in our lab: groups that allow dynamic membership. Note the cmdlet name: it's not Get-AzureADGroup anymore, it is Get-AzureADMSGroup. So what are we doing? We are filtering this on the basis of group type; if the group type is DynamicMembership, then it is a dynamic group. Using the AzureADPreview module we can also take a look at the membership rule; this is something that we are going to use in a few minutes, right? So this is the way, we are just looking at some of the ways we can keep enumerating stuff. However, let me say this about, you know, once again Microsoft: if you run this with the AzureADPreview module, that is the one we are running, that is fine, but if you run this with the AzureAD module it won't show you the membership rule, because the AzureAD module uses an older version of the API; AzureADPreview uses a newer version of the API. All right, you can also get groups that are synced from on-prem and that are cloud-only. Now how do we get the membership of a group? By passing the object ID. So here we are getting the members of a group, that is, who all are the members of this particular group. Now the other way round is also possible, for example if you would like to check whether there are any groups and roles. These two are different, right? Roles are what we see here, "Roles and administrators"; groups are these, right? So these are the groups in the target tenant and these are the roles. A user of course could be a member of a group and could be assigned a role as well. So if I run this, for example, what do we have here? The user retail admin is not a member of any group but has been assigned a role called Global Administrator. Good to know.

Then come role templates and roles, and once again, thanks to Microsoft, if you look at the documentation of the cmdlet Get-AzureADDirectoryRole it doesn't mention anywhere that it lists only the enabled roles. How is a role enabled? Some user must be assigned at least once to the role; only then is the role enabled. Because of that, if you run this cmdlet, Get-AzureADDirectoryRole, in the target tenant, in RetailCorp, you would see just two roles. What's that? Just Global Administrator and Directory Readers. But if you look at the roles here from the Azure portal you would see that there are so many roles. So what just happened here? Looks like a multi-billion dollar, or is it a trillion dollar, company forgot to document that this cmdlet lists only the enabled roles. If you want to check all the available roles, then you must run Get-AzureADDirectoryRoleTemplate. Sucks, isn't it? But that is how these modules are created. I mean nothing against the people who worked on it, I always say this because I tend to, you know, get carried away with the stuff that comes in Azure and the poor documentation of a lot of things, but I always say this: I have friends at Microsoft, the engineers there are superb, but as a company, I mean as an organization, it is not really up to the mark. All right, and especially from the time that I've started noticing how they have left on-prem Active Directory to the mercy of third-party vendors, and absolutely no innovation in the security of on-prem AD for the past five or six years, I mean that enrages me. But that is not something we are interested in right now, right? My rage is of no importance.

Now we know what role templates are, that is all the roles, and what the active roles are. Now if you want to enumerate users to whom roles are assigned, for example what if you would like to check who all the Global Administrators are? That is something that is always interesting. So if I run this, what are we doing? We are listing all the roles and then filtering out the Global Administrator role, and then we want to check who the role members are. So if I run this, there are a couple of users who are members, or who are assigned this. All right.

Then comes the apps part, and this is where there is a lot of confusion when you talk about PowerShell terminology. There are application objects. These application objects are called apps, for example Get-AzureADApplication in PowerShell, but in the case of the portal these are called app registrations. All right, so an application object or an app registration is the global representation of an app, that is, it is available only in the home tenant. So you can enumerate what all the applications are there, and you can find some interesting ones. If you use, for example, Get-AzureADApplicationPasswordCredential, it shows the applications with an application password, but the password is not shown, thankfully. Now the more interesting counterpart of an application is the service principal. So it is called a service principal in PowerShell terminology, and in the Azure portal these are visible as enterprise applications. Now you can think of enterprise applications as the service account part. So the relationship between an app registration, that is an application, and a service principal, that is an enterprise application, is: a service principal is the service account part of an app registration. For example, if it is a multi-tenant application, there would be just one app registration in the home tenant and then there would be an enterprise application in each of the tenants. Now it is this enterprise application that can be assigned Azure roles. For example an enterprise application may have owner rights on a virtual machine, it may have contributor rights on a storage account, and so on. This is usually the more interesting part.

How can we enumerate service principals? We can get all of them using Get-AzureADServicePrincipal; if you want all of them, then set -All to $true. So these are all the service principals in our tenant; almost all of them are already there, I mean baked in, in your freshly created tenant. If you want to get details about a specific principal we can pass an object ID. If you want to get a service principal based on display name, something like this, for example, you can do that as well. So what are we doing here? We list all the service principals, then we filter out the ones whose display name matches "pim". So there are a few such service principals. Please note that all three commands listed here return nothing in the current lab, but the commands are pretty useful in general. So, get the owner of a service principal: recall the beautiful diagram that I drew for you earlier. In that case we discussed that if a user has, let's say, owner permissions on a service principal, and that service principal has high privileged roles, then that is something that would be interesting for us. So at that time we saw whether the current user, or a user that we specify, owns an object. Here we are doing it the other way round: for a specific service principal we are checking whether there is an owner. So if we, let's say, find out a service principal that has the Global Administrator role assigned, we would definitely be interested in looking at who owns that service principal. Similarly, the second one, if you want to list objects owned by a service principal, that is the same case. Why would this be useful? If there is a service principal and it owns, let's say, a virtual machine, then is this interesting to you? Of course it is, because this virtual machine can open up new avenues. What if there is some user data that you can extract from here? What if there is a managed identity here that you can abuse? What if there is a path to an on-prem environment from here, and so on? So that is why this is useful. The same goes for objects created by a service principal. But we want to check what the paths from our current access are. And then finally we can get group and role memberships of a service principal. I mean, this command I should have discussed earlier, but that's fine. So that is if you want to check whether a service principal is a member of a group, or a role membership, let's say Global Admin or anything else. All right, so the first one does it for a specific service principal; the second one does it for all the service principals.

The learning objective, enumeration: enumerate the following for the RetailCorp tenant using the AzureAD PowerShell module. We have seen users, Get-AzureADUser; we have seen groups, Get-AzureADGroup; directory roles, Global Administrator, we used, oops, we used this command for that, right? How to check who has the Global Administrator role: we used this command and found out that only one user has that one, a couple of users have that one. The next one is the name of the dynamic group in RetailCorp; this is flag 5.
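An added example (editor's code, not the speaker's slides or lab scripts) that strings together the AzureAD-module enumeration the talk walks through one cmdlet at a time: active roles versus role templates, the members of a few high-privilege roles, the owners of any service principal holding one of them (the ownership path discussed above), the objects and memberships of the current user, the on-prem sync check, and the dynamic groups with their membership rule via AzureADPreview. It assumes $creds holds the PSCredential from the talk and that both modules are installed; the role names are Azure AD built-in names. Microsoft has since deprecated the AzureAD and AzureADPreview modules in favour of Microsoft Graph PowerShell, so this mirrors the tooling the talk uses rather than the current recommendation.

```powershell
# Editor-added example, not from the webinar or its lab. Assumes $creds is the PSCredential
# taken from the deployment script and that AzureAD and AzureADPreview are installed.

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD -Credential $creds | Out-Null

# Confirm the tenant before enumerating anything else (black-box sanity check).
$tenant = Get-AzureADTenantDetail
Write-Host "[*] Tenant: $($tenant.DisplayName) ($($tenant.ObjectId))"

# Get-AzureADDirectoryRole returns only roles activated by at least one assignment;
# the templates are the full list of roles that exist in the tenant.
$templates = @(Get-AzureADDirectoryRoleTemplate)
$active    = @(Get-AzureADDirectoryRole)
Write-Host "[*] $($templates.Count) role templates, $($active.Count) active roles"

# Roles to map first; anyone holding one of these is a target (Azure AD built-in names).
$interesting = @('Global Administrator', 'Privileged Role Administrator',
                 'Privileged Authentication Administrator', 'Application Administrator')

foreach ($role in ($active | Where-Object { $interesting -contains $_.DisplayName })) {
    Write-Host "`n[+] Role: $($role.DisplayName)"
    foreach ($member in @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)) {
        Write-Host "    $($member.ObjectType): $($member.DisplayName)"
        if ($member.ObjectType -eq 'ServicePrincipal') {
            # A service principal is not subject to conditional access or MFA, so whoever owns
            # it can add a credential and use the role: its owners are part of the attack path.
            foreach ($owner in @(Get-AzureADServicePrincipalOwner -ObjectId $member.ObjectId)) {
                Write-Host "        owned by $($owner.ObjectType): $($owner.DisplayName)"
            }
        }
    }
}

# What does the account we run as own, and where is it a member? Owning a group or a service
# principal that later becomes privileged makes this user privileged by proxy.
$upn = (Get-AzureADCurrentSessionInfo).Account.Id
$me  = Get-AzureADUser -ObjectId $upn
Write-Host "`n[+] Objects owned by $upn"
Get-AzureADUserOwnedObject -ObjectId $me.ObjectId |
    Select-Object ObjectType, DisplayName | Format-Table -AutoSize
Write-Host "[+] Groups and roles of $upn"
Get-AzureADUserMembership -ObjectId $me.ObjectId |
    Select-Object ObjectType, DisplayName | Format-Table -AutoSize

# Hybrid identity check: users synced from on-prem AD carry an on-premises SID.
$users  = @(Get-AzureADUser -All $true)
$synced = @($users | Where-Object { $null -ne $_.OnPremisesSecurityIdentifier })
Write-Host "[*] $($users.Count) users, $($synced.Count) synced from on-prem"

# Dynamic groups: the AzureAD module reports GroupTypes but not the rule itself, so switch to
# AzureADPreview (same cmdlet name, newer API) and reconnect to read MembershipRule.
Remove-Module AzureAD
Import-Module AzureADPreview -ErrorAction Stop
Connect-AzureAD -Credential $creds | Out-Null
Get-AzureADMSGroup -All $true |
    Where-Object { $_.GroupTypes -contains 'DynamicMembership' } |
    Select-Object DisplayName, Id, MembershipRule, MembershipRuleProcessingState |
    Format-List
```

Every call here is a read that a default-permission user is allowed to make, which is the point the talk makes about default user permissions; the one event this does generate is the sign-in for Connect-AzureAD, so run it from a location that fits the user and not from a throwaway IP if staying quiet matters.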
so if i have to run this one using the agility module get azure adms group and using the group types i am filtering for dynamic group membership there is just one group called payback means that has done that that is a dynamic group what is the dynamic group we'll discuss this pretty soon the attribute that has membership rule for a dynamic group right this to enumerate this one as we discussed earlier we have to actually use the azure ad preview now unfortunately the azure id preview also has a function with the same name so we will remove the azure id module from the current session this does not uninstalls the azure id module but simply removes it from the current one and import the azure id preview module and now run the same command as above but this time we want to check out the membership rule that's the membership rule and this also contains answer to the flag 6 attribute that has membership rule for a dynamic group that contains it and finally enterprise applications that is also that we enumerated right here get azure id services we can simply enumerate is similarly enumerate a lot of stuff using ac powershell as well ac powershell can be used to interact with both azure id and azure is if i put microsoft documentation the azure easy powershell module is a rollup module installing it downloads the generally available ac powerful module and makes your command let's publicly for use and that is why this takes time to install it installs more modules as well once you are connected now once you have the credentials similar to azure id module we can use the ps credential object once you are connected we'll come back to this in a moment we can get contacts so what is a context that is the account that is used to connect to the tenant the tenant description subscription uh etc please know that this is pretty interesting because if you let's say in a real assessment let's say you phish a user and you would like to check that okay what are what all tenants that 
this user has access to, and if that user has saved contexts using Save-AzContext, so if the user has done that, you can use Get-AzContext -ListAvailable to list all of those contexts and then you can use one of them, so that would be easy lateral movement. Also once you're connected you can list subscriptions, and these two are the ones that you would find yourself using a lot of times: all resources visible to the current user (not necessarily you have high privileges on those resources, but at least reader privileges) and all Azure role assignments on that user. Once again, if you have the privileges, these two would be pretty handy all the time. Okay, now let's use that actually. What we are going to do now is we are going to connect to the tenant we already have. If I list the $creds variable it contains the credentials of the PIM user that we created earlier, this is the PSCredential object. So let's connect to the tenant using Connect-AzAccount, that is Az PowerShell, and with these credentials. All right, let's run Get-AzContext, so that's what our current context is. Let's see if we have access to any resources. Excuse me, now this resulted in an error: this.Client.SubscriptionId cannot be null. What does this mean? This means that the current user has absolutely no role, has access to no resource, no Azure resource in the target environment. What a bummer, all that build up and what do we have here, this error, right? So if you see this, do you think why even am I wasting my Saturday evening in this class? Right, if you think that, we have some interesting setup here. Azure resources are not the only thing a user can have access to, all right. Recall the default permissions of a user: a user can invite guests as well, and then once you recall that, then recall this enumeration that we did using AzureADPreview: there is a dynamic group called PIM admins in the Retail Corp tenant. What is this membership rule?
Let me leave this open here because I believe now we are going to discuss, under the privilege escalation method, dynamic groups. Now what are dynamic groups? As the name suggests, membership of these groups is decided based on a user's or a device's properties, so that they can be automatically added to a dynamic group. Why would an organization like to use this? For example, an organization would like to add users to a particular group based on their UPN or department, let's say. So they would like to do this: okay, everyone who has IT as the department goes to the IT operations group, everyone who has, let's say, finance as the department is added to the finance group, or something like that, and so on. I mean everyone who belongs to a particular department, an organization may like to throw them dynamically into groups to reduce the IT overhead and reduce the chances of misconfigurations. Now whenever a group membership rule is applied, all the users' and devices' properties are evaluated for a match, and if an attribute changes for any user, all dynamic group rules are checked to see if there is a match. Please note, however, that no Azure AD roles can be assigned to a dynamic group. The reason is pretty simple, you know, abuse may lead to catastrophic results. But Azure RBAC roles can be assigned; abuse of that can also result in catastrophic results. But if both types of roles could not be assigned to dynamic groups, then what would be the use? So Azure roles can be assigned, that is, a dynamic group may have interesting roles on resources but not on other groups or users or applications. Like anything worth looking at in the Azure world, this needs an additional license, at least Premium P1. So how do you abuse dynamic groups? Now by default the biggest abuse case of this is using guest accounts. Now by default, as we saw, any user can invite guests in Azure AD. If a dynamic group rule allows adding users based
on attributes that a guest user can modify, it will result in abuse, there is no doubt about that. Now there are two ways where it could be done. One is before joining the tenant as a guest, and this is the one that we are going to use here. Let's say if we somehow know the rule, that is, if we have already compromised a rule, or if we have some insider information, or we have a rogue employee, whatsoever, that is, we have some insider information or we have a foothold and we know the rule. If we can enumerate a property, let's say the primary email, we can invite a guest with the email ID that matches the rule, that is before joining the tenant. After joining the tenant as a guest, a guest user can manage only their own profile, that is, a guest can modify their manager and their alternate email, that's it. So we can abuse a rule that matches on manager or alternate email. All right, now what does our rule here contain? Let's read the learning objective first. So the learning objective for privilege escalation is: invite a guest user to the Retail Corp tenant using credentials of the PIM user. Where did we get the credentials of the user from? From the publicly readable storage account, the partial script had that. Craft the invite in such a way to abuse the membership rule for the dynamic group PIM admins in Retail Corp and then use the membership of PIM admins to access a new container in the Retail Corp storage account and extract secrets from it. This is flags 7 and 8.
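The guest-attribute weakness described above is something a tenant owner can audit for. The following script is an added example, not code from the lecture or the lab: it reads dynamic group rules (via AzureADPreview's Get-AzureADMSGroup, as the lecture notes the plain AzureAD module omits MembershipRule) and flags rules that key on the attributes the lecture names as guest-controllable (mail, otherMails, manager), with a constructed sample so it can be run offline first. The function name, the severity labels and the sample rule text are my own.

```powershell
# Added example: audit dynamic group membership rules for attributes a guest can influence.
# Assumes Connect-AzureAD has been run and AzureADPreview is imported for the live part.
function Get-RiskyDynamicGroupRules {
    param(
        # Group objects are passed in so the function can also run offline on sample data.
        [Parameter(Mandatory)] [object[]] $Groups
    )
    # Attributes the lecture identifies as guest-controllable: mail is fixed by the invited
    # address before joining, manager and otherMails can be edited by the guest afterwards.
    $guestControlled = @('user.mail', 'user.otherMails', 'user.manager')

    foreach ($g in $Groups) {
        if (-not ($g.GroupTypes -contains 'DynamicMembership')) { continue }
        $rule = [string]$g.MembershipRule
        if ([string]::IsNullOrWhiteSpace($rule)) { continue }

        # Does the rule explicitly admit guests? (userType -eq "Guest" in the rule syntax)
        $matchesGuest = $rule -match '(?i)user\.userType\s*-eq\s*"Guest"'
        # Which guest-controllable attributes does the rule reference? (\b stops user.mail
        # from matching user.mailNickname)
        $usedAttrs = $guestControlled | Where-Object { $rule -match ('(?i)' + [regex]::Escape($_) + '\b') }

        if ($usedAttrs) {
            # Admitting guests on a guest-editable attribute is the worst case.
            $severity = if ($matchesGuest) { 'High' } else { 'Medium' }
            [pscustomobject]@{
                DisplayName     = $g.DisplayName
                Id              = $g.Id
                MatchesGuests   = $matchesGuest
                GuestAttributes = ($usedAttrs -join ', ')
                Severity        = $severity
                Rule            = $rule
            }
        }
    }
}

# Constructed sample data (shape of Get-AzureADMSGroup output; ids and rule text are invented).
$sampleGroups = @(
    [pscustomobject]@{ DisplayName = 'PIM admins'; Id = '<constructed-id-1>'
        GroupTypes = @('DynamicMembership')
        MembershipRule = '(user.userType -eq "Guest") and ((user.mail -contains "pim") or (user.mail -contains "admin"))' },
    [pscustomobject]@{ DisplayName = 'Finance'; Id = '<constructed-id-2>'
        GroupTypes = @('DynamicMembership')
        MembershipRule = '(user.department -eq "Finance")' },
    [pscustomobject]@{ DisplayName = 'Static group'; Id = '<constructed-id-3>'
        GroupTypes = @(); MembershipRule = $null }
)
# Only "PIM admins" is reported, with Severity High and GuestAttributes user.mail.
Get-RiskyDynamicGroupRules -Groups $sampleGroups | Format-Table DisplayName, Severity, GuestAttributes

# Live run against the tenant (AzureADPreview, as in the lecture):
# Remove-Module AzureAD -ErrorAction SilentlyContinue
# Import-Module AzureADPreview
# Get-RiskyDynamicGroupRules -Groups (Get-AzureADMSGroup -All $true) | Format-List
```

A rule that keys only on attributes IT controls (department, employeeId) is not flagged; the mitigation for a flagged rule is to rewrite it on such attributes or to exclude guests explicitly.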
So before inviting a guest user we need to craft them, right, to abuse the membership rule. What is the membership rule? This is the membership rule, you can get it from the command line and also from the portal, membership type dynamic; so if you go to dynamic membership rules here, that is the rule, the same one that we can see here. So what does the rule contain? There is an and condition and or conditions. First, let's take a look at the condition after and: a user must be a guest to be a member of this group, that's condition one. Now the .mail, that is their primary mail, must contain either pim, payment, admin or operations; that must be included in their primary email. Okay, understood. So what are we going to do now? We are going to invite our guest. So if you have been following the lab prerequisites, if you have not, then note this: you have to now create a tenant. You cannot invite, let's say, a Google account to be a member of a tenant, you need an Azure AD account, that is, you need a tenant. I mean you can go ahead and get a free one, check out the lab prerequisites document. So the user that I am going to invite: you can once again do it either using the GUI or using the command line; I prefer the command line in this case. So using New-AzureADMSInvitation we invite our user, let's call them invited attacker one. This is the user that I am going to invite. The invite redirect URL, that is, once the user accepts the invite they would be directed to this, portal.azure.com, and send invitation. Let's do this. So we got this one, check out this invite redeem URL. So let's copy that URL and let me actually use that on my host machine because my access to the remote machine is a bit slower. So let's access the invite. Okay, this doesn't seem to be pretty fast as well, but should be better at least. Okay, as the user, I think I was already signed in, nonetheless, as this user, the user that we invited. Please always keep this in mind: as the user that we
invited, if we now log in after accessing the invite redeem URL, oh okay, probably my user was already added there, okay so let's see, no, not already. So this is the consent experience, right: Retail Corporation, not shared by Microsoft, they want to sign you in with your name, email address and photo. This is what the basic sign-in looks like, that is, to be able to sign in you have to allow at least these permissions to Retail Corporation. So of course because we have sent it we'll accept it. I mean even if it was not us, the users are now conditioned to click accept, accept, accept 10 or 20 times every, not every day, every time they visit the site, so we would have accept in almost all the cases. Whatever, here, because we sent the invite, we promptly accepted it, and you would see that this user is now logged in to Retail Corporation, right? So in some cases, because I already was testing it, in some cases you may have to go to switch directory here, as I've described in the lab manual, and then switch to Retail Corporation. In any case, please note that the guest user may not be able to access any information, but at least they would be able to go to the blade. But if we look at the dynamic group right now, using the other tab where I'm logged in as a high privilege user, do we have a member? I mean it usually takes a couple of minutes before the membership is processed. Oh sweet, great that many of you are following, right, so this is the one that I invited. So as you could see, now we have users added to the invited, sorry, to the PIM admins group. Now once we have that, let's see what are the resources accessible to this user. As you would see, the license for this user is Azure AD Free whereas for other users, I mean, we are licensed, right, so that's the reason I was showing you that, not running it unlicensed or something like that. So here if you would like to, let's say, list the users, you don't have access to this data, and the same goes for
almost everything. But if we go to all resources here, that is not Azure AD but Azure, you would see that a storage account, retail corp, is accessible, which doesn't excite us right now. Why? Because retail corp is the storage account whose configuration container contains the script that we extracted earlier. So let's go to containers. So what do we have here? Configuration is the one that we read here, right, public access level container, that was the one, but there are a couple of new containers as well: logs and payments. Let's go to payments; it has a JSON file that is readable only to the users who are explicitly allowed to read it. Okay, this user does not have permission to look at the permissions, let me see as admin. So as a global administrator, just to show you, nothing specific here; so if I look at the IAM of the storage account itself, okay, here you can see that the PIM admins group has a PIM storage role, a custom role, on this resource. Now as the guest user let's access this pim.json, let's download it and open it up. So what does this look like? This looks like either a manifest of an application or a JSON ARM template; whatever it is, looks like a manifest to me. Whatever it is, we have the ID, the app ID, roles, members who are allowed to access it, there are no key credentials, there are some OAuth permissions, but there are password credentials. Key credentials are certificate credentials, and we have password credentials, that's the value, and you can start a victory dance once you have that. Why? As we discussed earlier, if you somehow have credentials of a service principal then almost all of the security controls would be ignored for that. So now what are you going to do? The process is going to be exactly the same, right; pentesting or red teaming is not what you see in movies, it is a set process and a lot of the time pretty repetitive. Of course there are moments when we really get a kick out of it, but a lot of the time it is pretty repetitive. So what are we going to do? We are going
to create a PSCredential object using the password that we got and using the app ID that we read from the beginning of the JSON file. So using these, let's create a PSCredential object and then use the Az PowerShell module to connect to the tenant as a service principal. Notice the difference: this time when I'm running Connect-AzAccount, I am using the service principal option here, right? So let's run this. Okay, now let's run Get-AzResource to list all the resources accessible to the current user. Sweet, now we can see that there is a new resource in the resource group named retail: there is a key vault called break glass vault. Now let's, not extract, enumerate the secrets: are there any secrets inside it? Yes, there is a secret inside it called privileged access. How do you read privileged access? Using the same command, but this time in addition to the vault name we specify the name of the secret. Okay, sweet, but how do we read the value of the secret? For that, let's first discuss the lateral movement part. So what we got was credentials of an enterprise application in the pim.json. So what is this enterprise application? Now once again, we discussed this earlier as well; let's discuss this once again. Any application in Azure AD, not in Azure, I'm not talking about App Services, I'm talking about Azure AD applications. Any application in Azure AD has two representations: application in PowerShell terminology, and app registration in the portal terminology, is present only in the tenant where the app is registered, whereas service principal in PowerShell terminology, that is enterprise application in the Azure portal, is present in every directory where the application is used, if it is a multitenant application. Azure RBAC roles use service principals. An application has one application object in its home directory, and this is from Microsoft documentation, I quote: an application has one application object in its home
directory that is referenced by one or more service principals in each of the directories where it operates, including the application's home directory. That is, service principals, that is enterprise applications, are instances of the applications and usually are the ones that we are interested in. Why? Because they can have access to Azure resources. Now there are many interesting things in enterprise applications; one such thing is the client secret. An application object supports multiple client secrets, called application passwords. A user that is owner or has the application administrator role over an application can add an application password, or if we can get an application password, I mean a client secret, the way we got it in our lab, that is, let's say, from an application backup, in any such case such a password can be used to log into a tenant as a service principal, and MFA, that is multi-factor authentication, and CAP, conditional access policies, are usually not applied on a service principal; I have absolutely never seen that, right? That is about enterprise applications, and that is what we abused to connect to the tenant. Now key vaults: what are key vaults? A key vault is the Azure service for storing secrets like passwords, connection strings, certificates, private keys; that is, as the name suggests, it is a vault. You should be very careful while providing access to a key vault; it is a place where you would have secrets stored. If you have access to a key vault, expect goodies, expect candies, right? Now if we have the right permissions and access, Azure resources that support managed identities like VMs, App Services, Functions, containers etc. can securely retrieve secrets from the key vault. Object types that are available within a key vault are cryptographic keys like RSA or elliptic curve etc.; secrets like passwords, connection strings, that is text-based secrets; certificates, a key vault can not only store a certificate, they can have life cycle management,
they can create, revoke, renew a certificate; and also storage account keys could be available, that is, a key vault can manage and rotate access keys for storage accounts. All of these interesting things are available in a key vault. Now just like storage accounts and many other services, a key vault must have a globally unique identifier, so it is something like this, and therefore all the objects as well: https://{vault-name}.vault.azure.net is the main URL or the base, and vault-name is what you must have globally unique. Then there is the object type, it could be keys, secrets or certificates, and then there is the object name; the object name must be unique within the key vault, no need to have it unique globally, thankfully, and then there is an optional object version. So why are we discussing this? Not applicable right away in our lab but could be useful to find out key vaults. I mean personally you would never ever find a key vault, you should never ever find a key vault this way, I'm not even sure if it would be possible to find it out, and you can enumerate it but of course as far as I know you cannot access it this way, but still pretty useful to know. Now how is the access to a key vault managed? Like any other storage, like even in the case of storage accounts it is managed the same way: there are two planes, management plane and data plane. In the case of the management plane, it is used to manage the key vault and its access policies, that is, who would have access to the key vault. It is the data plane that manages access to the data stored, that is keys, secrets and certificates. The data plane supports both key vault access policies and Azure RBAC. So if we notice this user, as the global administrator, if we take a look at the key vault break glass vault here, or any key vault for that matter, you would see that, so what do we mean by the management plane? That's the access control, IAM, here that controls the access to the key vault, not to the data stored in it. So you can see that the user retail admin has Key Vault
Administrator here and owner here, and PIM admin has a PIM admin role here, a custom role. So this is the management plane. Now the data plane is this: if you see under the settings blade there is this access policies; this is what the data plane is. Now in the case of the data plane you can either have the Azure RBAC role, as we have configured here, and that is what is recommended, but you can also have vault access policy. I mean this was, I believe, added just recently, a few months back or a year back; prior to that it was always only the vault access policy. Now in the case of vault access policy you can specify access to each object type, for example for the keys you can have permissions like these, for the secrets you can have permissions to read them, list them, whatsoever, and the same goes for the certificates, and then you specify a principal. But of course this is more prone to misconfigurations because there is a second level of different policies here, so therefore RBAC is what Microsoft recommends. These are the different secrets that are stored; for example if we go to the secrets tab, I don't think the current user, the global administrator, has the privileges to access it, so they won't be able to access the data plane. All right, however please keep this in mind: because the current user is a global administrator, they can, if let's say someone wants to abuse this, they can simply go to the subscription, add owner or whatever right they want to themselves, and then it will be inherited by the key vault, as it is done here for the other global administrator, the retail admin. All right, so please don't think that something can stop a global administrator, petty things like this, right? And yes, as I was saying, please note that a role like contributor that has permissions in the management plane to manage access policies can get access to the secrets by moving from the management to the data plane. So now how do we use or abuse it for lateral movement? If we can compromise a security principal that
has the permissions to read secrets from a key vault, we can of course get access to probably more resources. One very important thing to note here is that it is not possible to control access to individual objects, that is, if let's say a user is given access to read all the certificates in a key vault, they can read all the certificates; it is not possible to provide them access only to a single certificate in the vault. You either have access to all the object types or you do not have access at all for that object. So any overly permissive access policy may result in access to data, or if you compromise the right user that would also result in access to the data stored in the key vault. That is what our last learning objective is: check if the enterprise application pim has permission to access a key vault in Retail Corp, that is flag 9. We actually moved a bit ahead; yes, the user does have access to the service principal which does have access to a key vault, that is flag 9. Flag 10: abuse the permissions to read a secret from the key vault, this contains the answer to flag 10.
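The management-plane versus data-plane distinction above is what a reviewer of a subscription has to reason through for every vault. The script below is an added example, not code from the lecture or the lab: it takes a vault object and its role assignments (shaped like Get-AzKeyVault and Get-AzRoleAssignment -Scope output) and reports who can read secrets directly, and who can get there indirectly, by editing access policies (Contributor-class roles on an access-policy vault) or by assigning themselves a data-plane role (Owner / User Access Administrator on an RBAC vault, the global-administrator point from the lecture). The function name, the role lists and the sample objects are my own; the vault and principal names echo the lab but the values are constructed.

```powershell
# Added example: report secret-read paths into a key vault, direct and indirect.
# Assumes Az.KeyVault and Az.Resources are loaded and Connect-AzAccount has been run for the live part.
function Get-KeyVaultSecretAccessReport {
    param(
        [Parameter(Mandatory)] $Vault,                        # shaped like Get-AzKeyVault -VaultName output
        [Parameter(Mandatory)] [object[]] $RoleAssignments    # shaped like Get-AzRoleAssignment -Scope output
    )
    # Built-in data-plane RBAC roles that can read secrets (RBAC permission model).
    $secretReaderRoles = @('Key Vault Administrator', 'Key Vault Secrets User', 'Key Vault Secrets Officer')
    # Management-plane roles that can rewrite vault access policies (access-policy model).
    $policyEditorRoles = @('Owner', 'Contributor', 'Key Vault Contributor', 'User Access Administrator')
    # Roles that can create new role assignments, i.e. grant themselves a data-plane role.
    $roleAssignerRoles = @('Owner', 'User Access Administrator')
    $usesRbac = [bool]$Vault.EnableRbacAuthorization

    foreach ($ra in $RoleAssignments) {
        # Assignments from a parent scope (resource group, subscription) are inherited by the vault.
        $inherited = $ra.Scope -ne $Vault.ResourceId
        $path = $null
        if ($usesRbac -and $secretReaderRoles -contains $ra.RoleDefinitionName) {
            $path = 'direct (data-plane RBAC)'
        } elseif ($usesRbac -and $roleAssignerRoles -contains $ra.RoleDefinitionName) {
            $path = 'indirect: can assign a data-plane role'
        } elseif (-not $usesRbac -and $policyEditorRoles -contains $ra.RoleDefinitionName) {
            $path = 'indirect: can edit the access policy'
        }
        if ($path) {
            [pscustomobject]@{ Principal = $ra.DisplayName; Type = $ra.ObjectType
                               Via = $ra.RoleDefinitionName; Inherited = $inherited; Path = $path }
        }
    }
    if (-not $usesRbac) {
        # Access policies grant per-object-type permissions; get/list on secrets is direct read access.
        foreach ($p in $Vault.AccessPolicies) {
            $perms = @($p.PermissionsToSecrets)
            if ($perms -contains 'get' -or $perms -contains 'list' -or $perms -contains 'all') {
                [pscustomobject]@{ Principal = $p.DisplayName; Type = 'AccessPolicy'
                                   Via = ($perms -join ','); Inherited = $false; Path = 'direct (access policy)' }
            }
        }
    }
}

# Constructed sample: an RBAC-mode vault, a user with both a direct role and an inherited Owner,
# and a service principal with a secrets role (mirrors the lab's shape, values are invented).
$vault = [pscustomobject]@{
    VaultName = 'breakglassvault'
    ResourceId = '/subscriptions/<sub-id>/resourceGroups/retail/providers/Microsoft.KeyVault/vaults/breakglassvault'
    EnableRbacAuthorization = $true
    AccessPolicies = @()
}
$assignments = @(
    [pscustomobject]@{ DisplayName = 'retail admin'; ObjectType = 'User'; RoleDefinitionName = 'Key Vault Administrator'; Scope = $vault.ResourceId },
    [pscustomobject]@{ DisplayName = 'retail admin'; ObjectType = 'User'; RoleDefinitionName = 'Owner'; Scope = '/subscriptions/<sub-id>' },
    [pscustomobject]@{ DisplayName = 'pim'; ObjectType = 'ServicePrincipal'; RoleDefinitionName = 'Key Vault Secrets User'; Scope = $vault.ResourceId }
)
# Expected: three rows; the Owner row is Inherited and flagged as an indirect path.
Get-KeyVaultSecretAccessReport -Vault $vault -RoleAssignments $assignments | Format-Table

# Live run over every vault visible to the current Az context:
# foreach ($v in Get-AzKeyVault) {
#     $full = Get-AzKeyVault -VaultName $v.VaultName -ResourceGroupName $v.ResourceGroupName
#     Get-KeyVaultSecretAccessReport -Vault $full -RoleAssignments (Get-AzRoleAssignment -Scope $full.ResourceId)
# }
```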
That is how do we read the secret: simply append -AsPlainText at the end of it, because we have the permissions to do so, and we would get access to the secret, and that is the final flag, flag 10, for the learning objective. And yep, that would be all for the class. Please feel free to ask questions, please provide feedback, make people know about this. So a lot of hard work has gone into creating this class, right; I mean it looks like it is a free class, I mean it is, but for us it was not free, a lot of hard work has gone here. Make sure that you spread the word about it. There is, in my opinion, a lack of quality Azure security training, so at least this is something; if you cannot afford a paid class from us or from anyone else, I mean not selling anything here, but if you cannot afford the class from us or anything else, at least use this as a start. You can follow me once again on Twitter, I'm nikhil_mitt; if required, if you want, you can directly reach out to me on nikhil security.com. Yeah, buy more from us, just visit our website etc., and of course if you are watching this later on make sure that you join our Discord, that is something that I use the most for all announcements, and Twitter, that's what we're going to do, right. So that would be all. Any questions please, or comments? Thanks a lot for all the good comments; I mean there are no bad comments I could see right now, so thanks a lot for all the kind words. All right, so I will just read out some good comments so that me and my team can stay motivated. So for example: what a great course, greetings from Panama. Thanks a lot. I really appreciate all your work, you could have done thousands of other things but you have learnt how to teach this, thank you. Thanks a lot. So why I'm reading this out: once in a while there would be a comment that takes us off our feet, so that is why I'm reading these, so that me and my team can stay
motivated. Yes, I feel that, I mean to be honest, and that is what I would say: many of you were not able to access the live session, but if you could see, at no point of time were there more than 200 live users in our session; some people simply registered and then forgot, but that happens. Expect the same level of enthusiasm from me when I'm answering the questions on Discord; however I've tried my best to include all the learning aids already in the lab portal. I will share, and this is something that you may like to listen to carefully, I will share the recording in the lab portal as soon as that is possible, that is initiated with us. So Zoom usually takes at least half an hour or an hour, depending on the length of the meeting, to share it; as soon as it is shared we'll upload it on our lab portal and then you can access it. Thanks a lot everyone, thanks a lot to those of you who are thanking me for the time and effort; yes, it was a lot of time and effort, so thank you so much. Can we have lab access for a few more days to practice? You can have it, it is all for you, I mean we do not limit access, so it is there for you. Thanks a lot for that, Dexter. So is there any other question, anything about the completion certificate or something else? No more questions. Will we get a completion certificate? Yes, but for that go to the completion certificate tab here in the lab portal and you have to submit the 10 flags that we have covered in the learning objectives, and then yes, you will get a completion certificate and a verifiable badge. Thanks Wolfman, nice to see you again, as for all of my past students who showed up here; I recognized many of you, couldn't address everyone right away but I recognize a lot of you just by your handles. Is this session a subset of CARTP? I would say a very small subset of it, of the enumeration part I would say; so for example we do cover dynamic groups, storage accounts, key vaults there
as well, so yep, you can think of it as a small subset of it, but the lab is super big compared to this, of course. Thanks a lot, all right, so with this I think I should stop the class. Okay, a couple more questions showed up. Is this a prerequisite for AZ-900? Okay, for CRTP is AZ-900 a prerequisite? I would not say so, I mean it helps but I do not expect you to have that. Any plans for CARTP bootcamps post April 2020? So I believe, I mean that's too far in the future, but there are no plans to stop the classes, so there should be one. Do we have access to the slides? No, unfortunately that would not be there. Can we get a list of the tools required for Azure AD pen testing? I think, infosec quick, please search the message history, I think Dexter shared a list of tools that you can use. How many days of lab will be there? There is no limitation, feel free to use it as long as you want. When will the bootcamp on CRTP be? There is one scheduled in January, at least one would be there. All right then, so let me stop this, and thank you so much for all the support and showing up, and let's stay in touch. This Discord is not bound to a particular training, so let's keep discussing Azure security and everything else here, right. Thanks a lot then, bye.
Info
Channel: Altered Security
Views: 8,592
Keywords: Azure, AzureAD, Altered Security, AltSec, Information Security, Pentesting, RedTeaming, Penetration Testing, RedTeam, Education
Id: 5dVSHuCEG2w
Length: 200min 13sec (12013 seconds)
Published: Sun Dec 19 2021