Let's talk about tiered administration in AzureAD:

- What it starts with
- How it can be violated
- What you can do about that

In 10 tweets or less. Go:
1/ There are three default admin roles that belong to Tier Zero in AzureAD:

Global Admin
Priv. Role Admin
Priv. Auth Admin

Everything IN tier zero is tier zero. Everything ELSE is not tier zero has has no business controlling anything IN tier zero.
2/ These admin roles aren't of much use if you don't grant them to anyone. Let's grant a service principal the Global Admin role:
3/ If we agree that this service principal needs this role assignment, then this isn't a *violation* of tiered administration -- it is an *expansion* of the definition of tier zero in our environment:
4/ You've expanded the definition of what tier zero is to now include this service principal. Cool.

But what has control of this service principal? For starters, the Cloud App Admin role:
5/ Other things control this SP, too, but let's stay focused on this admin role to illustrate the point.

We've agreed that the SP needs GA and will be part of Tier Zero. We must now also agree that the Cloud App Admin role is a tier zero role, as well:
6/ Why must Cloud App Admin be tier zero? Because the actions allowed by this role are immutable: you cannot change them. ANYONE granted this role can control your tier zero SP now, so this role must now be considered tier zero.
7/ Now let's say we grant the Cloud App Admin role to two users: a tier zero user and a tier one user:
8/ Now we have a tiered administration violation: a tier one user has control of a tier zero object.

See this post for how an attacker can abuse this: posts.specterops.io/azure-privileg…
9/ The "all or nothing" nature of Azure AD admin roles means that the most straight-forward way to deal with this is to revoke the tier one user's Cloud App Admin role assignment
10/ You can start to find these tiered administration violations yourself today with FOSS #BloodHound: github.com/BloodHoundAD/B…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Andy Robbins

Andy Robbins Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @_wald0

1 Dec
Thread:

API permissions in #Azure can be configured such that attack paths leading to Global Admin emerge. Prior work and links to our work below:
Blog: Azure Privilege Escalation via Azure API Permissions Abuse posts.specterops.io/azure-privileg…
Read 7 tweets
27 Nov
Thread:

It was @JohnLaTwC who famously said:

“Attackers think in graphs. Defenders think in lists. As long as this is true, attackers win.”

If you’ve seen more than one of my talks, you might think I’m contractually obligated to include this quote in every talk I do.
This quote means a lot to me. A LOT. Graph theory, to me, almost seems like it was invented solely for the information security field. Its purpose and reach is obviously waaaaaaay further than our field, but…
… we have BARELY scratched the surface of what’s possible with applied graph theory in information security. The core feature of #BloodHound is finding the shortest path between two nodes. The algorithm this is based on was first published in 1959.
Read 13 tweets
25 Nov
There are worlds of untapped security research opportunities in Azure - growing, dynamic, and multiplying worlds. The next few years will produce amazing research. Get a head start with the following resources:
The world-class writings of @inversecos: inversecos.com/?m=1
Read 7 tweets
12 Sep
At a high level, what security-related strategies and policies should Microsoft employ over the next ten years? Here are my ideas, but I want to know what you think as well: 🧵
Number one: take radical ownership over customer security outcomes. Microsoft is already doing this with the introduction of built-in safety rails in Azure. But there’s much more opportunity here:
Historically, Microsoft has made all the tools available to admins to secure their networks: Windows firewall, device guard, application guard, etc. A well-resourced, well-financed admin can make an AD domain *amazingly secure*. But most do not.
Read 16 tweets
7 Sep
Three of the most common issues #BloodHoundEnterprise finds, their impacts, and how you can use FOSS #BloodHound to find and fix these issues yourself, today: 🧵
Issue #1: Domain Controller object ownership. This issue is *extremely* common and *extremely* dangerous when looking at attack path possibilities this opens up. This is also *extremely* easy to fix.
In FOSS #BloodHound, run this query using the "raw query" bar at the bottom:

MATCH (g:Group)
WHERE g.objectid ENDS WITH '-516'
MATCH p = (n:Base)-[:Owns]->(c:Computer)-[:MemberOf*1..]->(g)
RETURN p
Read 17 tweets
11 Aug
(1/6) One of the most powerful and valuable aspects of a red team assessment is its ability to cut straight through any pre-existing notions of a network's security posture. 🧵
(2/6) The facts of a devastating attack path, well-executed, cut through egos, politics, ineffective operational momentum, and spell it out very plainly for everyone to see: the red team got in, took control of everything, and you couldn't stop them.
(3/6) Getting your teeth kicked in like that hurts, but professional red teams know how to turn that pain into value for the customer, and help them see it as an opportunity to improve.
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(