Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Andy Robbins Profile picture
@_wald0
Feb 25, 2022 15 tweets 9 min read Read on X
Scrolly
There has never been a better time than right now to get involved with Azure security research.

Not convinced yet? Let's compare where we are with Azure versus where we are with on-prem AD: 🧵
Active Directory initially came out in December of 1999. Now it's 2022. What's happened between then and now? Image
We actually had pass-the-hash before AD came out, but it wasn't really made practical until @hernano released the PTH Toolkit in 2007, nearly 8 years after AD's release: Image
2011 gave us Mimikatz by Benjamin Delpy (@gentilkiwi), 2012 gave us Responder by Laurent Gaffié (@PythonResponder). Two tools that are still used every day by every pentest shop a full decade after they came out: Image
Tim Medin (@TimMedin) gave us Kerberoasting in 2014 - FIFTEEN YEARS after AD came out. Will Schroeder (@harmj0y) and Lee Christensen (@tifkin_) published their ADCS whitepaper and tooling just last year: Image
What do these tools and techniques all have in common?

✅ - They all came out several years after AD's initial release
✅ - They have all stood the test of time and are all still used on a daily basis
✅ - NONE of them are "exploits" - they are abuses and abuse tooling
What about Azure? Technically, Azure initially came out in 2008. For an apples-to-apples comparison, let's put 2022 in the middle of our Azure timeline: Image
In 2018, a full ten years after Azure's initial release, Karl Fosaaen (@kfosaaen) gave us Microburst: Image
2020 gave us PowerZure by Ryan Hausknecht (@Haus3c), Stormspotter by Leron Gray (@mcohmi), and ROADtools by Dirk-jan Mollema (@_dirkjan): Image
We are still in the early days of Azure security research. Compare where we are in 2022 with Azure compared to where we were in 2011 with AD: Image
There are OCEANS of attack research opportunity in Azure. We are not even CLOSE to done. Who knows what the next 10 years might bring?
This isn't a controversial opinion - quite the opposite, as the results of this poll show:
Ok. So you want to get involved. What do you do?

First, read this blog post by @JohnLaTwC: medium.com/@johnlatwc/def…

John's post, for me, argues very effectively for the value attack research provides for defense:
Second, catch up by reading everything written by these people:

@kfosaaen, @asegunlolu, @inversecos, @_dirkjan, @olafhartong, @DrAzureAD, @joslieben, @DebugPrivilege, @mariussmellum, @PyroTek3, @Haus3c
Third, consider watching my talk at @1ns0mn1h4ck next month, where I will try to give you my best walk-through of my own abuse research methodology that you can use and improve: insomnihack.ch/register/

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Andy Robbins

Andy Robbins Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @_wald0

Andy Robbins Profile picture
Feb 17, 2023
This week I added 5 new functions to #BARK. A quick thread explaining each one with examples:
Get-ServicePrincipalOwner

List the current owner(s) of a specified #Azure AD Service Principal.

Example:
New-ServicePrincipalOwner

Add a new owner to an AAD Service Principal. Owners can add credentials to SPs and then auth as them.

Example:
Read 8 tweets
Andy Robbins Profile picture
Feb 16, 2023
Azure App Service Web Apps are yet another #Azure service that supports managed identity assignments.

Here's how attackers can use #BARK to abuse those assignments: Image
There are at least 3 ways to achieve code execution on an Azure App Service Web App ("Azure Web App" from here on) instance:

1. The Kudu shell execution API endpoints
2. Poison deployment to include a web shell in the app
3. Find a cmd execution vulnerability in the deployed app
We'll focus on #1 - abusing the built-in Kudu shell execution endpoints.

This is the feature the Azure GUI uses as its "Debug Console" and is documented here: github.com/projectkudu/ku…

@kfosaaen discussed this in his August 2020 blog post here: netspi.com/blog/technical… Image
Read 9 tweets
Andy Robbins Profile picture
Feb 4, 2023
Interest check: should I continue developing this research? Read my notes here and please let me know if you think this is worth pursuing further.

Problem: attackers have been moving their C2 channels to legitimate services to evade detection, slip through block lists, etc.
Examples:

github.com/boku7/azureOut…
3xpl01tc0d3r.blogspot.com/2020/03/introd…

Defenders and vendors have to play catch-up whenever one of these novel C2 methods becomes popular.
I believe it's possible to proactively, semi-automatically discover these methods in existing and emerging cloud services. We can assess their attractiveness to attackers, vendors can make them less attractive and prioritize their own detection efforts.

How?
Read 15 tweets
Andy Robbins Profile picture
Sep 20, 2022
#Azure Managed Identity assignments are "secure by default."

Dangerous attack paths can emerge around these assignments.

Here's those attack paths emerge, how attackers abuse them, and how defenders can eliminate them: 🧵
First we should understand what Managed Identities are. I think the best way is to understand the problem they are designed to solve.

We have a great recent example of this problem from the alleged Uber breach, where a PowerShell script may have been storing plain text creds:
This problem is not new and not surprising to many people:
Read 25 tweets
Andy Robbins Profile picture
Sep 13, 2022
Tiered Administration is among the strongest security controls that exist.

But the vast majority of organizations do not use it.

Here is how you can get started using Tiered Administration TODAY in your #Azure environments: 🧵
First, understand the problem we are trying to solve with Tiered Administration:

Tiered Administration protects your most privileged assets from compromise in the event that less privileged assets are compromised.

It's the wombo combo of least privilege and defense in depth.
Do Tiered Administration effectively and you DRAMATICALLY reduce risks posed by ransomware actors, insider threats, etc.

Most efforts get stuck in the very first step: identifying which assets go into which tiers.

Here's how you do this:
Read 11 tweets
Andy Robbins Profile picture
Aug 25, 2022
How to prevent Kerberoasting:

Kerberoasting is an incredibly powerful and reliable attack against Active Directory. In some situations it can result in an attacker becoming Domain Admin nearly instantaneously.

Here's how to prevent this attack: 🧵 Image
First we need to identify Active Directory users that are "kerberoastable" - possible targets for the attacker to choose to Kerberoast.

Kerberoast relies on a user having some value in their "serviceprincipalnames" attribute.

Find all of them instantly with no 3rd party tools:
dsquery has been built in to Windows Server since Server 2008. You also get it when installing RSAT.

Here's the command:

dsquery * "dc=contoso,dc=com" -filter "(&(objectcategory=user)(servicePrincipalName=*))" -attr distinguishedName servicePrincipalName
Read 12 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(