Share this page!

Andy Robbins Profile picture
Twitter logo
Apr 11 12 tweets 4 min read
Users in Azure deserve attention from attackers and defenders. But Service Principals deserve as much attention, and actually maybe deserve much more attention than users. A quick thread on why, and resources for attackers and defenders:
First, the password reset system in Azure has tiered administration baked into it. Only your T0 users can reset T0 users' passwords:
That system is amazingly effective at preventing the existence of password reset based attack paths.

But attack paths involving adding new service principal credentials can and do emerge.

And nowhere are those attack paths more difficult to audit than when they involve MIs
MIs are managed identities - a way for an Azure resource to authenticate to other Azure services, without needing to know any passwords.

Say for example you want to run a VM in Azure. Your initial setup will look like this:
The subscription has a trust relationship with AzureAD. But unlike vanilla on-prem AD, this trust relationship does NOT restrict direction of access.

Now let's establish a managed identity for the VM, so the VM itself can access Azure resources:
So far so good, we haven't introduced any dangerous configurations yet.

Now let's introduce a user into the mix, and we'll give that user control of the Resource Group above the VM:
Because role assignments always inherit down to all descendent objects in Azure, the User gains control not only of the resource group, but also of the VM.

And because the User controls the VM, an attack path (in red) has emerge connecting the User to the Service Principal:
Two disparate, seemingly unconnected configurations have created an attack path that may lead to escalation of privilege. This is classic "list-based" versus "graph-based" thinking.

Here's what defenders should do about this:
First, understand that any managed identity assignment can turn an Azure resource (like a VM) into a Tier Zero object, if the Service Principal is Tier Zero. And because Azure role assignments inherit down, that makes the ENTIRE subscription Tier Zero:
Second, read this guidance from @inversecos on detecting malicious backdoors around automation accounts, which themselves revolve around service principals: inversecos.com/2021/12/how-to…
Third: if you have a P2 license, use Microsoft's access review feature to keep track of dangerous role assignments being granted to service principals: docs.microsoft.com/en-us/azure/ac…
Finally, consider joining me on this webinar next week, where I will show you how #BloodHoundEnterprise brings Attack Path Management to Azure: specterops.zoom.us/webinar/regist…

I will also introduce and demonstrate two new abuse primitives in Azure which abuse managed identities.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Andy Robbins

Andy Robbins Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @_wald0

Andy Robbins Profile picture
Mar 18
The #BloodHoundEnterprise team's working culture, as explained by Marcus Aurelius, a short thread: 🧵
“The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane.”

We are not afraid of challenging the status quo and doing things radically different than what came before.
“If someone is able to show me that what I think or do is not right, I will happily change, for I seek the truth, by which no one was ever truly harmed. It is the person who continues in his self-deception and ignorance who is harmed.”

Every week we have "Demo/Retro", which...
Read 7 tweets
Andy Robbins Profile picture
Mar 14
This thread is absolutely chock full of real stories about really dangerous configurations.

But instead of seeing and blaming the *people* behind those stories, we should be identifying and understanding the *patterns* in these stories.

Some quick thoughts in this thread: 🧵
There are 3 major reasons I see why we should not be blaming the people behind these dangerous configurations:

First: It doesn't help. Honestly, what evidence do we have that screeching at admins to do "the basics" has created positive outcomes?
Second: Don't forget where you came from. No one is born with all the knowledge needed to avoid these mistakes. What you see as "basic", someone else sees as secret arcane knowledge. A little empathy goes a long way here.
Read 12 tweets
Andy Robbins Profile picture
Feb 25
There has never been a better time than right now to get involved with Azure security research.

Not convinced yet? Let's compare where we are with Azure versus where we are with on-prem AD: 🧵
Active Directory initially came out in December of 1999. Now it's 2022. What's happened between then and now? Image
We actually had pass-the-hash before AD came out, but it wasn't really made practical until @hernano released the PTH Toolkit in 2007, nearly 8 years after AD's release: Image
Read 15 tweets
Andy Robbins Profile picture
Feb 21
In Windows and Active Directory, there is one system responsible for making access decisions in nearly *all* cases: the Security Reference Monitor. This system makes access decisions by analyzing security descriptors on securable objects and User Rights Assignments:
In "Azure", the story is very, very different. There are multiple forms of access control, and multiple services responsible for making access decisions.

"Azure" means the 600+ distinct services that comprise Microsoft's cloud computing platform.
Understanding who has control of any given object in any given Azure service requires a complete understanding of *all* of these systems and how they cooperate with one another.
Read 4 tweets
Andy Robbins Profile picture
Feb 15
New abuse primitives that take advantage of legitimate administrative protocols and features are wildly exciting. Why? Because no object is an island. Everything is interconnected, and that interconnectedness can have enormous impact. Thread: 🧵
You may or may not be familiar with the childrens' book, "If You Give a Mouse a Cookie:" Image
It's a classic children's moral illustrating the slippery slope idea:

If you give a mouse a cookie, it will ask for a glass of milk.
But it's too hard to drink the milk, so now the mouse wants a straw.
The mouse is worried it has a milk mustache, so now it wants a mirror.

etc
Read 12 tweets
Andy Robbins Profile picture
Jan 20
In the upcoming #BloodHound 4.1 release, we are introducing 3 new edges. Let me explain why this is actually more impactful than it may sound: 🧵
Let's say you have a basic graph with 3 nodes all connected to each other (this is called a Strongly Connected Graph). We'll call these nodes 1, 2 and 3:
How many possible paths are there? We can determine that by searching through non-cyclic trees originating from each node. For example, if we start at 1, we can visit 2 then 3, or 3 then 2:
Read 19 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(