Share this page!

Maybe Scrolly?
Andy Robbins Profile picture
Twitter logo
Jun 1 11 tweets 3 min read
Where do #Azure attack paths come from? Attack paths that abuse (mis)configurations generally emerge from two types of control in Azure: explicit control and implicit control.

Let's see what that means and how you as a defender can eliminate the most dangerous paths:🧵
Explicit control means there is a one-to-one control relationship clearly defined on the controlled object. For example, Azure Users can be made explicit owners of Azure Service Principals: Image
David owns MyCoolAzureApp, meaning David can add a new credential to that Service Principal and authenticate as it, taking over the identity.

But this explicit configuration does not exist in isolation: there are paths INTO the user OUT of the SP: Image
For example, let's say the SP has been granted an AzureAD admin role: Image
Because of the *explicit* control relationship between David and the SP, an attack path has emerged connecting David to the Cloud App Admin role: Image
That's explicit control. Implicit control is one-to-many control that's implied through, for example, AzureAD admin roles.

Let's look at Cloud App Admin as an example. The "MyCoolAzureApp" SP has that role. But there are other SPs in the tenant as well: Image
When this role assignment is scoped to the tenant (as opposed to a specific SP or app), the assignee gains control of ALL apps and SPs in the tenant. "MyCoolAzureApp" can add new secrets to these other SPs: Image
This combination of explicit and implicit control makes no difference to the adversary, who sees attack paths, not individual lists of configurations: Image
As a defender, you will get the biggest bang for your buck in eliminating such attack paths by taking the following steps:

1. Remove any AzureAD admin role assignments where an SP has been granted Global Admin, Privileged Role Admin, or Privileged Auth Admin
2. Remove any MS Graph app role assignment where an SP has been granted AppRoleAssignment[.]ReadWrite[.]All or RoleManagement[.]ReadWrite[.]Directory
3. Alert on any SP being granted one of the above AzureAD admin roles or MS Graph app roles.

Doing those 3 things will dramatically reduce your attack path risks in Azure.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Andy Robbins

Andy Robbins Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @_wald0

Andy Robbins Profile picture
May 27
One year ago this week I published The Attack Path Management Manifesto, which you can read here: medium.com/p/3a3b117f5e5

It's a long read, so in this thread I'm going to give you the most succinct version of the manifesto I can:
Adversaries have been abusing identity-based attack paths -- in particular those that emerge in Active Directory environments -- for over 20 years. Why? There are three major reasons:
1. Active Directory is the FOUNDATION upon which all identity and access in the enterprise is built. Your workstation? AD auth. Your CI/CD pipeline? AD via ADFS. Your network devices? AD via RADIUS.

Control the foundation and you control the enterprise.
Read 25 tweets
Andy Robbins Profile picture
May 25
MSRC came back on my case and said:

"...this case does not meet the bar for servicing by MSRC and we will be closing this case..."

and:

"...This is considered by-design..."

A quick thread on what the "issue" is and why MSRC is right 🧵
While preparing for my @WWHackinFest talk, I was creating demo videos showing Managed Identity abuse primitives in various Azure services. For example, you can remotely extract the JWT for a VM's managed identity like this:
My abuse primitive demo for Logic Apps was a little different: I was using the Logic App to add a secret to another Service Principal, then capturing the output in the Logic App, showing the other Service Principal's new key credential in plain text:
Read 10 tweets
Andy Robbins Profile picture
Apr 29
Neo4j's cypher query language can seem strange at first, but it starts to make sense once you realize one simple thing:

It's ASCII art.

A quick thread on some very basic cypher concepts: 🧵
Nodes and edges are the two foundational building blocks of a graph. Nodes have labels (User, Group), and edges have types (MemberOf): Image
Consider the following graph, which we will use to explore patterns with cypher: Image
Read 9 tweets
Andy Robbins Profile picture
Apr 21
Yesterday in my webinar on ACR Task abuse, I shared this slide with the question, "What privileges are needed to bridge this trust boundary?"

A thread about the differences between Explicit and Emergent IDP Trusts: 🧵 Image
In its default state, an Azure tenant enforces a trust boundary around itself. The Azure Security Token Service (STS) for this tenant will only authenticate principals within this tenant. In other words: only users in your tenant can access anything in your tenant.
"Global Admins" and "External Identity Provider Administrators" can configure various types of Explicit Trusts with other Identity Providers (IDPs), and then allow foreign users to access resources in the tenant: Image
Read 13 tweets
Andy Robbins Profile picture
Apr 11
Users in Azure deserve attention from attackers and defenders. But Service Principals deserve as much attention, and actually maybe deserve much more attention than users. A quick thread on why, and resources for attackers and defenders:
First, the password reset system in Azure has tiered administration baked into it. Only your T0 users can reset T0 users' passwords:
That system is amazingly effective at preventing the existence of password reset based attack paths.

But attack paths involving adding new service principal credentials can and do emerge.

And nowhere are those attack paths more difficult to audit than when they involve MIs
Read 12 tweets
Andy Robbins Profile picture
Mar 18
The #BloodHoundEnterprise team's working culture, as explained by Marcus Aurelius, a short thread: 🧵
“The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane.”

We are not afraid of challenging the status quo and doing things radically different than what came before.
“If someone is able to show me that what I think or do is not right, I will happily change, for I seek the truth, by which no one was ever truly harmed. It is the person who continues in his self-deception and ignorance who is harmed.”

Every week we have "Demo/Retro", which...
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(