Where do #Azure attack paths come from? Attack paths that abuse (mis)configurations generally emerge from two types of control in Azure: explicit control and implicit control.
Let's see what that means and how you as a defender can eliminate the most dangerous paths:🧵
Explicit control means there is a one-to-one control relationship clearly defined on the controlled object. For example, Azure Users can be made explicit owners of Azure Service Principals:
David owns MyCoolAzureApp, meaning David can add a new credential to that Service Principal and authenticate as it, taking over the identity.
But this explicit configuration does not exist in isolation: there are paths INTO the user OUT of the SP:
For example, let's say the SP has been granted an AzureAD admin role:
Because of the *explicit* control relationship between David and the SP, an attack path has emerged connecting David to the Cloud App Admin role:
That's explicit control. Implicit control is one-to-many control that's implied through, for example, AzureAD admin roles.
Let's look at Cloud App Admin as an example. The "MyCoolAzureApp" SP has that role. But there are other SPs in the tenant as well:
When this role assignment is scoped to the tenant (as opposed to a specific SP or app), the assignee gains control of ALL apps and SPs in the tenant. "MyCoolAzureApp" can add new secrets to these other SPs:
This combination of explicit and implicit control makes no difference to the adversary, who sees attack paths, not individual lists of configurations:
As a defender, you will get the biggest bang for your buck in eliminating such attack paths by taking the following steps:
1. Remove any AzureAD admin role assignments where an SP has been granted Global Admin, Privileged Role Admin, or Privileged Auth Admin
2. Remove any MS Graph app role assignment where an SP has been granted AppRoleAssignment[.]ReadWrite[.]All or RoleManagement[.]ReadWrite[.]Directory
3. Alert on any SP being granted one of the above AzureAD admin roles or MS Graph app roles.
Doing those 3 things will dramatically reduce your attack path risks in Azure.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
One year ago this week I published The Attack Path Management Manifesto, which you can read here: medium.com/p/3a3b117f5e5
It's a long read, so in this thread I'm going to give you the most succinct version of the manifesto I can:
Adversaries have been abusing identity-based attack paths -- in particular those that emerge in Active Directory environments -- for over 20 years. Why? There are three major reasons:
1. Active Directory is the FOUNDATION upon which all identity and access in the enterprise is built. Your workstation? AD auth. Your CI/CD pipeline? AD via ADFS. Your network devices? AD via RADIUS.
Control the foundation and you control the enterprise.
"...this case does not meet the bar for servicing by MSRC and we will be closing this case..."
and:
"...This is considered by-design..."
A quick thread on what the "issue" is and why MSRC is right 🧵
While preparing for my @WWHackinFest talk, I was creating demo videos showing Managed Identity abuse primitives in various Azure services. For example, you can remotely extract the JWT for a VM's managed identity like this:
My abuse primitive demo for Logic Apps was a little different: I was using the Logic App to add a secret to another Service Principal, then capturing the output in the Logic App, showing the other Service Principal's new key credential in plain text:
Yesterday in my webinar on ACR Task abuse, I shared this slide with the question, "What privileges are needed to bridge this trust boundary?"
A thread about the differences between Explicit and Emergent IDP Trusts: 🧵
In its default state, an Azure tenant enforces a trust boundary around itself. The Azure Security Token Service (STS) for this tenant will only authenticate principals within this tenant. In other words: only users in your tenant can access anything in your tenant.
"Global Admins" and "External Identity Provider Administrators" can configure various types of Explicit Trusts with other Identity Providers (IDPs), and then allow foreign users to access resources in the tenant:
Users in Azure deserve attention from attackers and defenders. But Service Principals deserve as much attention, and actually maybe deserve much more attention than users. A quick thread on why, and resources for attackers and defenders:
First, the password reset system in Azure has tiered administration baked into it. Only your T0 users can reset T0 users' passwords:
The #BloodHoundEnterprise team's working culture, as explained by Marcus Aurelius, a short thread: 🧵
“The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane.”
We are not afraid of challenging the status quo and doing things radically different than what came before.
“If someone is able to show me that what I think or do is not right, I will happily change, for I seek the truth, by which no one was ever truly harmed. It is the person who continues in his self-deception and ignorance who is harmed.”