This week I added 5 new functions to #BARK. A quick thread explaining each one with examples: Get-ServicePrincipalOwner

List the current owner(s) of a specified #Azure AD Service Principal.

Example:

Azure App Service Web Apps are yet another #Azure service that supports managed identity assignments.

Here's how attackers can use #BARK to abuse those assignments: There are at least 3 ways to achieve code execution on an Azure App Service Web App ("Azure Web App" from here on) instance:

1. The Kudu shell execution API endpoints
2. Poison deployment to include a web shell in the app
3. Find a cmd execution vulnerability in the deployed app

Interest check: should I continue developing this research? Read my notes here and please let me know if you think this is worth pursuing further.

Problem: attackers have been moving their C2 channels to legitimate services to evade detection, slip through block lists, etc. Examples:

github.com/boku7/azureOut…
3xpl01tc0d3r.blogspot.com/2020/03/introd…

Defenders and vendors have to play catch-up whenever one of these novel C2 methods becomes popular.

#Azure Managed Identity assignments are "secure by default."

Dangerous attack paths can emerge around these assignments.

Here's those attack paths emerge, how attackers abuse them, and how defenders can eliminate them: 🧵 First we should understand what Managed Identities are. I think the best way is to understand the problem they are designed to solve.

We have a great recent example of this problem from the alleged Uber breach, where a PowerShell script may have been storing plain text creds:

Tiered Administration is among the strongest security controls that exist.

But the vast majority of organizations do not use it.

Here is how you can get started using Tiered Administration TODAY in your #Azure environments: 🧵 First, understand the problem we are trying to solve with Tiered Administration:

Tiered Administration protects your most privileged assets from compromise in the event that less privileged assets are compromised.

It's the wombo combo of least privilege and defense in depth.

How to prevent Kerberoasting:

Kerberoasting is an incredibly powerful and reliable attack against Active Directory. In some situations it can result in an attacker becoming Domain Admin nearly instantaneously.

Here's how to prevent this attack: 🧵 First we need to identify Active Directory users that are "kerberoastable" - possible targets for the attacker to choose to Kerberoast.

Kerberoast relies on a user having some value in their "serviceprincipalnames" attribute.

Find all of them instantly with no 3rd party tools:

Take a close look at BARK's functions and you will see that most of them are simple wrappers around basic REST API calls. This means it's very easy to extend BARK.

For example, BARK is missing a function to list virtual machines. Here's how easy this is to add: 🧵 Let's look at an existing function that lists objects in AzureRM, "Get-AllAzureRMResourceGroups":

Problem: you want to collect data with AzureHound but you can't use simple username/password because your user:

❌ - Requires MFA
❌ - Can't auth due to a CAP
❌ - Is a guest/federated user in the target tenant

Solution: refresh tokens! Sounds scary and new? They're EASY: 🧵 There are MANY ways to get your hands on a refresh token, but I think by far the simplest is by using the OAuth 2.0 device code flow.

Sounds complicated but it's a very easy three-step process:

From initial access to Global Admin with #BloodHound and BARK.

In this thread let's walk, step by step, through an example attack path based on real configurations we've seen in real environments: There are MANY ways to achieve initial access into AzureAD. For this example we will go with something simple: we were able to phish a user and get their username and clear text password.

This user has no MFA/CAP restrictions - we'll discuss how to deal with these later.

If you're like me, you are angry and disappointed at SCOTUS striking down Roe v Wade. You might also be exhausted and feel defeated.

Here are three things you can do RIGHT NOW to help defend women's rights in the United States. This will take you THREE minutes. Do these NOW: 🧵 First and most importantly, contact your congressional rep and tell them you support the Women's Health Protection Act, which will protect abortion access for every person in every state.

THIS FORM TAKES 30 SECONDS TO COMPLETE: actforwomen.org/take-action/

Where do #Azure attack paths come from? Attack paths that abuse (mis)configurations generally emerge from two types of control in Azure: explicit control and implicit control.

Let's see what that means and how you as a defender can eliminate the most dangerous paths:🧵 Explicit control means there is a one-to-one control relationship clearly defined on the controlled object. For example, Azure Users can be made explicit owners of Azure Service Principals:

One year ago this week I published The Attack Path Management Manifesto, which you can read here: medium.com/p/3a3b117f5e5

It's a long read, so in this thread I'm going to give you the most succinct version of the manifesto I can: Adversaries have been abusing identity-based attack paths -- in particular those that emerge in Active Directory environments -- for over 20 years. Why? There are three major reasons:

MSRC came back on my case and said:

"...this case does not meet the bar for servicing by MSRC and we will be closing this case..."

and:

"...This is considered by-design..."

A quick thread on what the "issue" is and why MSRC is right 🧵 While preparing for my @WWHackinFest talk, I was creating demo videos showing Managed Identity abuse primitives in various Azure services. For example, you can remotely extract the JWT for a VM's managed identity like this:

Neo4j's cypher query language can seem strange at first, but it starts to make sense once you realize one simple thing:

It's ASCII art.

A quick thread on some very basic cypher concepts: 🧵 Nodes and edges are the two foundational building blocks of a graph. Nodes have labels (User, Group), and edges have types (MemberOf):

Yesterday in my webinar on ACR Task abuse, I shared this slide with the question, "What privileges are needed to bridge this trust boundary?"

A thread about the differences between Explicit and Emergent IDP Trusts: 🧵 In its default state, an Azure tenant enforces a trust boundary around itself. The Azure Security Token Service (STS) for this tenant will only authenticate principals within this tenant. In other words: only users in your tenant can access anything in your tenant.

Users in Azure deserve attention from attackers and defenders. But Service Principals deserve as much attention, and actually maybe deserve much more attention than users. A quick thread on why, and resources for attackers and defenders: First, the password reset system in Azure has tiered administration baked into it. Only your T0 users can reset T0 users' passwords:

https://twitter.com/_wald0/status/1493263809074503682

The #BloodHoundEnterprise team's working culture, as explained by Marcus Aurelius, a short thread: 🧵 “The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane.”

We are not afraid of challenging the status quo and doing things radically different than what came before.

This thread is absolutely chock full of real stories about really dangerous configurations.

But instead of seeing and blaming the *people* behind those stories, we should be identifying and understanding the *patterns* in these stories.

Some quick thoughts in this thread: 🧵

https://twitter.com/_wald0/status/1502475482004041730

There are 3 major reasons I see why we should not be blaming the people behind these dangerous configurations:

First: It doesn't help. Honestly, what evidence do we have that screeching at admins to do "the basics" has created positive outcomes?

There has never been a better time than right now to get involved with Azure security research.

Not convinced yet? Let's compare where we are with Azure versus where we are with on-prem AD: 🧵 Active Directory initially came out in December of 1999. Now it's 2022. What's happened between then and now?

In Windows and Active Directory, there is one system responsible for making access decisions in nearly *all* cases: the Security Reference Monitor. This system makes access decisions by analyzing security descriptors on securable objects and User Rights Assignments: In "Azure", the story is very, very different. There are multiple forms of access control, and multiple services responsible for making access decisions.

"Azure" means the 600+ distinct services that comprise Microsoft's cloud computing platform.

New abuse primitives that take advantage of legitimate administrative protocols and features are wildly exciting. Why? Because no object is an island. Everything is interconnected, and that interconnectedness can have enormous impact. Thread: 🧵 You may or may not be familiar with the childrens' book, "If You Give a Mouse a Cookie:"