Posts

Showing posts from October, 2021

How to Backdoor Azure Applications and Abuse Service Principals

If an attacker gains access to an Azure tenant (with sufficient permissions) they can add a “secret” or a “certificate” to an application. This gives the attacker single-factor access to Azure and lets them persist within the client environment. Further, each application that exists within an Azure tenant has a service principal automatically created and assigned; this happens every time an application is registered within the Azure portal. A service principal is essentially an identity used by applications and tools to access resources and perform automated actions.

Attackers want to target service principals because:
- Service accounts and service principals do not have MFA
- Attackers can log into Azure using a service principal account
- These accounts exist with all applications in Azure (most companies have several)
- These accounts cannot be controlled through conditional access

This blog post is going to show you how to create / register an application within an Az

Hunting for Citrix Netscaler API Abuse: Reconnaissance, SSO and Session Manipulation

I worked a case recently where unauthenticated threat actors were able to access and perform reconnaissance and session manipulation in Citrix via API requests. These threat actors proceeded to abuse single sign-on (SSO) for access. As such, I wrote this blog post to highlight some of the things to be aware of when hunting through Citrix logs that can hopefully help some security analysts when they're performing their threat hunts / investigations. Please note, how and whether this works depends on your client's Citrix configuration and settings.

The reason why this is interesting to someone in a blue team is because an unauthenticated attacker could potentially (depending on the Citrix configuration) do the following:
- Enumerate resources available to a user, i.e. what hosts they have access to and by what method
- Force sessions to last longer without signing the attacker out
- Detect what methods of authentication are utilised (5 documented) and whether SSO is enabled
- Abuse SSO for access to r

Attacks on Azure AD and M365: Pawning the cloud, PTA Skeleton Keys and more - PART II

In my previous blog post, I detailed an attack matrix for Microsoft 365 (M365), documenting the various attacks and actions on objectives that can be taken by threat actors. My original matrix did not touch on some other hybrid attacks that can happen on Azure AD which are relevant to the Microsoft Cloud environment. As such, I have modified and updated the attack matrix below to show all the various attacks collated into one matrix. For those of you who are not familiar with M365 or Azure AD (AAD), the reason I built this matrix is because the Mitre O365 matrix did not include a comprehensive list of all the various attack vectors. To be a good responder / defender, it’s important to understand the different types of attacks that your organisation or client may be plagued with. Attacks on Azure AD and M365 are not limited to simple business email compromise (BEC) cases but are now actively being exploited by nation-state APT groups. The reason that these actors choose the cloud as