Attacks on Azure AD and M365: Pawning the cloud, PTA Skeleton Keys and more - PART II

In my previous blog post, I detailed an attack matrix for Microsoft 365 (M365), documenting the various attacks and actions on objectives that can be taken by threat actors. My original matrix did not touch on some other hybrid attacks that can happen on Azure AD which are relevant to the Microsoft Cloud environment. As such, I have modified and updated the attack matrix below to show all the various attacks collated into one matrix.

For those of you who are not familiar with M365 or Azure AD (AAD), the reason I built this matrix is because the Mitre O365 matrix did not include a comprehensive list of all the various attack vectors. To be a good responder / defender, it’s important to understand the different types of attacks that your organisation or client may be plagued with. Attacks on Azure AD and M365 are not limited to simple business email compromise cases (BECs) but are now actively being exploited by nation-state APT groups. The reason that these actors choose the cloud as an attack vector comes down to the level of “access” they can get, the persistence level they can maintain, the backdoors they can install and, in a way, I think they do this because not many blue teamers / purple teamers have a strong understanding of the cloud infrastructure and most SOCs do not have pre-written detection capabilities for these attacks. All these reasons together, makes AAD and M365 very attractive attack vectors for these threat actors.

This blog post adds onto my previous blog post (which was just M365) with the various ways AAD can be attacked. I think it’s important to combine them instead of having them as separate matrices. I feel that in my general conversations with organisations / clients, SOCs are still heavily focused on traditional means of attack. It’s important that teams continuously learn and adapt to the new threat environment. Attacks on M365 and AAD have been happening for a while now and should seriously be a part of your threat detection capabilities. 


I will be working on building out comprehensive detections for each of these attacks to help some blue teams. I don’t know what format this will be in but I want to provide these detections in a tool-agnostic fashion i.e. not in the form of queries relating to a specific vendor tool. I’m not sure what format will help people the most so I’m very open to suggestions here!

Again, if you have additions that you think need to be a part of this matrix. You can either let me know on twitter (@inversecos) or hit me up on LinkedIn.


Azure AD and M365 ATTACK MATRIX

Special thanks to @DebugPrivilege, @blubbfiction for suggestions and @marcurdy for pointing out that it’s M365 ;)





Breakdown of Attacks

The following section provides a high-level explanation of the newly added Azure AD focused attacks in the matrix. I have not included any of the previous attack descriptions for M365 that were present in my previous blog post. If you want to read descriptions for M365 attacks, please refer to my previous blog post.

Reconnaissance

Enumerate Tennant Domain – There are multiple ways someone who is unauthenticated can perform reconnaissance on a domain. This can include reviewing DNS MX records or querying URIs that can allow an attacker to fetch this information. Link to Microsoft documentation


  • https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration


Enumerate Login Information – An unauthenticated attacker can query APIs that will allow them to determine if a user exists within the domain and if Desktop SSO is utilised. Knowing if SSO is enabled allows an attacker to explore further attacks on objectives. This is a great write-up about the topic. For further details about abusing GetCredentialType - check out @DrAzureAD's blog here


  • https://login.microsoftonline.com/getuserrealm.srf?login=<USER>@<DOMAIN>&xml=1
  • https://login.microsoftonline.com/common/GetCredentialType


Initial Access

Password Hash Synchronisation – There are two accounts that exist in Azure AD Connect (AAD Connect) that both have high privileges. AAD Connect is utilised for syncing on-premises AD and Azure AD. As such, there are two accounts starting with “MSOL_id” and “Sync_<hostname>_id” that are created and utilised as service accounts to provide synchronisation services for sending hashes of user passwords to the cloud. Gathering these credentials allow a user to modify users and passwords and replicating domain user hashes. The attack flow works through identifying where AAD is installed and interacting with the AAD database which stores the MSOL password. @_xpn_ has a great POC that can be utilised to decrypt the password.

The tool “adconnectudmp” can be utilised to dump these credentials.
https://github.com/fox-it/adconnectdump. Gathering these credentials allow a user to modify users and passwords. 

 

Pass the Ticket (Silver Tickets) – An attacker can impersonate domain users by compromising the AZUREADSSOACC$ account. This account password can simply be dumped using Mimikatz. Mimikatz can also be utilised to create the silver ticket. This is a great write-up from DS Internals that talks through the attack flow. Once the silver is attained by an attacker it can be utilised to log into any M365 application leaving the password blank.


Pass the PRT – A primary refresh token (PRT) can be passed the same way NTM hashes can be passed to authenticate from system to system. The PRT can be extracted using ROADtools or Mimikatz given the prerequisite that an attacker has local admin privileges on the system. The PRT is generally valid for 14 days and is issued to an AAD joined / hybrid AAD joined device. More about PRT on the Microsoft website. 



Pass the Cert  MS-Organization-P2P-Access certificates are issued by Azure AD to AAD joined and hybrid joined devices. Certificate allows trust between devices within a tenant. The computer certificate is valid for a day and the user P2P certificate is also valid for a day. With the session key and the PRT (technique above), this can get an attacker a P2P certificate which can allow them to access other systems joined to the tenant. 


Compromised Valid Account – An existing valid account is utilised to log in.


Discovery

Enumerate Azure Tenants – As stated above in the reconnaissance section, there are multiple ways for someone unauthenticated or authenticated to perform discovery. 


Enumerate Azure Subscriptions – Global administrators can access all Azure subscriptions by elevating yourself to User Access Administrator. This allows them to list all the subscriptions within a tenant as a part of their discovery. This is well detailed by my colleague @DrAzureAD here.

Enumerate Conditional Access Policies – Admins are also able to use Azure Powershell to perform discovery of conditional access policies that exist. Link to Microsoft documentation here. 


Enumerate Applications – Attackers can also perform enumeration of authenticated applications or native Azure apps. 


Pass the PRT – An attained PRT allows an attacker to perform pass-the-PRT which is a similar concept to the idea of pass-the-hash attacks on premise. It allows an attacker lateral movement.  


Pass the Cert  Similar to Pass-the-PRT, pass-the-cert allows an attacker lateral movement to move to other systems which are joined to the tenant.  



Actions

Access Azure Subscriptions – As detailed by my colleague @DrAzureAD here, with global administrator rights, an attacker can elevate themselves to User Access Administrator. This will allow them to see all the subscriptions within a tenant. 


Executions of Scripts on Azure VMs – By updating the role membership by adding the attack account to “Virtual Machine Contributor” as detailed in this post by Sean Metcalf, an attacker will be able to run PowerShell scripts on the VMs. This leads down to other actions on objectives such as setting up a C2, maintaining persistence, downloading, and running files or whatever the attacker chooses the run. 


DoS Azure AD – Detailed by @DrAzureAD on this blog, creating a BPRT token creates a user object in Azure AD and doesn’t require admin rights. This means that an attacker can fill Azure AD with BPRTs until the quota limit is reached. As mentioned in the blog, the only way to prevent the creation of BPRTs is to prevent users from joining devices to Azure AD.



Persistence

Executions of Scripts on Azure VMs – As detailed above, with the role “Virtual Machine Contributor” an attacker can run PowerShell scripts on the VMs. This can allow them to maintain persistence within the environment.



Creating Service Principal – An attacker can create new service principals which will allow the attacker long-term API-based access to the cloud. This can also be done through modifying or adding credentials to an existing service principal. This action creates an Azure AD audit log event of “add service principal credentials” which can be detected. 


Application Proxy C2 – As detailed by Adam Chester in this blog post, an attacker can use the Azure AD application proxy to configure and set up a C2.  


Abusing Identity Federation – With global administrator account, an attacker can use their own malicious infrastructure to place a backdoor on the tenant. Using the ImmutableId of any user, the attacker can then generate a security token which will then allow them to log in as that user. 


Comments

Post a Comment

Popular posts from this blog

Forensic Analysis of AnyDesk Logs

Image
Most threat actors during ransomware incidents utilise some type of remote access tools - one of them being AnyDesk. This is a free remote access tool that threat actors download onto hosts to access them easily and also for bidirectional file transfer.  There are two locations for where AnyDesk logs are stored on the Windows file system: %programdata%\AnyDesk\ad_svc.trace %appdata%\Anydesk\ad.trace The AnyDesk logs can be found under the appdata located within each users' directory where the tool has been installed. Forensic analysis of these logs reveal interesting pieces of information inside the "ad.trace" log: Remote IP where the actor connected from File transfer activity Locating the Remote IP Connecting to AnyDesk Inside the "ad.trace" log you can grep for the following term "External address" and this should reveal the following line pasted below. I have redacted the IP for privacy's sake: info 2021-02-04 23:25:10.500       lsvc   9988  
Read more

Successful 4624 Anonymous Logons to Windows Server from External IPs?

Image
If you see successful 4624 event logs that look a little something like this in your Event Viewer showing an ANONYMOUS LOGON, an external IP (usually from Russia, Asia, USA, Ukraine) with an authentication package of NTLM, NTLMSSP, don't be alarmed - this is not an indication of a successful logon+access of your system even though it's logged as a 4624. If your server has RDP or SMB open publicly to the internet you may see a suite of these logs on your server's event viewer. Although these are showing up as Event ID 4624 (which generally correlates to successful logon events), these are NOT successful access to the system without a correlating Event ID 4624 showing up with an Account Name \\domain\username and a type 10 logon code for RDP or a type 3 for SMB. You can double check this by looking at 4625 events for a failure, within a similar time range to the logon event for confirmation. The reason for this is because when a user initiates an RDP or SMB c
Read more

How to Reverse Engineer and Patch an iOS Application for Beginners: Part I

Image
So you want to reverse and patch an iOS application? I got you >_< If you’ve missed the blogs in the series, check them out below ^_^ Part 1: How to Reverse Engineer and Patch an iOS Application for Beginners Part 2: Guide to Reversing and Exploiting iOS binaries: ARM64 ROP Chains Part 3: Heap Overflows on iOS ARM64: Heap Spraying, Use-After-Free  This blog is focused on reversing an iOS application I built for the purpose of showing beginners how to reverse and patch an iOS app. No fancy tools are required (IDA O.o), it's just you, me & a debugger <3 The app is a simple, unencrypted Objective-C application that just takes in a password and the goal of this is to bypass the password mechanism and get the success code. This blog post will focus on reversing/debugging the application and will not cover aspects of static analysis. The reason I wanted to write this is because I realised this topic is confusing for a lot of people and I wanted to try and write a blog that a
Read more