Attacks on Azure AD and M365: Pawning the cloud, PTA Skeleton Keys and more - PART II
In my previous blog post, I detailed an attack matrix for Microsoft 365 (M365), documenting the various attacks and actions on objectives that can be taken by threat actors. My original matrix did not touch on some other hybrid attacks that can happen on Azure AD which are relevant to the Microsoft Cloud environment. As such, I have modified and updated the attack matrix below to show all the various attacks collated into one matrix.
For those of you who are not familiar with M365 or Azure AD (AAD), the reason I built this matrix is because the Mitre O365 matrix did not include a comprehensive list of all the various attack vectors. To be a good responder / defender, it’s important to understand the different types of attacks that your organisation or client may be plagued with. Attacks on Azure AD and M365 are not limited to simple business email compromise cases (BECs) but are now actively being exploited by nation-state APT groups. The reason that these actors choose the cloud as an attack vector comes down to the level of “access” they can get, the persistence level they can maintain, the backdoors they can install and, in a way, I think they do this because not many blue teamers / purple teamers have a strong understanding of the cloud infrastructure and most SOCs do not have pre-written detection capabilities for these attacks. All these reasons together, makes AAD and M365 very attractive attack vectors for these threat actors.
This blog post adds onto my previous blog post (which was just M365) with the various ways AAD can be attacked. I think it’s important to combine them instead of having them as separate matrices. I feel that in my general conversations with organisations / clients, SOCs are still heavily focused on traditional means of attack. It’s important that teams continuously learn and adapt to the new threat environment. Attacks on M365 and AAD have been happening for a while now and should seriously be a part of your threat detection capabilities.
I will be working on building out comprehensive detections for each of these attacks to help some blue teams. I don’t know what format this will be in but I want to provide these detections in a tool-agnostic fashion i.e. not in the form of queries relating to a specific vendor tool. I’m not sure what format will help people the most so I’m very open to suggestions here!
Again, if you have additions that you think need to be a part of this matrix. You can either let me know on twitter (@inversecos) or hit me up on LinkedIn.
Azure AD and M365 ATTACK MATRIXSpecial thanks to @DebugPrivilege, @blubbfiction for suggestions and @marcurdy for pointing out that it’s M365 ;)
Breakdown of Attacks
The following section provides a high-level explanation of the newly added Azure AD focused attacks in the matrix. I have not included any of the previous attack descriptions for M365 that were present in my previous blog post. If you want to read descriptions for M365 attacks, please refer to my previous blog post.
Enumerate Tennant Domain – There are multiple ways someone who is unauthenticated can perform reconnaissance on a domain. This can include reviewing DNS MX records or querying URIs that can allow an attacker to fetch this information. Link to Microsoft documentation.
Enumerate Login Information – An unauthenticated attacker can query APIs that will allow them to determine if a user exists within the domain and if Desktop SSO is utilised. Knowing if SSO is enabled allows an attacker to explore further attacks on objectives. This is a great write-up about the topic. For further details about abusing GetCredentialType - check out @DrAzureAD's blog here.
Password Hash Synchronisation – There are two accounts that exist in Azure AD Connect (AAD Connect) that both have high privileges. AAD Connect is utilised for syncing on-premises AD and Azure AD. As such, there are two accounts starting with “MSOL_id” and “Sync_<hostname>_id” that are created and utilised as service accounts to provide synchronisation services for sending hashes of user passwords to the cloud. Gathering these credentials allow a user to modify users and passwords and replicating domain user hashes. The attack flow works through identifying where AAD is installed and interacting with the AAD database which stores the MSOL password. @_xpn_ has a great POC that can be utilised to decrypt the password.
The tool “adconnectudmp” can be utilised to dump these credentials.
https://github.com/fox-it/adconnectdump. Gathering these credentials allow a user to modify users and passwords.
Pass the Ticket (Silver Tickets) – An attacker can impersonate domain users by compromising the AZUREADSSOACC$ account. This account password can simply be dumped using Mimikatz. Mimikatz can also be utilised to create the silver ticket. This is a great write-up from DS Internals that talks through the attack flow. Once the silver is attained by an attacker it can be utilised to log into any M365 application leaving the password blank.
Pass the PRT – A primary refresh token (PRT) can be passed the same way NTM hashes can be passed to authenticate from system to system. The PRT can be extracted using ROADtools or Mimikatz given the prerequisite that an attacker has local admin privileges on the system. The PRT is generally valid for 14 days and is issued to an AAD joined / hybrid AAD joined device. More about PRT on the Microsoft website.
Pass the Cert – MS-Organization-P2P-Access certificates are issued by Azure AD to AAD joined and hybrid joined devices. Certificate allows trust between devices within a tenant. The computer certificate is valid for a day and the user P2P certificate is also valid for a day. With the session key and the PRT (technique above), this can get an attacker a P2P certificate which can allow them to access other systems joined to the tenant.
Compromised Valid Account – An existing valid account is utilised to log in.
Enumerate Azure Tenants – As stated above in the reconnaissance section, there are multiple ways for someone unauthenticated or authenticated to perform discovery.
Enumerate Azure Subscriptions – Global administrators can access all Azure subscriptions by elevating yourself to User Access Administrator. This allows them to list all the subscriptions within a tenant as a part of their discovery. This is well detailed by my colleague @DrAzureAD here.
Enumerate Conditional Access Policies – Admins are also able to use Azure Powershell to perform discovery of conditional access policies that exist. Link to Microsoft documentation here.
Enumerate Applications – Attackers can also perform enumeration of authenticated applications or native Azure apps.
Pass the PRT – An attained PRT allows an attacker to perform pass-the-PRT which is a similar concept to the idea of pass-the-hash attacks on premise. It allows an attacker lateral movement.
Pass the Cert – Similar to Pass-the-PRT, pass-the-cert allows an attacker lateral movement to move to other systems which are joined to the tenant.
Access Azure Subscriptions – As detailed by my colleague @DrAzureAD here, with global administrator rights, an attacker can elevate themselves to User Access Administrator. This will allow them to see all the subscriptions within a tenant.
Executions of Scripts on Azure VMs – By updating the role membership by adding the attack account to “Virtual Machine Contributor” as detailed in this post by Sean Metcalf, an attacker will be able to run PowerShell scripts on the VMs. This leads down to other actions on objectives such as setting up a C2, maintaining persistence, downloading, and running files or whatever the attacker chooses the run.
DoS Azure AD – Detailed by @DrAzureAD on this blog, creating a BPRT token creates a user object in Azure AD and doesn’t require admin rights. This means that an attacker can fill Azure AD with BPRTs until the quota limit is reached. As mentioned in the blog, the only way to prevent the creation of BPRTs is to prevent users from joining devices to Azure AD.
Executions of Scripts on Azure VMs – As detailed above, with the role “Virtual Machine Contributor” an attacker can run PowerShell scripts on the VMs. This can allow them to maintain persistence within the environment.
Creating Service Principal – An attacker can create new service principals which will allow the attacker long-term API-based access to the cloud. This can also be done through modifying or adding credentials to an existing service principal. This action creates an Azure AD audit log event of “add service principal credentials” which can be detected.
Application Proxy C2 – As detailed by Adam Chester in this blog post, an attacker can use the Azure AD application proxy to configure and set up a C2.
Abusing Identity Federation – With global administrator account, an attacker can use their own malicious infrastructure to place a backdoor on the tenant. Using the ImmutableId of any user, the attacker can then generate a security token which will then allow them to log in as that user.