BlackHat Arsenal USA 2024 : Simulating and Exploring Entra ID Attack Paths

mvelazco 117 views 29 slides Oct 01, 2024

About This Presentation

BadZure is an open-source PowerShell tool designed for Entra ID (previously known as Azure AD) security analysis. It automates the creation of vulnerable Entra ID tenant environments by utilizing the Microsoft Graph SDK. The tool configures users, groups, and application registrations, then introduc...


Slide Content

#BHUSA   @BlackHatEvents
BadZure: Exploring Azure AD Attack Paths

Mauricio Velazco
@mvelazco

#whoami

●From Arequipa, Peru
●Security Researcher at Microsoft
●@mvelazco
●https://github.com/mvelazc0

Disclaimer

●Personal Views: The opinions and views expressed in this presentation are my own and do not reflect those of my employer.
●Independence: The content presented is based on my personal research and experience.
●No Endorsement: Mention of specific tools, technologies, or companies does not imply endorsement by my employer.
●Responsibility: I assume full responsibility for any errors or omissions in the presentation.

Introduction

Identity: The Rising Target

Learning list
Azure Active Directory (Entra ID)

●Microsoft's cloud-based identity and access management service
●The backbone of most Azure services, like M365
●The natural migration path for traditional Active Directory orgs

Challenges in Exploring Azure AD Security

●Learning curve
●Theoretical knowledge vs. practical experience
●Need for test environments
●Complex setup and configuration

BadZure
https://github.com/mvelazc0/BadZure

BadZure

●Automates Azure AD (Entra ID) tenant setup by creating users, groups, apps, service principals and more.
●Randomly assigns groups and permissions to created principals.
●Creates configurable attack paths to explore privilege escalation techniques.

BadZure

●Simulates initial access by employing common account takeover techniques, mimicking real-world scenarios.
●Simulates privilege escalation by creating misconfigurations and allowing users to leverage compromised accounts to gain higher-level access within Azure AD.

BadZure

●Offers flexible configuration through a YAML file.

Initial Access

●Password-Based Access: Assigns random passwords to key user accounts and generates users.txt for simulating credential stuffing and password spraying.
●Token-Based Access: Generates JWT access tokens for specified principals to simulate token theft scenarios like reverse proxy phishing or endpoint malware.

PrivEsc: Service Principal Abuse

●Requirements: A user with permissions to modify an app registration that has privileged access.
●Attack Scenario: Compromised user adds credentials to the privileged application and authenticates as the service principal.
●Impact: User escalates privileges to the application's level.

PrivEsc: Service Principal Abuse
https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5 by Andy Robbins

PrivEsc: API Permissions
https://cloudbrothers.info/en/azure-attack-paths/#api-permissions by Fabian Bader

PrivEsc: Entra Roles
https://cloudbrothers.info/en/azure-attack-paths/#api-permissions by Fabian Bader

Privilege Escalation: Service Principal Abuse
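The service principal abuse path above rests on one misconfiguration: an ordinary user owns an app registration (or its service principal) whose service principal holds privileged application permissions. The following is an added example, not BadZure's code, that finds such paths in a tenant snapshot so they can be fixed before an attacker reaches them. It goes slightly beyond the slide by checking ownership of the service principal as well as of the app registration, since either owner can add credentials. The data is constructed to mimic the shape of Microsoft Graph application, servicePrincipal and appRoleAssignment objects; the object IDs, user IDs, app names and the set of roles treated as privileged are assumptions.

```python
"""Find 'user can add credentials to a privileged app' attack paths in a
tenant snapshot. Added example, not BadZure's own code. The data below is
constructed to mimic the shape of Microsoft Graph /applications,
/servicePrincipals (with owners) and appRoleAssignments responses; object
IDs are placeholders."""

# Microsoft Graph application permissions we treat as privileged. The
# permission names are real Graph app role values; which ones count as
# privileged is our assumption and should be tuned per tenant.
PRIVILEGED_GRAPH_ROLES = {
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All",
    "Directory.ReadWrite.All",
}

MS_GRAPH_SP_ID = "sp-msgraph"  # placeholder object id of the Graph resource SP

# Constructed app registrations; "owners" lists user object ids.
APPLICATIONS = [
    {"id": "app-1", "appId": "aaaa-1", "displayName": "HR Sync", "owners": ["user-alice"]},
    {"id": "app-2", "appId": "aaaa-2", "displayName": "Marketing Bot", "owners": ["user-bob"]},
    {"id": "app-3", "appId": "aaaa-3", "displayName": "Finance Export", "owners": []},
]

# Constructed service principals backing those registrations. A service
# principal has its own owner list, which is a second edge to check.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "aaaa-1", "owners": []},
    {"id": "sp-2", "appId": "aaaa-2", "owners": []},
    {"id": "sp-3", "appId": "aaaa-3", "owners": ["user-carol"]},
]

# Graph exposes appRoles with an id and a value; appRoleAssignments refer to
# the id, so map id -> value (ids are placeholders).
GRAPH_APP_ROLES = {
    "role-rolemgmt": "RoleManagement.ReadWrite.Directory",
    "role-userread": "User.Read.All",
    "role-dirwrite": "Directory.ReadWrite.All",
}

# Constructed app-only permission grants (principalId = the SP that holds it).
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-1", "resourceId": MS_GRAPH_SP_ID, "appRoleId": "role-rolemgmt"},
    {"principalId": "sp-2", "resourceId": MS_GRAPH_SP_ID, "appRoleId": "role-userread"},
    {"principalId": "sp-3", "resourceId": MS_GRAPH_SP_ID, "appRoleId": "role-dirwrite"},
]


def find_attack_paths(applications, service_principals, assignments,
                      app_roles, graph_sp_id=MS_GRAPH_SP_ID):
    """Return sorted (user, edge, app display name, role) tuples for every user
    who owns an app registration or service principal whose SP holds a
    privileged Graph app role. Ownership of either object lets the user add a
    client secret or certificate and sign in as that service principal."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    app_by_app_id = {app["appId"]: app for app in applications}
    paths = set()
    for grant in assignments:
        if grant["resourceId"] != graph_sp_id:
            continue  # only Microsoft Graph permissions are modelled here
        role = app_roles.get(grant["appRoleId"])
        if role not in PRIVILEGED_GRAPH_ROLES:
            continue
        sp = sp_by_id.get(grant["principalId"])
        if sp is None:
            continue
        app = app_by_app_id.get(sp["appId"], {"displayName": sp["appId"], "owners": []})
        for owner in app["owners"]:
            paths.add((owner, "owns-application", app["displayName"], role))
        for owner in sp.get("owners", []):
            paths.add((owner, "owns-serviceprincipal", app["displayName"], role))
    return sorted(paths)


if __name__ == "__main__":
    for user, edge, app_name, role in find_attack_paths(
            APPLICATIONS, SERVICE_PRINCIPALS, APP_ROLE_ASSIGNMENTS, GRAPH_APP_ROLES):
        print(f"{user} --{edge}--> {app_name} [{role}]")
```

On the constructed data the HR Sync registration owned by user-alice is flagged (it holds RoleManagement.ReadWrite.Directory), as is Finance Export through user-carol's ownership of its service principal; Marketing Bot is not, because User.Read.All is not in the privileged set. In a real tenant the same objects come from the Graph SDK, and each reported path is a candidate for removing the owner or reducing the app's permissions.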

Demo

What's next

●Include more Azure resources (key vaults, virtual machines, etc.)
●Introduce Conditional Access policies
●New initial access: compromised service principal.
●New attack paths

BadZure
https://github.com/mvelazc0/BadZure

Entra ID Detection Analytics

●Splunk: https://research.splunk.com
●Elastic: https://www.elastic.co/guide/en/security/current/prebuilt-rules.html
●Sentinel: https://github.com/Azure/Azure-Sentinel
●Sigma: https://github.com/SigmaHQ/sigma
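The detection repositories listed above all contain rules for the credential-addition step of the service principal abuse path, since that step leaves an Entra ID audit log entry whichever way the attacker authenticated. The following is an added example, not BadZure's code and not any of those vendors' rules, showing the core of such a detection run over a few constructed audit records in the Microsoft Graph directoryAudits shape (activityDisplayName, result, initiatedBy, targetResources). The activity display names are the ones Entra ID uses for secret and certificate additions; the timestamps, UPNs, app names, the set of privileged apps and the admin list are all constructed placeholders.

```python
"""Flag credential additions to app registrations and service principals in
Entra ID audit log events. Added example, not BadZure's code and not a
vendor rule. Assumes the Microsoft Graph directoryAudits record shape
(activityDisplayName, result, initiatedBy, targetResources); all events
below are constructed, and UPNs use a placeholder domain."""
import json

# Activity names as shown in Entra ID audit logs for secret/certificate
# additions. Dashes are normalised before comparison because the live value
# uses an en dash; confirm the exact strings against your own tenant's logs.
CREDENTIAL_ADD_ACTIVITIES = {
    "update application - certificates and secrets management",
    "add service principal credentials",
}


def _norm(text):
    """Lower-case and replace en/em dashes so the activity name compares reliably."""
    return text.replace("\u2013", "-").replace("\u2014", "-").strip().lower()


def _initiator(event):
    """Return the UPN of the acting user, or 'app:<name>' for app-initiated events."""
    by = event.get("initiatedBy") or {}
    if by.get("user"):
        return by["user"].get("userPrincipalName", "unknown-user")
    if by.get("app"):
        return "app:" + by["app"].get("displayName", "unknown-app")
    return "unknown"


def parse_ndjson(text):
    """Parse one JSON audit record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def credential_additions(events, privileged_apps, admin_upns):
    """Return one alert per successful credential addition. Severity is high
    when a non-admin adds credentials to an app known to hold privileged
    permissions, medium for any other non-admin addition, low for admins."""
    alerts = []
    for ev in events:
        if _norm(ev.get("activityDisplayName", "")) not in CREDENTIAL_ADD_ACTIVITIES:
            continue
        if ev.get("result") != "success":
            continue  # failed attempts are worth a separate, noisier rule
        who = _initiator(ev)
        for target in ev.get("targetResources", []):
            if target.get("type") not in ("Application", "ServicePrincipal"):
                continue
            name = target.get("displayName", "")
            if who in admin_upns:
                severity = "low"
            elif name in privileged_apps:
                severity = "high"
            else:
                severity = "medium"
            alerts.append({"time": ev.get("activityDateTime"), "initiator": who,
                           "target": name, "activity": ev["activityDisplayName"],
                           "severity": severity})
    return alerts


# Constructed NDJSON input (one directoryAudit record per line).
SAMPLE_AUDIT_NDJSON = "\n".join(json.dumps(e) for e in [
    {"activityDateTime": "2024-08-07T17:02:11Z",
     "activityDisplayName": "Update application \u2013 Certificates and secrets management",
     "category": "ApplicationManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "alice@tenant.example"}},
     "targetResources": [{"type": "Application", "displayName": "HR Sync"}]},
    {"activityDateTime": "2024-08-07T17:05:40Z",
     "activityDisplayName": "Add service principal credentials",
     "category": "ApplicationManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@tenant.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Marketing Bot"}]},
    {"activityDateTime": "2024-08-07T17:06:02Z",
     "activityDisplayName": "Add service principal credentials",
     "category": "ApplicationManagement", "result": "failure",
     "initiatedBy": {"user": {"userPrincipalName": "bob@tenant.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Finance Export"}]},
    {"activityDateTime": "2024-08-07T17:09:15Z",
     "activityDisplayName": "Update user", "category": "UserManagement",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@tenant.example"}},
     "targetResources": [{"type": "User", "displayName": "Bob"}]},
])

PRIVILEGED_APPS = {"HR Sync"}          # placeholder: e.g. output of a tenant audit
ADMIN_UPNS = {"admin@tenant.example"}  # placeholder admin accounts


if __name__ == "__main__":
    for alert in credential_additions(parse_ndjson(SAMPLE_AUDIT_NDJSON),
                                      PRIVILEGED_APPS, ADMIN_UPNS):
        print(alert["severity"].upper(), alert["initiator"], "->", alert["target"])
```

Against the constructed records the rule raises a high-severity alert for alice adding a secret to HR Sync and a low-severity one for the admin's change to Marketing Bot; the failed attempt and the unrelated user update produce nothing. The severity tiers are the design point: a list of privileged apps (from a tenant audit) turns a generic "someone added a secret" signal into one that prioritises exactly the objects on a known attack path.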

References

●Splunk: https://research.splunk.com
●Elastic: https://www.elastic.co/guide/en/security/current/prebuilt-rules.html
●Sentinel: https://github.com/Azure/Azure-Sentinel
●Sigma: https://github.com/SigmaHQ/sigma

Thank You

Mauricio Velazco
@mvelazco