The Azure Necronomicon: Unraveling Identity's Cosmic Horror

BrandonDeVault, 38 slides, Sep 26, 2024

About This Presentation

Dive into the eldritch depths of Azure’s identity management, where the seemingly mundane task of handling user identities and service principals transforms into a journey through cosmic horror. In this talk, we will embark on an arcane expedition to decipher the mysteries of Azure identities. Wit...


Slide Content

The Azure Necronomicon: Unraveling Identity's Cosmic Horror
Brandon DeVault, Sr. Security Researcher, CrowdStrike; Cyber Operations, National Guard

What this talk is NOT:
- A guide on how authentication works in Azure
- Why you should buy product X over product Y
- A solution to all your problems

Cloud Planes:
- Management: overall resources and lifecycle
- Control: configurations and operations
- Data: user data processing and storage


Why not Microsoft security? Who did what?

Chapter 1: The Summoning of Users and Service Principals

Identities: Users, Roles, Groups, Applications, Service Principals

Users

Diagram labels: Microsoft Entra ID Tenant. Azure Environment: Microsoft Entra ID, Subscription, Management Group, Resource Group. Microsoft Environment: Microsoft 365, M365 Defender, Power Platform.

Methods of authenticating:
- Azure Portal
- Entra ID
- ADFS
- Hybrid Authentication (pass-through auth, password hash synchronization, federation with third-party)
- CLI Interfaces and APIs
- Managed Identities
- B2B / B2C
- SSH Key Authentication
- Certificate-Based Authentication
- VPN and Virtual Network Gateways

Service Principals / Applications

Types of Service Principals: Application, Managed Identity, Legacy

Diagram labels: Azure Tenant 1 (Entra ID: Application, Service Principal; Subscription 1: Service, Resource, Resource, Resource; Subscription 2; Subscription 3). Azure Tenant 2 (Entra ID: Service Principal).

Groups

Management Groups: above Subscriptions; Policy / Compliance.
Resource Groups: for grouping resources (VMs, web apps, databases, etc.); groups can be nested.
Hierarchy: Management Groups > Subscriptions > Resource Groups > Resources.

Roles


Azure built-in roles: 312. Entra built-in roles: 105.

High-privileged role

Globally Unique Identifier (GUID)

Chapter 2: The Rituals of Non-Standardization

Importance of Field Normalization:
- When searching for a value, all results must be returned
- Capitalization matters!
- Improves performance

azure.resultType, expectations: Success / Failure; True / False

azure.resultType, reality: (screenshot of observed values)

azure.properties.statusCode, expectations: 200 / 400 / 429; "OK" / "BadRequest"

azure.properties.statusCode, reality: (screenshot of observed values)

Parse: azure.operationName: "MICROSOFT.AUTHORIZATION / ROLEASSIGNMENTS / WRITE"


azure.operationName


Chapter 3: The Necromancy of Log Analysis

Identities (GUID):
- Activity Logs: azure.identity.claims.appid; azure.identity.claims.http://schemas.microsoft.com/identity/claims/objectidentifier
- Audit Logs: azure.properties.initiatedBy.app.servicePrincipalId; azure.properties.initiatedBy.user.id
- Sign-In Logs: azure.properties.servicePrincipalId; azure.properties.userId

Identities (Human Readable), fields:
- azure.identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- azure.identity.claims.appid
- azure.properties.initiatedBy.app.displayName
- azure.properties.initiatedBy.user.displayName
- azure.properties.initiatedBy.user.userPrincipalName
- azure.properties.identity
- azure.properties.userPrincipalName
- azure.properties.servicePrincipalName

Cross-correlation:
- Activity Log: … azure.identity.claims.appid: <GUID> …
- Sign-In Log: … azure.properties.servicePrincipalId: <GUID> …

Cross-correlation:
- Sign-In Log: … azure.properties.servicePrincipalId: <GUID>; azure.properties.servicePrincipalName: <Name> …
- Activity Log: … azure.identity.claims.appid: <GUID>; azure.identity.authorization.evidence.roleDefinitionId; azure.identity.authorization.evidence.role …
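The normalization of Chapter 2 (collapsing the spellings of azure.resultType / statusCode, splitting azure.operationName into provider / resource / action) and the Chapter 3 cross-correlation of Activity Log events with Sign-In Log events on the service principal GUID, as an added Python example that is not part of the slides or any CrowdStrike tooling. The sample events, GUIDs and service principal name are constructed; the dotted field names follow the slides.

```python
# Normalize Azure log fields and cross-correlate Activity Log events with Sign-In Log
# events on the service principal GUID. All sample events and GUIDs below are constructed.

def normalize_result(value):
    """Collapse the many spellings of azure.resultType / statusCode into success or failure."""
    v = str(value).strip().strip('"').lower()
    if v in {"success", "succeeded", "true", "ok", "accepted", "created", "nocontent"}:
        return "success"
    if v.isdigit():  # numeric HTTP status codes
        return "success" if 200 <= int(v) < 300 else "failure"
    return "failure"

def parse_operation(op):
    """Split 'MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE' into provider, resource, action."""
    parts = [p.strip().lower() for p in op.split("/") if p.strip()] or [""]
    return {"provider": parts[0], "resource": "/".join(parts[1:-1]), "action": parts[-1]}

def correlate(activity_events, signin_events):
    """Attach servicePrincipalName from Sign-In Logs to Activity Log events via the appid GUID."""
    names = {}
    for s in signin_events:
        sp_id = str(s.get("azure.properties.servicePrincipalId", "")).lower()  # GUID case varies
        if sp_id:
            names[sp_id] = s.get("azure.properties.servicePrincipalName", "")
    enriched = []
    for a in activity_events:
        app_id = str(a.get("azure.identity.claims.appid", "")).lower()
        row = parse_operation(a.get("azure.operationName", ""))
        row["result"] = normalize_result(a.get("azure.resultType", ""))
        row["appid"] = app_id
        row["servicePrincipalName"] = names.get(app_id, "<unknown: no matching sign-in>")
        row["role"] = a.get("azure.identity.authorization.evidence.role", "")
        enriched.append(row)
    return enriched

# Constructed sample events in the dotted field-name style used on the slides.
SIGNINS = [
    {"azure.properties.servicePrincipalId": "11111111-2222-3333-4444-555555555555",
     "azure.properties.servicePrincipalName": "deploy-pipeline-sp"},
]
ACTIVITY = [
    {"azure.operationName": "MICROSOFT.AUTHORIZATION / ROLEASSIGNMENTS / WRITE",
     "azure.resultType": "Success",
     "azure.identity.claims.appid": "11111111-2222-3333-4444-555555555555",
     "azure.identity.authorization.evidence.role": "Owner"},
    {"azure.operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "azure.resultType": "Failure",
     "azure.identity.claims.appid": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"},
]
```

Running correlate(ACTIVITY, SIGNINS) names the principal behind the role-assignment write and flags the second event as having no matching sign-in, which is the gap a hunt for "who did what" has to close.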

Normalized Logs: Endpoint, EDR, Email, Authentication, Database

Key Takeaways – Cthulhu fhtagn!
- Identity is hard
- Normalization is important
- The power of cross-correlation is critical

QUESTIONS? www.devaultsecurity.com | LinkedIn, Twitter, GitHub: devaultsecurity | [email protected]