Andrew Johnson @secprez | Sacha Faust @sachafaust | Cloud & Enterprise Red Team CLOUD POST EXPLOITATION

Post on 05-Feb-2020


TRANSCRIPT

Page 1: CLOUD POST EXPLOITATION - Immunity Inc.

Andrew Johnson @secprez | Sacha Faust @sachafaust | Cloud & Enterprise Red Team

CLOUD POST EXPLOITATION

Page 2: Key Takeaways

• Azure Overview
• Cloud Pivots
• Trends and Countermeasures

Page 3: C+E Red Team • Red Team Success

• MTTC + MTTO
• MTTD + MTTR
• Clear rules of engagement
• P0 focus – break glass scenarios
• Cloud vs Cloud
• Shift from Operation to Recovery Games

Culture – Collective Growth Mindset
• “Let’s make it harder!”
• Engineering Focused
• Diplomatic
• Operate like Next Generation APT™

[figure labels: Crawl, Walk, Run, Adapt, Adapt+]

Page 4: Azure Crash Course

Page 5: Azure Crash Course (architecture diagram)

[diagram: a Production Domain on a Private Network (Domain Controller, SQL Server, File Server, Application Server) sits behind Network ACL (Ingress & Egress) and Monitoring, reachable from the Internet; the Azure side shows an Azure VNET with Azure VM (IAAS) instances, Azure Storage, SQL Azure, Azure Analytics (Logging), Azure Redis Cache, an Azure PAAS Service, Azure Document DB and Azure Key Vault]

Page 6: Cloud Mindset

Traditional concepts: Server, Domain, Domain Admin, Pass the Hash, Private IPs, RDP / SSH, Services

Cloud equivalents: Subscription, Subscription Admin, Credential Pivot, Public IPs, Management APIs

Page 7: Pivoting

Page 8: Basic - Storage to VM

Option 1 – Exfil running VM: shadow copy the VM (Start-AzureStorageBlobCopy)

Option 2 – Override VM when turned off

Research Area – Tamper running VM

Page 9: Attacking Hosted Services - PAAS (PAAS 101)

• Hosted Services are created from three elements:
  • Certificates hosted in the cloud service
  • A configuration file containing secrets and other service metadata
  • A package containing the code and resources

[figure: Hosted Service = Certificates + Configuration (cscfg) + Package (cspkg)]

Page 10: RDP Extension

Step 1 – Get role configuration: Get-AzureDeployment

Step 2 – Create Extension: New-AzureServiceRemoteDesktopExtensionConfig

Step 3 – Push tampered package: Set-AzureDeployment

Step 4 – Remove when done: Remove-PAASRemoteAccessExtension

[figure: Remote Desktop]

Page 11: Platform As a Service (PAAS)

Page 12: PAAS Certificates

Step 1 – Query management API to get Certificates available: Get-AzureDeployment

Step 2 – Create custom service package
• Add target certificate thumbprint
• Make service dump certs from OS and exfil

Step 3 – Initiate deployment: Set-AzureDeployment with upgrade flag to staging slot

Step 4 – Wait for cert and pivot

Page 13: PAAS Upgrade

Step 1 – Exfiltrate cspkg file: Get Package (Get-AzureBlobContent)

Step 2 – Find/Create elevated task and bootstrap malware

Step 3 – Update file hash

Step 4 – Push tampered package: Set-AzureBlobContent

Step 5 – Initiate deployment: Set-AzureDeployment with upgrade flag

Page 14: Hybrid Pivot

On Premise to Cloud Pivot!

Page 15: Persistence

Page 16: Persistence Pyramid

Identity
• Service Principals support multiple passwords
• App provides rich landscape

Subscription
• Subscription administrators
• Management Certificates

Storage Account
• Storage Account Key
• Secure Access Url (SAS) key (offline minting)

Cloud Service
• Tamper Deployment

Virtual Machine
• OS persistence
• Override
• Shadow copy

Network
• Add resource to resource group (VM)
• Modify Network Security Group

Page 17: (no text on slide)

Page 18: Indicators of Monitoring, Detection and Recovery

As an operator/attacker, do you have enough visibility in the risks you are accepting?

Indicators of
• Monitoring (IOM)
• Detection (IOD)
• Recovery (IOR)
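An added example, not part of the slides: the pivot and persistence slides name the management cmdlets an operator drives (Start-AzureStorageBlobCopy, New-AzureServiceRemoteDesktopExtensionConfig, Set-AzureDeployment, Set-AzureBlobContent), and the question above is whether a defender actually sees them. This detector maps those cmdlet names to the persistence-pyramid tier they touch, flags the two-step flows the deck walks through (RDP extension then deployment; package overwrite then upgrade), and runs over constructed sample records; the record layout, actor names and resource names are invented for the example.

```python
import re
from collections import defaultdict
# Cmdlet names taken from the deck's pivot and persistence slides, mapped to the
# persistence-pyramid tier they touch.
WATCHLIST = {
    "Start-AzureStorageBlobCopy": "Storage Account",
    "Set-AzureBlobContent": "Storage Account",
    "New-AzureServiceRemoteDesktopExtensionConfig": "Cloud Service",
    "Set-AzureDeployment": "Cloud Service",
    "Remove-PAASRemoteAccessExtension": "Cloud Service",
}
# Two-step flows the deck walks through: (earlier op, later op, description).
SEQUENCES = [
    ("New-AzureServiceRemoteDesktopExtensionConfig", "Set-AzureDeployment", "RDP extension pushed to a role"),
    ("Set-AzureBlobContent", "Set-AzureDeployment", "modified package deployed via upgrade"),
]
# Constructed record layout: "<timestamp> actor=<principal> op=<cmdlet> target=<resource>"
LINE = re.compile(r"^(?P<ts>\S+) actor=(?P<actor>\S+) op=(?P<op>\S+) target=(?P<target>\S+)$")

def parse(line):
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def analyse(lines):
    """Return (alerts, tiers): one alert per watchlisted operation, one more per
    matched two-step flow by the same actor, and a hit count per pyramid tier."""
    alerts, tiers, seen = [], defaultdict(int), defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        tier = WATCHLIST.get(rec["op"])
        if tier is None:
            continue  # read-only or unlisted operation, e.g. Get-AzureDeployment
        tiers[tier] += 1
        alerts.append(f"{rec['ts']} {rec['actor']} {rec['op']} -> {tier} tier")
        for first, second, name in SEQUENCES:
            if rec["op"] == second and first in seen[rec["actor"]]:
                alerts.append(f"{rec['ts']} {rec['actor']} flow: {name}")
        seen[rec["actor"]].append(rec["op"])
    return alerts, dict(tiers)

# Constructed sample records (not real telemetry): a routine deploy by a build
# account, then an operator adding an RDP extension to the same role and copying its disk.
SAMPLE = """
2017-04-20T10:00:00Z actor=build-svc op=Get-AzureDeployment target=prod-web
2017-04-20T10:01:00Z actor=build-svc op=Set-AzureDeployment target=prod-web
2017-04-20T11:30:00Z actor=ops-jdoe op=Get-AzureDeployment target=prod-web
2017-04-20T11:31:00Z actor=ops-jdoe op=New-AzureServiceRemoteDesktopExtensionConfig target=prod-web
2017-04-20T11:32:00Z actor=ops-jdoe op=Set-AzureDeployment target=prod-web
2017-04-20T11:40:00Z actor=ops-jdoe op=Start-AzureStorageBlobCopy target=prod-web-osdisk.vhd
""".strip().splitlines()
```

The build account's deployment alone only raises a tier hit; the operator's run raises the same hits plus the flow alert, which is the sequence a review queue should surface first.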

Page 19: IOM/D Trends – Rise of Anomaly Detection

[figure: Azure Security Center]

Anomaly Detection API – Cortana Intelligence Gallery: https://aka.ms/infiltrate2017-anomalyapi

“Anomaly Detection is an API built with Azure Machine Learning that is useful for detecting different types of anomalous patterns in your time series data”

Page 20: IOM/D Trends – Purple Teaming

https://aka.ms/scalingredteam

Page 21: IOM/D Trends – The commoditization of Threat Intel

[figure: Azure Security Center]

Page 22: IOM/D Trends – “Stealth” features in Defense

[diagram: DATA PLANE holds the VM, its VHD and Azure Storage; the CONTROL PLANE performs Forensic @Scale / Off-Node Analysis over copies of the VHDs]

Page 23: Trends – Engineering

• Monoculture
• Shift from cost center to profit
• Used to scale - system engineering and data scientist
• Used to very high expectation – Azure 99.9%

https://www.youtube.com/watch?v=R31Ez1XJEeI

Page 24: Trends – Engineering

Assume Breach mindset

Page 25: Counter Measures

[figure: attacker characteristics, from Infiltrate 2015 - Data Driven Offence, https://vimeo.com/133292422]
• Specific/sequential targeting
• Effective reconnaissance
• Practiced tool usage
• Sophisticated planning
• Social engineering
• Advanced & persistent
• Diversionary Tactics
• Machine Learning
• Varied Persistence
• Intelligence Driven
• Multi-Front Assaults

Page 26: Counter Measures

Page 27: Thank you

Sacha Faust

@sachafaust

Andrew Johnson

@secprez

https://aka.ms/cesecurityjobsse