Cloud Post Exploitation - Immunity Inc.
TRANSCRIPT
Andrew Johnson @secprez | Sacha Faust @sachafaust | Cloud & Enterprise Red Team
CLOUD POST EXPLOITATION
Key Takeaways
Azure Overview
Cloud Pivots
Trends and Countermeasures
C+E Red Team
• Red Team Success
  MTTC + MTTO
  MTTD + MTTR
• Clear rules of engagement
• P0 focus – break glass scenarios
• Cloud vs Cloud
• Shift from Operation to Recovery Games
Culture – Collective Growth Mindset
• “Let’s make it harder!”
• Engineering Focused
• Diplomatic
• Operate like Next Generation APT™
Crawl
Walk
Run
Adapt
Adapt+
Azure Crash Course
Figure labels, enterprise network side: Domain Controller, SQL Server, File Server, Application Server, Internet, Network ACL (Ingress & Egress), Monitoring, Private Network, Production Domain
Figure labels, Azure side: Azure VM (IAAS), Azure Storage, SQL Azure, Azure Analytics (Logging), Azure VNET, Azure Redis Cache, Azure PAAS Service, Azure Document DB, Azure Key Vault
Cloud Mindset
On-premises concept -> Cloud equivalent:
Server -> Services
Domain -> Subscription
Domain Admin -> Subscription Admin
Pass the Hash -> Credential Pivot
Private IPs -> Public IPs
RDP / SSH -> Management APIs
Pivoting
Basic - Storage to VM
Option 1 – Exfil running VM: shadow copy the VM (Start-AzureStorageBlobCopy)
Option 2 – Override VM when turned off
Research Area – Tamper running VM
PAAS 101
Attacking Hosted Services - PAAS
• Hosted Services are created from three elements:
  • Certificates hosted in the cloud service
  • A configuration file containing secrets and other service metadata
  • A package containing the code and resources
Hosted Service: Certificates, Configuration (cscfg), Package (cspkg)
RDP Extension
Step 1 – Get role configuration: Get-AzureDeployment
Step 2 – Create extension: New-AzureServiceRemoteDesktopExtensionConfig
Step 3 – Push tampered package: Set-AzureDeployment
Step 4 – Remove when done: Remove-PAASRemoteAccessExtension
Remote Desktop
Platform as a Service (PAAS)
PAAS Certificates
Step 1 – Query management API to get certificates available: Get-AzureDeployment
Step 2 – Create custom service package
  • Add target certificate thumbprint
  • Make service dump certs from OS and exfil
Step 3 – Initiate deployment: Set-AzureDeployment with the Use upgrade flag to the staging slot
Step 4 – Wait for cert and pivot
PAAS Upgrade
Step 1 – Exfiltrate cspkg file (get package): Get-AzureBlobContent
Step 2 – Find/create elevated task and bootstrap malware
Step 3 – Update file hash
Step 4 – Push tampered package: Set-AzureBlobContent
Step 5 – Initiate deployment: Set-AzureDeployment with the Use upgrade flag
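A defender-side detection sketch, added here and not part of the original deck: it replays constructed control-plane audit records (the record shape, caller names and targets are assumptions, not Azure's log format) and flags, per caller and target, the ordered cmdlet sequences that the Storage-to-VM, RDP Extension and PAAS Upgrade pivots above issue against the management API.

```python
from datetime import datetime, timedelta

# Constructed audit records (assumed shape, not a real Azure log format):
# one entry per management-API call made by a subscription principal.
SAMPLE_LOG = [
    {"time": "2017-04-01T10:00:00", "caller": "svc-deployer", "op": "Get-AzureDeployment", "target": "billing-svc"},
    {"time": "2017-04-01T10:01:00", "caller": "svc-deployer", "op": "New-AzureServiceRemoteDesktopExtensionConfig", "target": "billing-svc"},
    {"time": "2017-04-01T10:02:00", "caller": "svc-deployer", "op": "Set-AzureDeployment", "target": "billing-svc"},
    {"time": "2017-04-01T10:40:00", "caller": "svc-deployer", "op": "Remove-PAASRemoteAccessExtension", "target": "billing-svc"},
    {"time": "2017-04-01T11:00:00", "caller": "ops-alice", "op": "Get-AzureDeployment", "target": "web-front"},
    {"time": "2017-04-02T09:00:00", "caller": "ops-alice", "op": "Set-AzureDeployment", "target": "web-front"},
    {"time": "2017-04-03T02:00:00", "caller": "svc-deployer", "op": "Start-AzureStorageBlobCopy", "target": "vhds"},
]

# Ordered cmdlet sequences that the deck's pivots issue against the management
# API. Every step must come from the same caller against the same target, and
# the whole sequence must complete inside WINDOW to count as one match.
PLAYBOOKS = {
    "paas-rdp-extension": ["New-AzureServiceRemoteDesktopExtensionConfig", "Set-AzureDeployment"],
    "paas-upgrade-tamper": ["Get-AzureBlobContent", "Set-AzureBlobContent", "Set-AzureDeployment"],
    "storage-to-vm-exfil": ["Start-AzureStorageBlobCopy"],
}
WINDOW = timedelta(hours=1)


def find_sequences(log, playbooks=PLAYBOOKS, window=WINDOW):
    """Return one (playbook, caller, target, start_time) tuple per completed sequence."""
    # Group events per (caller, target) in time order so sequences are tracked per actor.
    by_actor = {}
    for rec in sorted(log, key=lambda r: r["time"]):
        key = (rec["caller"], rec["target"])
        by_actor.setdefault(key, []).append((datetime.fromisoformat(rec["time"]), rec["op"]))

    hits = []
    for (caller, target), events in by_actor.items():
        for name, steps in playbooks.items():
            idx, start = 0, None            # position in the sequence, time of its first step
            for t, op in events:
                if idx and t - start > window:  # partial match went stale: start over
                    idx, start = 0, None
                if op != steps[idx]:
                    continue                # unrelated or out-of-order call, keep waiting
                start = start or t
                idx += 1
                if idx == len(steps):
                    hits.append((name, caller, target, start))
                    idx, start = 0, None
    return hits


if __name__ == "__main__":
    for name, caller, target, start in find_sequences(SAMPLE_LOG):
        print(f"{start.isoformat()} {caller} -> {target}: {name}")
```

The routine redeploy by ops-alice, which reads and then updates a deployment a day apart, produces no match, while the extension-then-deploy pair and the VHD blob copy by svc-deployer do. The deck's "remove when done" step (Remove-PAASRemoteAccessExtension shortly after the extension was added) is itself worth a separate alert.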
Hybrid Pivot
On Premise to Cloud Pivot!
Persistence Pyramid
Identity
• Service Principals support multiple passwords
• App provides rich landscape
Subscription
• Subscription administrators
• Management Certificates
Storage Account
• Storage Account Key
• Secure Access URL (SAS) key (offline minting)
Cloud Service
• Tamper Deployment
Virtual Machine
• OS persistence
• Override
• Shadow copy
Network
• Add resource to resource group (VM)
• Modify Network Security Group
As an operator/attacker, do you have enough visibility into the risks you are accepting?
Indicators of:
• Monitoring (IOM)
• Detection (IOD)
• Recovery (IOR)
IOM/D Trends – Rise of Anomaly Detection
Azure Security Center
Anomaly Detection API – Cortana Intelligence Gallery: https://aka.ms/infiltrate2017-anomalyapi
“Anomaly Detection is an API built with Azure Machine Learning that is useful for detecting different types of anomalous patterns in your time series data”
IOM/D Trends – The commoditization of Threat Intel
Azure Security Center
IOM/D Trends – “Stealth” features in Defense
Forensic @Scale: Off-Node Analysis (figure labels: VHD, Azure Storage, VM, Data Plane, Control Plane)
Trends – Engineering
• Monoculture
• Shift from cost center to profit
• Used to scale – system engineering and data scientists
• Used to very high expectations – Azure 99.9%
https://www.youtube.com/watch?v=R31Ez1XJEeI
Trends – Engineering
Assume Breach mindset
Counter Measures …
Specific/sequential targeting
Effective reconnaissance
Practiced tool usage
Sophisticated planning
Social engineering
Advanced & persistent
Infiltrate 2015 - Data Driven Offence: https://vimeo.com/133292422
Diversionary Tactics
Machine Learning
Varied Persistence
Intelligence Driven
Multi-Front Assaults
Thank you
Sacha Faust
@sachafaust
Andrew Johnson
@secprez
https://aka.ms/cesecurityjobsse