It’s Raining Shells

How to Find New�Attack Primitives in Azure

Permalink to this deck: https://bit.ly/3ItRi6u

Hello!

My name is Andy Robbins

Co-creator of BloodHound

Product Architect of BloodHound Enterprise�I work at @SpecterOps�You can find me at @_wald0

Agenda

Why abuses, not bugs?

Crash Course Through The Basics

Finding New Attack Primitives: MS Graph Case Study

Where to find research ideas

Conclusion

Agenda

Why abuses, not bugs?

Crash Course Through The Basics

Finding New Attack Primitives: MS Graph Case Study

Where to find research ideas

Conclusion

Abuse primitives:

• Generally enjoy a dramatically longer shelf life

Abuse primitives:

• Generally enjoy a dramatically longer shelf life
• Are much cheaper to maintain over time

Abuse primitives:

• Generally enjoy a dramatically longer shelf life
• Are much cheaper to maintain over time
• Exist in almost every instance of a given platform

Abuse primitives:

• Generally enjoy a dramatically longer shelf life
• Are much cheaper to maintain over time
• Exist in almost every instance of a given platform
• Present a notorious challenge to detection engineers

https://twitter.com/thegrugq/status/563964286783877121

https://twitter.com/mattifestation/status/809105346870460416

Agenda

Why Azure abuses?

Crash Course Through The Basics

Finding New Attack Primitives: MS Graph Case Study

Where to find research ideas

Conclusion

What (exactly) is Azure?

Simply put: Azure is Microsoft’s cloud computing product.

Azure is comprised of more than 600 distinct services that cover:

• Identity
• Computing
• Storage
• Data management
• Messaging
• DevOps
• IoT
• etc

Securable Object Hierarchy

Azure AD Tenant

Azure AD Tenant

User

Group

Service Principal

Device

App

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

App

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

Management Groups

App

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

Management Groups

App

Management Groups

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

Management Groups

Subscriptions

Resource Groups

App

Management Groups

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

Management Groups

Subscriptions

Resource Groups

App

Management Groups

VM

Key Vault

DB

Blobs

Authentication

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

Management Groups

Subscriptions

Resource Groups

App

Management Groups

VM

Key Vault

DB

Blobs

Token issuance

Principal

MS Graph API App Role

MS Graph Resource App

Authenticates via Security Token Service

Scoped To

GrantedRole

value: “AppRoleAssignment.ReadWrite.All”

Azure AD�Directory Service

Brokers To

Specified resource

Securable

Object

Contains

Token issuance

Principal

JWT

Has Token

"aud": "https://graph.microsoft.com"�…�…�“roles”: [� “AppRoleAssignment.ReadWrite.All”�]�…�...

Access Control

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

Management Groups

Subscriptions

Resource Groups

App

Management Groups

VM

Key Vault

DB

Disk

• AzureAD Admin Roles
• MS Graph API Permissions
• AzureAD API Permissions
• Object-scoped admin roles
• Explicit Ownership

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

Management Groups

Subscriptions

Resource Groups

App

Management Groups

VM

Key Vault

DB

Blobs

Azure Admin Roles ●

Attribute Based Access Control ●

Key/Secret/Cert Rights ●

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

Management Groups

Subscriptions

Resource Groups

App

Management Groups

VM

Key Vault

DB

Blobs

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

Management Groups

Subscriptions

Resource Groups

App

Management Groups

VM

Key Vault

DB

Blobs

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

Management Groups

Subscriptions

Resource Groups

App

Management Groups

VM

Key Vault

DB

Blobs

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

Management Groups

Subscriptions

Resource Groups

App

Management Groups

VM

Key Vault

DB

Blobs

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

Management Groups

Subscriptions

Resource Groups

App

Management Groups

VM

Key Vault

DB

Blobs

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

Management Groups

Subscriptions

Resource Groups

App

Management Groups

VM

Key Vault

DB

Disk

Azure AD Tenant

User

Group

Service Principal

Device

Root Management Group

Management Groups

Subscriptions

Resource Groups

App

Management Groups

VM

Key Vault

DB

Disk

Azure AD Tenant

User

Group

Service Principal

Device

App

Root Management Group

Management Groups

Subscriptions

Resource Groups

Management Groups

VM

Key Vault

DB

Blobs

Agenda

Why Azure abuses?

Crash Course Through The Basics

My Abuse Primitive Research Process: MS Graph Case Study

Where to find research ideas

Conclusion

Begin with the end in mind

Begin with the end in mind

Study Intent and Design of the System

Begin with the end in mind

Study Intent and Design of the System

Explore the system using various means

Begin with the end in mind

Study Intent and Design of the System

Explore the system using various means

Catalogue abuse capabilities

Begin with the end in mind

Study Intent and Design of the System

Explore the system using various means

Catalogue abuse capabilities

Share findings

Begin with the end in mind

Study Intent and Design of the System

Explore the system using various means

Catalogue abuse capabilities

Share findings

My Abuse Primitive Research Process

Begin with the end in mind

Study Intent and Design of the System

Explore the system using various means

Catalogue abuse capabilities

Share findings

My Abuse Primitive Research Process

I want to understand:

● The fundamental mechanics the system

● How the system interacts with other systems

● How the system can be abused

​

​

Begin with the end in mind

I want to understand:

● The fundamental mechanics the system

● How the system interacts with other systems

● How the system can be abused

​

I want to produce:

● A blog/talk for others to understand and build on

● Example audit and abuse code

● Practical remediation guidance

Begin with the end in mind

I want to understand:

● The fundamental mechanics the system

● How the system interacts with other systems

● How the system can be abused

​

I want to produce:

● A blog/talk for others to understand and build on

● Example audit and abuse code

● Practical remediation guidance

​

If appropriate for BloodHound, I want to prepare for:

● The impact on the existing graph model

● How to expand the graph model

● What data to collect and ingest, and how to get that data

Begin with the end in mind

Begin with the end in mind

Study Intent, Design and Usage of the System

Explore the system using various means

Catalogue abuse capabilities

Share findings

My Abuse Primitive Research Process

Establish success criteria for this research

Begin with the end in mind

Study Intent, Design and Usage of the System

Explore the system using various means

Catalogue abuse capabilities

Share findings

My Abuse Primitive Research Process

Establish success criteria for this research

Technical

Non-Technical

Official Documentation

Study Intent, Design and Usage of the System

Microsoft MS graph

ms graph permissions

Initial MS Graph Notes

• MS Graph is some kind of Azure-related service

Initial MS Graph Notes

• MS Graph is some kind of Azure-related service�
• It exposes a REST API

Initial MS Graph Notes

• MS Graph is some kind of Azure-related service�
• It exposes a REST API�
• It can let you reset other users’ passwords if you have the right permissions

Initial MS Graph Notes

• MS Graph is some kind of Azure-related service�
• It exposes a REST API�
• It can let you reset other users’ passwords if you have the right permissions�
• It seems to have a distinct permissions system versus Azure AD and Azure RM

Technical

Non-Technical

Official Documentation

Study Intent, Design and Usage of the System

Technical

Non-Technical

Code Repositories

People

Official Documentation

Blogs

Talks

Study Intent, Design and Usage of the System

site:linkedin.com “Microsoft” “Graph” “Architect”

Technical

Non-Technical

Code Repositories

People

Official Documentation

Blogs

Talks

Study Intent, Design and Usage of the System

Technical

Non-Technical

Code Repositories

Community

People

Official Documentation

Blogs

Talks

Chat & Forums

Repo Issues

Study Intent, Design and Usage of the System

Initial MS Graph Notes

• MS Graph is some kind of Azure-related service�
• It exposes a REST API�
• It can let you reset other users’ passwords if you have the right permissions�
• It seems to have a distinct permissions system versus Azure AD and Azure RM

Updated MS Graph Notes

• Microsoft is investing into MS Graph as a sort of “API for APIs”, a unifying endpoint that may eventually allow for indirectly interacting with any object in any service just by interfacing with MS Graph.

Updated MS Graph Notes

• Microsoft is investing into MS Graph as a sort of “API for APIs”, a unifying endpoint that may eventually allow for indirectly interacting with any object in any service just by interfacing with MS Graph.�
• MS Graph’s REST API is instantiated into every Azure tenant as a Resource App (aka Enterprise App, aka Service Principal, aka First Party App).

Updated MS Graph Notes

• Microsoft is investing into MS Graph as a sort of “API for APIs”, a unifying endpoint that may eventually allow for indirectly interacting with any object in any service just by interfacing with MS Graph.�
• MS Graph’s REST API is instantiated into every Azure tenant as a Resource App (aka Enterprise App, aka Service Principal, aka First Party App).�
• MS Graph brokers requests to particular Azure services, including privileged action requests like resetting passwords or adding users to security groups.

Begin with the end in mind

Study Intent, Design and Usage of the System

Explore the system using various means

Catalogue abuse capabilities

Share findings

My Abuse Primitive Research Process

Establish success criteria for this research

Build foundational, academic knowledge

Begin with the end in mind

Study Intent, Design and Usage of the System

Explore the system using various means

Catalogue abuse capabilities

Share findings

My Abuse Primitive Research Process

Establish success criteria for this research

Build foundational, academic knowledge

You must go beyond the documentation.

• These systems are interconnected in undocumented and non-public ways

You must go beyond the documentation.

• These systems are interconnected in undocumented and non-public ways
• Documentation often doesn’t keep up with changes

You must go beyond the documentation.

• These systems are interconnected in undocumented and non-public ways
• Documentation often doesn’t keep up with changes
• Tooling based only on documentation is almost always inaccurate, unreliable tooling.

Explore the system using various means

Azure Portal GUI

Explore the system using various means

Azure Portal GUI

MS-authored CLI tools

az binary

AzureAD PowerShell Module

Az PowerShell Module

Explore the system using various means

Azure Portal GUI

MS-authored CLI tools

Our own basic client

Explore the system using various means

Get a token

Get data from the API

Work with the data

The data

Client execution

Token gotchas

• JWTs facilitate stateless authentication but only partly facilitate stateless authorization
• But not all authorization is stored in the JWT

​

​

Token gotchas

• JWTs facilitate stateless authentication but only partly facilitate stateless authorization
• But not all authorization is stored in the JWT

​

• AzureAD roles and MS Graph roles are stored in JWTs
• But these tokens do not include AzureRM role assignments or the various other access control configs

​

​

Token gotchas

• JWTs facilitate stateless authentication but only partly facilitate stateless authorization
• But not all authorization is stored in the JWT

​

• AzureAD roles and MS Graph roles are stored in JWTs
• But these tokens do not include AzureRM role assignments or the various other access control configs

​

• Tl;dr: You can have more privileges than what your JWT states

Audience

Issuer

MS Graph scoped App Roles

AzureAD Roles

Begin with the end in mind

Study Intent, Design and Usage of the System

Explore the system using various means

Catalogue abuse capabilities

Share findings

My Abuse Primitive Research Process

Establish success criteria for this research

Build foundational, academic knowledge

Begin with the end in mind

Study Intent, Design and Usage of the System

Explore the system using various means

Catalogue abuse capabilities

Share findings

My Abuse Primitive Research Process

Establish success criteria for this research

Build foundational, academic knowledge

Create a simple, functional client

Begin with the end in mind

Study Intent, Design and Usage of the System

Explore the system using various means

Catalogue abuse capabilities

Share findings

My Abuse Primitive Research Process

Establish success criteria for this research

Build foundational, academic knowledge

Create a simple, functional client

Enumerate assignable permissions

Catalogue abuse capabilities

Enumerate assignable permissions

Test existing abuses, consider new abuses

Catalogue abuse capabilities

Enumerate assignable permissions

Automate this process

Test existing abuses, consider new abuses

Catalogue abuse capabilities

Example Attack Path

User

App�Registration

Service�Principal

App�Role

App�Role

AAD Directory Role

Owns

Runs As

Granted

Can Grant

Can Grant

Name:�Matt Nelson

Name: MyCoolApp

Name: MyCoolApp

Value:�AppRoleAssignment.ReadWrite.All

Value:�RoleManagement.ReadWrite.Directory

Name:�Global Administrator

Coming soon: Atomic Azure Tests

• Inspired by Red Canary’s Atomic Red Team
• But with no dependence on existing PowerShell modules
• Can be easily expanded to cover other Azure services

​

• End result: daily automatic permission->abuse mapping available for anyone to see.

Begin with the end in mind

Study Intent, Design and Usage of the System

Explore the system using various means

Catalogue abuse capabilities

Share findings

My Abuse Primitive Research Process

Establish success criteria for this research

Build foundational, academic knowledge

Create a simple, functional client

Automate collection, audit, and abuse

Begin with the end in mind

Study Intent, Design and Usage of the System

Explore the system using various means

Catalogue abuse capabilities

Share findings

My Abuse Primitive Research Process

Establish success criteria for this research

Build foundational, academic knowledge

Create a simple, functional client

Automate collection, audit, and abuse

Give a Talk

Write a Blog

Share your Code

Share findings

Begin with the end in mind

Study Intent, Design and Usage of the System

Explore the system using various means

Catalogue abuse capabilities

Share findings

My Abuse Primitive Research Process

Establish success criteria for this research

Build foundational, academic knowledge

Create a simple, functional client

Automate collection, audit, and abuse

Write the blog you needed at the start

I want to understand:

● The fundamental mechanics the system

● How the system interacts with other systems

● How the system can be abused

​

I want to produce:

● A blog/talk for others to understand and build on

● Example audit and abuse code

● Practical remediation guidance

​

If appropriate for BloodHound, I want to prepare for:

● The impact on the existing graph model

● How to expand the graph model

● What data to collect and ingest, and how to get that data

Begin with the end in mind

I want to understand:

✅ The fundamental mechanics the system

✅ How the system interacts with other systems

✅ How the system can be abused

​

I want to produce:

✅ A blog/talk for others to understand and build on

✅ Example audit and abuse code

✅ Practical remediation guidance

​

If appropriate for BloodHound, I want to prepare for:

✅ The impact on the existing graph model

✅ How to expand the graph model

✅ What data to collect and ingest, and how to get that data

Begin with the end in mind

Agenda

Why Azure abuses?

Crash Course Through The Basics

Finding New Attack Primitives: MS Graph Case Study

Where to find research ideas

Conclusion

Build on your existing expertise

​

Databases

● Azure SQL Database

● Azure Database for PostgreSQL

● Azure Cosmos DB

DevOps / CICD

● Azure Pipelines

● Azure Artifacts

● Azure Repos

Web Apps/Infra

● Azure Web PubSub

● Content Delivery Network

● Azure SignalR Service

See the full (?) directory of services here: https://azure.microsoft.com/en-us/services/

Follow Microsoft Leaders on Twitter

@JefTek - Jef Kazimer� Principal Program Manager - Azure Active Directory�

@BaileyBercick - Bailey Bercick� Program Manager - Azure Active Directory Product Group�

@Sue_Bohn - Sue Bohn� Vice President of Program Management in the Identity & Network Access Division�

@Alex_A_Simons - Alex Simons� Corporate Vice President of Program Management, Microsoft Identity Division

Follow These People on Twitter

@mariussmellum - Marius Solbakken� Principal - TietoEVRY

@inversecos - Lina Lau� Principal Incident Response Consultant - Secureworks

@DrAzureAD - Dr. Nestori Syynimaa� Senior Principal Security Researcher - Secureworks

@asegunlolu - David Okeyode� EMEA Chief Technology Officer, Azure Cloud - Palo Alto Networks

Bookmark these pages

https://www.thelazyadministrator.com

https://goodworkaround.com/

https://www.azadvertizer.net/

https://thomasvanlaere.com/

https://msportals.io/?search=

​

Agenda

Why abuses, not bugs?

Crash Course Through The Basics

Finding New Attack Primitives: MS Graph Case Study

Where to find research ideas

Conclusion

Conclusion

There has never been a better time than right now to get involved in Azure abuse research.

​

​

Conclusion

There has never been a better time than right now to get involved in Azure abuse research.

​

I hope I’ve shown you just how easy (if tedious) it actually is. Happy hunting!

Thank you!

You can find me at @_wald0

​

Appendix Slides

Review: Catalogue the system’s abuse capabilities

Results:

• You should understand where the system materially differs from documentation
• You should now know at least some abuse primitives against the system
• You should now know what information to collect, and how, to find abusable configurations in the system
• You should be able to publish your findings for industry colleagues to understand and build on top of

Actions:

• Determine the scope of objects that can be acted upon through the system
• For each object type, attempt to “abuse” the object through the system using various privileges
• Document your findings
• If possible, automate your abuse tests

Fine-grained control lets you:

• Determine the minimum parameters actually required by the API
• Easily change request properties to test for CA bypasses
• Accurately automate your testing
• Build future tooling without needing 3rd party modules
• Discover how the system materially differs from its documentation
• VASTLY simplify getting data out of the system
• Get MORE data than what the GUI will ever show you

Principal

MS Graph API App Role

MS Graph Resource App

Scoped To

GrantedRole

value: “AppRoleAssignment.ReadWrite.All”

Brokers To

Specified resource

Securable

Object

Contains

Azure AD�Directory Role

Authenticates To

name: “Cloud App Admin”

GrantedRole

Scoped To

Azure AD�Directory Service

Principal

Token

Has Token

"aud": "https://graph.microsoft.com"�…�“roles”: [� “AppRoleAssignment.ReadWrite.All”�]�…

“wids”: [� “158c047a-c907-4556-b7ef-446551a6b5f7”

]

...

My High Level Methodology:

1. Begin with the end in mind
2. Understand the intent and design of the system
3. Explore the system from different perspectives
4. Catalogue the system’s abuse capabilities