Category: Miscellaneous

Azure Disk | Data Exfiltration

Hi!

In this article, I will show you how a malicious actor can use the Azure managed disk import/export feature to exfiltrate data out of your organization. By default, every managed disk in Azure is created with its public endpoint enabled (network access policy AllowAll).

You can generate a time-bound Shared Access Signature (SAS) URI for an unattached managed disk or snapshot in order to export its data: to another region for regional expansion, for disaster recovery, or to read the data for forensic analysis. When the URI is generated you must set an expiration time, up to a maximum of 4294967295 seconds (about 136 years). Until it expires, anyone who holds the SAS URI can download the whole disk, with no IP filtering and no Azure authentication.
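To see that exposure window concretely, here is an added PowerShell example (mine, not from the original post) that grants an export SAS on a disk, downloads the disk with nothing but the URI, and revokes the SAS. It assumes the Az.Compute module, a session opened with Connect-AzAccount, and placeholder names for the resource group and the disk.

```powershell
# Added example, not part of the original post. Requires Az.Compute and an
# authenticated session (Connect-AzAccount). Names below are placeholders.
$rg   = 'rg-example'     # assumption: resource group holding the disk
$disk = 'disk-example'   # assumption: an unattached managed disk

# 1. Anyone holding Microsoft.Compute/disks/beginGetAccess/action can mint a
#    read-only SAS. The lifetime is caller-chosen, up to 4294967295 seconds.
$grant = Grant-AzDiskAccess -ResourceGroupName $rg -DiskName $disk `
            -Access Read -DurationInSecond 3600
$sas = $grant.AccessSAS   # the URI is only returned here, at grant time

# 2. While a SAS is live the disk reports DiskState = ActiveSAS. That state is
#    what an inventory should look for.
(Get-AzDisk -ResourceGroupName $rg -DiskName $disk).DiskState

# 3. With the default AllowAll network access policy the URI is the only
#    credential needed: no Azure identity, no source-IP check. Any HTTP client
#    (curl, azcopy, a browser) can pull the full VHD from anywhere.
Invoke-WebRequest -Uri $sas -OutFile (Join-Path $env:TEMP "$disk.vhd")

# 4. Revoke explicitly when done; revocation is immediate, expiry is not a control.
Revoke-AzDiskAccess -ResourceGroupName $rg -DiskName $disk
```

Step 3 is the whole point: once the SAS has left the tenant (a paste, a log line, a compromised runbook) the download works from any network until expiry or revocation, which is why the remediation below works on the network access policy of the disk rather than on who can call the grant API.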

To prevent this, I recommend that you either:

  • Enable a private endpoint for the disk (through a Disk Access resource, network access policy AllowPrivate), or
  • Set the network access policy to DenyAll, which blocks import and export completely.

If you want to know which managed disks are still configured with the « Public endpoint » connectivity method, you can use an Azure Policy in audit mode:

{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/disks"
        },
        {
          "field": "Microsoft.Compute/disks/networkAccessPolicy",
          "equals": "AllowAll"
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  }
}

And if you want to prevent this configuration, switch the effect of the policy from « audit » to « deny ». Keep in mind that a deny effect is evaluated on create and update requests only: disks that already exist with AllowAll are reported as non-compliant but keep their setting until you change it yourself.
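Since the deny policy does not touch existing disks, here is an added PowerShell example (mine, not from the original post) that inventories every disk the audit policy would flag, including disks with a live export SAS, and then hardens them. It assumes Az.Accounts and Az.Compute, a session that can read the subscriptions to audit, and, optionally, an existing Disk Access resource whose ID you put in the placeholder variable $diskAccessId.

```powershell
# Added example, not part of the original post. Requires Az.Accounts and
# Az.Compute and a session that can read the subscriptions to audit.
# Set $diskAccessId to an existing Disk Access resource in the same region as
# the disks to keep export available over a private endpoint; leave $null for DenyAll.
$diskAccessId = $null   # assumption: '/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Compute/diskAccesses/<name>'

$findings = foreach ($sub in Get-AzSubscription) {
    $null = Set-AzContext -Subscription $sub.Id
    foreach ($d in Get-AzDisk) {
        # NetworkAccessPolicy is AllowAll, AllowPrivate or DenyAll. An empty
        # value means the property was never set; treat it as the default, AllowAll.
        $policy = if ($d.NetworkAccessPolicy) { $d.NetworkAccessPolicy } else { 'AllowAll' }
        [pscustomobject]@{
            SubscriptionId = $sub.Id
            ResourceGroup  = $d.ResourceGroupName
            Disk           = $d.Name
            Policy         = $policy
            State          = $d.DiskState      # ActiveSAS* means an export SAS is live right now
            AttachedTo     = $d.ManagedBy
        }
    }
}

# What the audit policy above flags, plus disks with a live export SAS.
$findings | Where-Object { $_.Policy -eq 'AllowAll' -or $_.State -like 'ActiveSAS*' } |
    Format-Table -AutoSize

# Hardening. DenyAll blocks import/export entirely; AllowPrivate keeps it
# working only through the Disk Access private endpoint. Unlike a deny policy,
# this changes disks that already exist. Any live SAS is revoked first.
foreach ($f in $findings | Where-Object Policy -eq 'AllowAll') {
    $null = Set-AzContext -Subscription $f.SubscriptionId
    if ($f.State -like 'ActiveSAS*') {
        Revoke-AzDiskAccess -ResourceGroupName $f.ResourceGroup -DiskName $f.Disk
    }
    $update = if ($diskAccessId) {
        New-AzDiskUpdateConfig -NetworkAccessPolicy AllowPrivate -DiskAccessId $diskAccessId
    } else {
        New-AzDiskUpdateConfig -NetworkAccessPolicy DenyAll
    }
    Update-AzDisk -ResourceGroupName $f.ResourceGroup -DiskName $f.Disk -DiskUpdate $update
}
```

Run the inventory part first and review the ActiveSAS rows before the remediation loop: a disk with a live SAS is either a legitimate export in progress or exactly the event this article is about, and you want to know which before you revoke it.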

Maxime.

Identify Public Storage Account

Hi!

By default, a storage account allows public access to be configured for containers in the account, but does not enable public access to your data. Public access to blob data is never permitted unless you take the additional step to explicitly configure the public access setting for a container.

Microsoft introduced a new protection feature to help prevent public access on storage accounts. It adds a property named allowBlobPublicAccess at the account level: when it is set to false, no container in the account can be read anonymously, whatever the container's own public access level says.

Microsoft recommends that you disallow public access to a storage account unless your scenario requires it. Disallowing public access helps to prevent data breaches caused by undesired anonymous access.

In this article, I will show you how you can identify these storage accounts with an Azure Resource Graph query:

resources
| where type =~ 'Microsoft.Storage/storageAccounts'
| extend allowBlobPublicAccess = parse_json(properties).allowBlobPublicAccess
| project name, resourceGroup, allowBlobPublicAccess
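The query only tells you where the property is set. Here is an added PowerShell example (mine, not from the original post) that runs it across every subscription you can read, pages past the Resource Graph result cap, treats an empty allowBlobPublicAccess as unknown rather than safe, and turns the setting off. It assumes Az.ResourceGraph, Az.Storage and a session opened with Connect-AzAccount.

```powershell
# Added example, not part of the original post. Requires Az.ResourceGraph,
# Az.Accounts, Az.Storage and an authenticated session.
$query = @"
resources
| where type =~ 'microsoft.storage/storageaccounts'
| extend allowBlobPublicAccess = tostring(properties.allowBlobPublicAccess)
| project subscriptionId, resourceGroup, name, allowBlobPublicAccess
"@

# Page through the results: Search-AzGraph returns at most -First rows per call
# and hands back a SkipToken while more remain. -UseTenantScope covers every
# subscription the account can see, not only the current context.
$rows   = @()
$params = @{ Query = $query; First = 1000; UseTenantScope = $true }
do {
    $page = Search-AzGraph @params
    $rows += $page.Data
    $params['SkipToken'] = $page.SkipToken
} while ($page.SkipToken)

# 'true'  -> anyone with rights on a container can switch on anonymous reads
# ''      -> property never set on this account: verify it, do not assume it is safe
# 'false' -> anonymous access is disabled account-wide
$exposed = $rows | Where-Object { $_.allowBlobPublicAccess -ne 'false' }
$exposed | Format-Table subscriptionId, resourceGroup, name, allowBlobPublicAccess

# Flip the account-level switch; container-level public access becomes inert.
foreach ($sa in $exposed) {
    $null = Set-AzContext -Subscription $sa.subscriptionId
    Set-AzStorageAccount -ResourceGroupName $sa.resourceGroup -Name $sa.name `
        -AllowBlobPublicAccess $false
}
```

Anything that served static content anonymously (a public download container, a static website) will start returning 403 after the last loop, so run the report on its own first and carve out the accounts that genuinely need anonymous reads.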

A few months ago, I wrote an article showing how you can identify these storage accounts with an audit Azure Policy: https://zigmax.net/identifier-les-comptes-de-stockage-publiques/ (the article is written in French).

Maxime.

Azure Graph – List Public IPs

Hi,

In this article, I will show you how you can list all the public IP addresses across the Azure subscriptions your account can read.

Run the following query in Azure Resource Graph Explorer (raise or remove the limit if you own more than 100 addresses, otherwise the list is truncated):

Resources
| where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress)
| project
    name,
    properties.ipAddress,
    properties.publicIPAllocationMethod
| limit 100
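The query lists addresses but not what they are attached to, and it stops at 100 rows. Here is an added PowerShell example (mine, not from the original post) that builds the same inventory with Az.Network across every subscription you can read, without a row cap, and shows the owner of each address as well as the addresses that are allocated but unattached. It assumes Az.Accounts, Az.Network and an authenticated session.

```powershell
# Added example, not part of the original post. Requires Az.Accounts and
# Az.Network and an authenticated session (Connect-AzAccount).
$ips = foreach ($sub in Get-AzSubscription) {
    $null = Set-AzContext -Subscription $sub.Id
    foreach ($pip in Get-AzPublicIpAddress) {
        # IpConfiguration.Id points at the NIC, load balancer, gateway or bastion
        # that owns the address; empty means the address is allocated but idle.
        $owner = if ($pip.IpConfiguration) {
            ($pip.IpConfiguration.Id -split '/providers/') | Select-Object -Last 1
        } else {
            '(unattached)'
        }
        [pscustomobject]@{
            Subscription = $sub.Name
            Name         = $pip.Name
            IpAddress    = $pip.IpAddress                 # empty for a Dynamic IP that is not in use yet
            Allocation   = $pip.PublicIpAllocationMethod  # Static or Dynamic
            Sku          = $pip.Sku.Name
            Owner        = $owner
        }
    }
}

# Live, routable addresses and what sits behind them.
$ips | Where-Object IpAddress | Sort-Object Subscription, Name | Format-Table -AutoSize

# Idle addresses: still billed, and a Static one keeps its value until deleted,
# so it can be re-attached to anything later. Worth reviewing separately.
$ips | Where-Object Owner -eq '(unattached)' | Format-Table Subscription, Name, Allocation, Sku
```

The Owner column is the part that turns a list of IPs into an attack surface review: an address on a NIC is a host to check for open ports, an address on a load balancer frontend is a rule set to read, and an address on a VPN or application gateway is an entry point that has its own hardening guidance.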

Maxime.