AAD | Abuse Service Principals

Hi!

Attackers want to target service principals because:

  • Service accounts and service principals do not have MFA
  • Attackers can log into Azure with a service principal's credentials (client ID and secret or certificate)
  • Every application registered in Azure has a service principal, and most companies have several applications
  • These accounts can only be controlled through Conditional Access with an Azure Active Directory Premium P2 license

Sign in with the service principal using Azure CLI (the en-dashes in the original flags are replaced by the double hyphens Azure CLI expects; the placeholders are your own values):

az login --service-principal -u YourServicePrincipalId -p YourServicePrincipalPassword --tenant YourTenantId --allow-no-subscriptions

To prevent this attack, you can define Conditional Access policies for your service principals. You need an Azure Active Directory Premium P2 license to enable this feature.
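Because a service principal sign-in never prompts for MFA, the practical detection for a stolen secret is the sign-in log itself: a successful token request from a network the principal never used, or a burst of failed requests before a success. The following is an added example (not code from the original post) that runs that check over a few constructed records in a simplified ServicePrincipalSignInLogs-style schema; the field names, the per-principal network baseline and the sample values are assumptions for the demonstration.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample records (simplified ServicePrincipalSignInLogs-style schema, assumed).
# ResultType 0 is a successful sign-in; any other value is a failure.
SAMPLE_LOG = """
{"TimeGenerated":"2023-05-01T08:00:00Z","ServicePrincipalName":"backup-sp","ServicePrincipalId":"11111111-1111-1111-1111-111111111111","IPAddress":"10.20.0.5","ResultType":0,"ResourceDisplayName":"Azure Storage"}
{"TimeGenerated":"2023-05-01T08:05:00Z","ServicePrincipalName":"backup-sp","ServicePrincipalId":"11111111-1111-1111-1111-111111111111","IPAddress":"203.0.113.77","ResultType":0,"ResourceDisplayName":"Windows Azure Service Management API"}
{"TimeGenerated":"2023-05-01T08:06:00Z","ServicePrincipalName":"ci-sp","ServicePrincipalId":"22222222-2222-2222-2222-222222222222","IPAddress":"198.51.100.9","ResultType":7000215,"ResourceDisplayName":"Windows Azure Service Management API"}
{"TimeGenerated":"2023-05-01T08:06:10Z","ServicePrincipalName":"ci-sp","ServicePrincipalId":"22222222-2222-2222-2222-222222222222","IPAddress":"198.51.100.9","ResultType":7000215,"ResourceDisplayName":"Windows Azure Service Management API"}
{"TimeGenerated":"2023-05-01T08:06:20Z","ServicePrincipalName":"ci-sp","ServicePrincipalId":"22222222-2222-2222-2222-222222222222","IPAddress":"198.51.100.9","ResultType":7000215,"ResourceDisplayName":"Windows Azure Service Management API"}
{"TimeGenerated":"2023-05-01T08:06:30Z","ServicePrincipalName":"ci-sp","ServicePrincipalId":"22222222-2222-2222-2222-222222222222","IPAddress":"198.51.100.9","ResultType":0,"ResourceDisplayName":"Windows Azure Service Management API"}
"""

# Constructed baseline: the networks each principal is expected to sign in from
# (for a real tenant, build this from the principal's own sign-in history).
BASELINE = {
    "11111111-1111-1111-1111-111111111111": ["10.20.0.0/16"],
    "22222222-2222-2222-2222-222222222222": ["198.51.100.0/24"],
}


def parse_sign_ins(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ip_in_baseline(ip, networks):
    """True if the address falls inside any of the principal's expected networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def find_suspicious(records, baseline, failure_threshold=3):
    """Return findings for successful sign-ins from unexpected networks and for
    principals that accumulated failure_threshold or more failed sign-ins."""
    findings = []
    failures = Counter()
    names = {}
    for rec in records:
        sp_id = rec["ServicePrincipalId"]
        names[sp_id] = rec["ServicePrincipalName"]
        if rec["ResultType"] != 0:
            failures[sp_id] += 1
            continue
        # A success from outside the baseline is the signal a leaked secret is in use;
        # there is no MFA step that would have stopped it.
        if not ip_in_baseline(rec["IPAddress"], baseline.get(sp_id, [])):
            findings.append({
                "reason": "unexpected_network",
                "principal": rec["ServicePrincipalName"],
                "ip": rec["IPAddress"],
                "time": rec["TimeGenerated"],
            })
    # Repeated failures before a success look like secret guessing or an expired
    # secret being retried by someone who does not know the current one.
    for sp_id, count in failures.items():
        if count >= failure_threshold:
            findings.append({
                "reason": "repeated_failures",
                "principal": names[sp_id],
                "failures": count,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_sign_ins(SAMPLE_LOG), BASELINE):
        print(f)
```

Both rules deliberately ignore the client's user agent and resource, which an attacker controls; the source network and the failure pattern are the signals that survive a stolen secret.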

Maxime.

Azure Disk | Exfiltrate VM Disk

Hi!

Previous article: Azure Disk | Data Exfiltration

In this article, I will show you how we can leverage the PowerZure tool to exfiltrate data stored in virtual machine disks. By default, the network configuration of a disk in Azure is not restricted (public endpoint), as you can see in the screenshot below:

We will leverage PowerZure and its Get-AzDisk and Get-AzureVMDisk commands to generate a SAS link valid for 24 hours and download the image of the disk (a VHD file). This file can then be mounted in a Windows environment and the data stored on it extracted.
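The precondition for this exfiltration is the disk's network access policy: with the default AllowAll (and public network access enabled) an export SAS works from anywhere, while AllowPrivate ties export to a disk access resource and DenyAll disables export entirely. The following added example (not part of the original article or of PowerZure) classifies disks from `az disk list -o json`-style output; the three properties it reads (networkAccessPolicy, publicNetworkAccess, diskAccessId) are real properties of Microsoft.Compute/disks, the sample disks are constructed, and the remediation string uses the `az disk update --network-access-policy` flag as I know it.

```python
import json

# Constructed sample in the shape of `az disk list -o json` (only the fields used here).
SAMPLE_DISKS_JSON = """
[
  {"name": "vm1_OsDisk", "resourceGroup": "rg-prod", "managedBy": "/subscriptions/x/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1",
   "networkAccessPolicy": "AllowAll", "publicNetworkAccess": "Enabled", "diskAccessId": null},
  {"name": "vm2_OsDisk", "resourceGroup": "rg-prod", "managedBy": "/subscriptions/x/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm2",
   "networkAccessPolicy": "AllowPrivate", "publicNetworkAccess": "Disabled",
   "diskAccessId": "/subscriptions/x/resourceGroups/rg-prod/providers/Microsoft.Compute/diskAccesses/da-prod"},
  {"name": "vm3_DataDisk", "resourceGroup": "rg-prod", "managedBy": null,
   "networkAccessPolicy": "DenyAll", "publicNetworkAccess": "Disabled", "diskAccessId": null}
]
"""


def classify_disk(disk):
    """Map a disk's network settings to how an export SAS for it could be used."""
    policy = disk.get("networkAccessPolicy", "AllowAll")  # AllowAll is the service default
    if policy == "DenyAll":
        return "export_disabled"
    if policy == "AllowPrivate" and disk.get("diskAccessId"):
        return "private_endpoint_only"
    # AllowAll, or AllowPrivate with no disk access resource, leaves the public endpoint reachable.
    if disk.get("publicNetworkAccess", "Enabled") == "Enabled":
        return "public_export"
    return "public_endpoint_disabled"


def exposed_disks(disks):
    """Names of disks whose VHD could be downloaded over the internet with a SAS link."""
    return [d["name"] for d in disks if classify_disk(d) == "public_export"]


def remediation_command(disk):
    """Azure CLI command that turns off export for the disk (DenyAll)."""
    return (f"az disk update -n {disk['name']} -g {disk['resourceGroup']} "
            f"--network-access-policy DenyAll")


def report(disks_json):
    """Return (exposed names, remediation commands) for a JSON disk list."""
    disks = json.loads(disks_json)
    exposed = exposed_disks(disks)
    commands = [remediation_command(d) for d in disks if d["name"] in exposed]
    return exposed, commands


if __name__ == "__main__":
    names, cmds = report(SAMPLE_DISKS_JSON)
    print("exposed:", names)
    for c in cmds:
        print(c)
```

DenyAll still allows the VM to use the disk; it only blocks the export path that the SAS download depends on, so it is the setting to apply to disks that are never legitimately exported.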

Maxime.