VM | Exploit Virtual Machine with Managed Identity (MSI)

Hi!

In this article, I will show you how you can exploit a virtual machine associated with a Managed Identity. To leverage this attack, we will use the LAVA – Azure Exploitation framework.

In the first step, we will execute a command to list all the machines hosted in the Azure subscription. The goal of this action is to identify which machines are configured with a Managed Identity. In the example below, we can see the virtual machine max01 configured with a Managed Identity (SystemAssigned).

In the second step, we can see that the identity of the virtual machine max01 is associated with a privileged role. In this example, the privileged role associated with the identity of the max01 virtual machine is Owner of the Azure subscription!

In the third step, we will leverage the « Run Command » feature to execute a call to the metadata endpoint and retrieve the access token used by the Managed Identity feature. By default, all the commands executed with the « Run Command » feature run as root!

In the last step of this article, we will use the token retrieved during the third step and impersonate the virtual machine max01 to run a command that lists the subscriptions or the resource groups. With the Owner role assigned to the managed identity, a malicious attacker could leverage this attack to create, modify or delete any resource hosted in this Azure subscription.
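The two conditions that make the chain above work are a managed identity holding a privileged role at subscription scope and the Run Command feature being used against that VM. The following is an added example, not code from the original article or from the LAVA framework: it audits an inventory for the first condition and checks activity-log events for the second. The VMs, role assignments and events are constructed sample data shaped after the Azure objects they stand in for; the subscription id, principal ids and caller names are placeholders, and `Microsoft.Compute/virtualMachines/runCommand/action` is the Activity Log operation name for Run Command.

```python
"""Audit VM managed identities for privileged role assignments at broad
scope, then flag Run Command invocations against the VMs found.

Added example, not part of the original article or of the LAVA framework.
The VMs, role assignments and activity-log events are constructed sample
data shaped like the Azure objects they stand in for; the subscription id,
principal ids and callers are placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
RG_LAB = SUBSCRIPTION + "/resourceGroups/rg-lab"
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
RUN_COMMAND_OP = "Microsoft.Compute/virtualMachines/runCommand/action"
VM_NAME_RE = re.compile(r"/virtualMachines/([^/]+)", re.IGNORECASE)


@dataclass
class VirtualMachine:
    name: str
    resource_id: str
    identity_type: Optional[str]        # "SystemAssigned", "UserAssigned" or None
    principal_id: Optional[str] = None  # object id of the managed identity


@dataclass
class RoleAssignment:
    principal_id: str
    role: str
    scope: str


def scope_is_broad(scope: str) -> bool:
    """Subscription or management-group scope covers every resource beneath
    it, which is the situation the article describes (one VM's identity
    being Owner of the whole subscription)."""
    return scope == SUBSCRIPTION or scope.startswith("/providers/Microsoft.Management/")


def privileged_identities(vms: List[VirtualMachine],
                          assignments: List[RoleAssignment]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {vm_name: [(role, scope), ...]} for every VM whose managed
    identity holds a privileged role at broad scope."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for vm in vms:
        if not vm.identity_type or not vm.principal_id:
            continue  # no managed identity, so no token to obtain from the metadata endpoint
        hits = [(a.role, a.scope) for a in assignments
                if a.principal_id == vm.principal_id
                and a.role in PRIVILEGED_ROLES and scope_is_broad(a.scope)]
        if hits:
            findings[vm.name] = hits
    return findings


def run_command_alerts(events: List[dict], flagged_vms: Dict[str, list]) -> List[Tuple[str, str]]:
    """Return (vm_name, caller) for successful Run Command operations that
    targeted a VM with an over-privileged identity."""
    alerts = []
    for ev in events:
        if ev.get("operationName") != RUN_COMMAND_OP or ev.get("status") != "Succeeded":
            continue
        match = VM_NAME_RE.search(ev.get("resourceId", ""))
        if match and match.group(1) in flagged_vms:
            alerts.append((match.group(1), ev.get("caller", "unknown")))
    return alerts


# Constructed inventory: max01 mirrors the article's finding.
VMS = [
    VirtualMachine("max01", RG_LAB + "/providers/Microsoft.Compute/virtualMachines/max01",
                   "SystemAssigned", "11111111-1111-1111-1111-111111111111"),
    VirtualMachine("web02", RG_LAB + "/providers/Microsoft.Compute/virtualMachines/web02", None),
    VirtualMachine("db03", RG_LAB + "/providers/Microsoft.Compute/virtualMachines/db03",
                   "SystemAssigned", "22222222-2222-2222-2222-222222222222"),
]
ASSIGNMENTS = [
    RoleAssignment("11111111-1111-1111-1111-111111111111", "Owner", SUBSCRIPTION),   # the finding
    RoleAssignment("22222222-2222-2222-2222-222222222222", "Reader", SUBSCRIPTION),  # not privileged
    RoleAssignment("22222222-2222-2222-2222-222222222222", "Contributor", RG_LAB),   # narrow scope
]
EVENTS = [  # constructed, flattened activity-log records
    {"operationName": RUN_COMMAND_OP, "resourceId": VMS[0].resource_id,
     "caller": "alice@contoso.example", "status": "Succeeded"},
    {"operationName": "Microsoft.Compute/virtualMachines/start/action", "resourceId": VMS[0].resource_id,
     "caller": "bob@contoso.example", "status": "Succeeded"},
    {"operationName": RUN_COMMAND_OP, "resourceId": VMS[2].resource_id,
     "caller": "bob@contoso.example", "status": "Succeeded"},
]

if __name__ == "__main__":
    flagged = privileged_identities(VMS, ASSIGNMENTS)
    print("VMs whose managed identity is over-privileged:", flagged)
    print("Run Command invocations on those VMs:", run_command_alerts(EVENTS, flagged))
```

Only max01 is reported: db03 has a managed identity too, but Reader at subscription scope and Contributor on a single resource group do not give the whole subscription away. The Run Command on db03 is therefore ignored, while the one on max01 is worth an alert because anyone allowed to run it can act as the subscription owner.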

Maxime.

Azure | Enumerating Azure Services

Hi!

In this article, I will show you how you can leverage the MicroBurst tool to anonymously enumerate Azure services.

Please find below a list of DNS suffixes associated with the Azure Services:

DNS suffix                  Associated Azure service
file.core.windows.net       Storage Accounts – Files
blob.core.windows.net       Storage Accounts – Blobs
queue.core.windows.net      Storage Accounts – Queues
table.core.windows.net      Storage Accounts – Tables
azurewebsites.net           App Services and Function app
scm.azurewebsites.net       App Services – Management
database.windows.net        Databases – MSSQL
documents.azure.com         Databases – Cosmos DB
azurecontainer.io           Container Instances
azurecr.io                  Container Registry
redis.cache.windows.net     Redis
azureedge.net               CDN
search.windows.net          Search Appliance
azure-api.net               API Services
cloudapp.azure.com          Customer-assigned public IP DNS
vault.azure.net             Key Vault

To conduct this enumeration, we will use the MicroBurst tool.

https://github.com/NetSPI/MicroBurst/blob/master/Misc/Invoke-EnumerateAzureSubDomains.ps1
git clone https://github.com/NetSPI/MicroBurst.git
Import-Module .\MicroBurst.psm1
Invoke-EnumerateAzureSubDomains -Base yourkeyword

You can also supply a list of permutations with the parameter -Permutations ".\permutations.txt".
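The same suffix table serves a defender who wants to know which of the organization's own names are publicly discoverable before an outsider looks. The following is an added example, not code from the original article or from MicroBurst: it classifies a hostname by the longest matching suffix (so a management endpoint is not mistaken for a plain App Service), builds the candidate names for one keyword with permutations in the spirit of the -Base and -Permutations options, and reports the ones that exist. The resolver is injected so the code runs offline: RESOLVED_SAMPLE is a constructed set standing in for DNS answers, and "contoso" is a placeholder keyword.

```python
"""Classify Azure hostnames by the DNS-suffix table and build the candidate
names a public-name inventory would look up for one keyword.

Added example, not part of the original article or of MicroBurst. The
resolver is injected so that the code runs offline: RESOLVED_SAMPLE is a
constructed set standing in for DNS answers, and "contoso" is a placeholder
keyword."""
from typing import Callable, Dict, Iterable, List, Optional

# Suffix -> service, as listed in the article.
AZURE_SUFFIXES: Dict[str, str] = {
    "file.core.windows.net": "Storage Accounts - Files",
    "blob.core.windows.net": "Storage Accounts - Blobs",
    "queue.core.windows.net": "Storage Accounts - Queues",
    "table.core.windows.net": "Storage Accounts - Tables",
    "azurewebsites.net": "App Services and Function app",
    "scm.azurewebsites.net": "App Services - Management",
    "database.windows.net": "Databases - MSSQL",
    "documents.azure.com": "Databases - Cosmos DB",
    "azurecontainer.io": "Container Instances",
    "azurecr.io": "Container Registry",
    "redis.cache.windows.net": "Redis",
    "azureedge.net": "CDN",
    "search.windows.net": "Search Appliance",
    "azure-api.net": "API Services",
    "cloudapp.azure.com": "Customer-assigned public IP DNS",
    "vault.azure.net": "Key Vault",
}


def classify(fqdn: str) -> Optional[str]:
    """Longest-suffix match, so x.scm.azurewebsites.net is reported as the
    management endpoint rather than as a plain App Service."""
    host = fqdn.lower().rstrip(".")
    best_suffix, best_service = "", None
    for suffix, service in AZURE_SUFFIXES.items():
        if host.endswith("." + suffix) and len(suffix) > len(best_suffix):
            best_suffix, best_service = suffix, service
    return best_service


def candidates(base: str, permutations: Iterable[str] = ()) -> List[str]:
    """Labels tried for one keyword, in the spirit of the -Base and
    -Permutations options: base, base-perm, perm-base, baseperm, permbase."""
    base = base.lower()
    labels = {base}
    for perm in permutations:
        p = perm.lower()
        labels.update({f"{base}-{p}", f"{p}-{base}", f"{base}{p}", f"{p}{base}"})
    return sorted(f"{label}.{suffix}" for label in labels for suffix in AZURE_SUFFIXES)


def inventory(base: str, permutations: Iterable[str],
              resolves: Callable[[str], bool]) -> Dict[str, Optional[str]]:
    """{fqdn: service} for every candidate the resolver says exists."""
    return {name: classify(name) for name in candidates(base, permutations) if resolves(name)}


RESOLVED_SAMPLE = {  # constructed stand-in for DNS answers
    "contoso.blob.core.windows.net",
    "contoso-dev.scm.azurewebsites.net",
    "contoso.vault.azure.net",
}

if __name__ == "__main__":
    for name, service in inventory("contoso", ["dev"], RESOLVED_SAMPLE.__contains__).items():
        print(f"{name:40} {service}")
```

A name that resolves is reachable by anyone on the internet, whether or not the service behind it requires authentication, so each hit is a prompt to review that service's anonymous-access settings. Running the check against your own keywords on a schedule also catches the storage account or Key Vault somebody created outside the usual process.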

Maxime.

AAD | Password Spray Attack

Hi!

Previous articles:

In this article, I will show how you can run a Password Spray attack against your Azure environment.

Password spray is one of the most popular attacks, accounting for more than a third of account compromise in organizations. In these attacks, bad actors try a few common passwords against many accounts from different organizations. Instead of trying many passwords against one user, they try to defeat lockout and detection by trying many users against one password. Effective forms of this attack are « low and slow », where the bad actor uses thousands of IP addresses (such as from a botnet) to attack many tenants with a few common passwords. From any one tenant's view, there are so few login attempts with such poor consistency that the attack is undetectable. A customer might only see one or two failed logins happen from these types of attacks once a day, so the attacks get lost in the noise of normal login patterns. They also bypass traditional protection like password lockout and malicious IP blocking.

To conduct this attack, we will use the MSOLSpray tool.

Invoke-MSOLSpray -UserList .\userlist.txt -Password YourPassword

To detect this attack, I invite you to use Azure AD Premium P2 with the Azure Identity Protection feature: the password-spray detection risk alert.

Example of password spray attack

https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray

Maxime.