Presentation Material
Abstract
This talk focuses on offensive strategies, specifically on gaining initial access through the abuse of Azure services, OSINT, and web applications. It explores misconfigurations in Azure Conditional Access Policies that can lead to Multi-Factor Authentication (MFA) bypass, such as improper cloud app scoping, and manipulation of the User-Agent or the authentication location. The talk also highlights how a Man-in-the-Middle (MITM) attack can yield clear-text credentials and session cookies by exploiting invitation links, increasing the risk of phishing and removing the need to defeat MFA.
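A defender-side check for the Conditional Access gaps described above, written as an added example (not material from the talk): it scans an exported policy list and flags MFA policies that are scoped to specific cloud apps, depend on a device-platform condition (which is derived from the client-reported User-Agent), or exclude a location. The policy shape is an assumption modelled on the Microsoft Graph conditionalAccessPolicy resource, and the sample policies and ids are constructed for illustration.

```python
import json

# Constructed sample export (placeholder ids, not real tenant data): one policy
# scoped to a single cloud app and the Windows platform, one with a location
# exclusion, and one broad policy for comparison.
SAMPLE_POLICIES_JSON = json.dumps([
    {"displayName": "MFA for one app on Windows", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["app-id-placeholder-1"],
                                     "excludeApplications": []},
                    "platforms": {"includePlatforms": ["windows"], "excludePlatforms": []},
                    "locations": None},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA except trusted location", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []},
                    "platforms": None,
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["location-id-placeholder"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA everywhere", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []},
                    "platforms": None, "locations": None},
     "grantControls": {"builtInControls": ["mfa"]}},
])


def audit_policy(policy):
    """Return finding strings for one policy; only MFA-granting policies are checked."""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "mfa" not in controls:
        return []
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state != enabled)")
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    if apps.get("includeApplications") != ["All"] or apps.get("excludeApplications"):
        findings.append("cloud-app scoping: apps outside the list get no MFA")
    plat = cond.get("platforms")
    if plat and (plat.get("includePlatforms") != ["All"] or plat.get("excludePlatforms")):
        findings.append("platform condition relies on the client-reported User-Agent")
    loc = cond.get("locations")
    if loc and loc.get("excludeLocations"):
        findings.append("location exclusion: sign-ins from the excluded location skip MFA")
    return findings


def audit_policies_json(text):
    """Parse an exported policy list; map displayName -> findings (empty means clean)."""
    return {p["displayName"]: audit_policy(p) for p in json.loads(text)}
```

Each non-empty finding list is a policy worth reviewing against the tenant's full policy set, since another policy may close the gap.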
The presentation covers various misconfigurations in Azure AD and Azure RM services, including function apps, Logic Apps, Storage Accounts, CI/CD pipelines, and Membership Rules. For instance, the use of a common storage account by multiple function apps can facilitate access to other function app files by leveraging the connection string stored as an environment variable with read/write permission.
Azure services that enable connections to on-prem servers or employee devices are discussed as potential attack vectors. Examples include abusing the Automation Account for gaining a reverse shell and exploiting Intune services to run scripts on users’ devices, such as Windows, Android, macOS, and iOS, in order to extract Azure tokens or other data from the Azure profile folder.
Even a simple role like Reader can be valuable, as it provides users with access to source code that may contain hardcoded credentials like connection strings or service principal client IDs/secrets.
The talk concludes with several attack scenarios for lateral movement and privilege escalation. These scenarios involve exploiting vulnerable function apps to access different services, using DevOps agents to access on-prem machines, leveraging Dynamic group membership to impersonate a user, and obtaining access tokens for multiple users by abusing read/write permissions on a Storage Account.
This talk is cool because it dives into the offensive side of cybersecurity, exploring various techniques and strategies to gain initial access and escalate privileges within Azure environments. It covers practical examples of misconfigurations in Azure services and demonstrates how attackers can exploit them to bypass MFA, access sensitive data, and perform lateral movement. The talk also highlights the risks of abusing Azure services, such as Automation Accounts and Intune, to gain control over on-prem servers and employee devices. By showcasing real-world attack scenarios and sharing insights into the mindset of hackers, this talk offers a unique and engaging perspective on Azure security.