Presentation Material
Abstract
This talk focuses on offensive strategies, specifically on gaining initial access through the abuse of Azure services, OSINT, and web applications. It explores the potential misconfigurations in Azure Conditional Access Policies that can lead to Multi-Factor Authentication (MFA) bypass, such as improper Cloud app settings, and manipulation of User-Agent or authentication location. The talk also highlights how performing a Man-in-the-Middle (MITM) attack can grant clear text credentials and session cookies by exploiting invitation links, increasing the risk of phishing and bypassing the need for MFA.
The presentation covers various misconfigurations in Azure AD and Azure RM services, including function apps, Logic Apps, Storage Accounts, CI/CD pipelines, and Membership Rules. For instance, the use of a common storage account by multiple function apps can facilitate access to other function app files by leveraging the connection string stored as an environment variable with read/write permission.
Azure services that enable connections to on-prem servers or employee devices are discussed as potential attack vectors. Examples include abusing the Automation Account for gaining a reverse shell and exploiting Intune services to run scripts on users’ devices, such as Windows, Android, macOS, and iOS, in order to extract Azure tokens or other data from the Azure profile folder.
Even a simple role like Reader can be valuable, as it provides users with access to source code that may contain hardcoded credentials like connection strings or service principal client IDs/secrets.
The talk concludes with several attack scenarios for lateral movement and privilege escalation. These scenarios involve exploiting vulnerable function apps to access different services, using DevOps agents to access on-prem machines, leveraging Dynamic group membership to impersonate a user, and obtaining access tokens for multiple users by abusing read/write permissions on a Storage Account.
This talk is cool because it dives into the offensive side of cybersecurity, exploring various techniques and strategies to gain initial access and escalate privileges within Azure environments. It covers practical examples of misconfigurations in Azure services and demonstrates how attackers can exploit these vulnerabilities to bypass MFA, access sensitive data, and perform lateral movement. The talk also highlights the potential risks associated with abusing Azure services, such as Automation Accounts and Intune, to gain control over on-prem servers and employee devices. By showcasing real-world attack scenarios and sharing insights into the mindset of hackers, this talk offers a unique and engaging perspective on Azure security.
AI Generated Summary
The talk focused on attack vectors and lateral movement techniques within Microsoft Azure environments, detailing methods for initial compromise and post-exploitation escalation. Key initial access techniques included phishing via malicious OAuth application consent grants, where attackers register applications with excessive permissions (e.g., accessing mail, OneDrive) and trick users into granting access. A tool named V was presented to automate this. Man-in-the-middle attacks using Evilginx were described to harvest credentials and session cookies, bypassing MFA. MFA bypass was also explored through conditional access policy misconfigurations, tested with a tool called MFASweep that probes different login portals and user agents.
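The conditional access gaps described above (excluded cloud apps, policies limited to certain client app types so that a different user agent is not challenged, trusted-location exclusions, report-only state) can be checked from the defender's side before a tool like MFASweep finds them. The following is an added example, not code from the talk or from MFASweep: it inspects policy objects shaped like the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions, grantControls) and lists the ways each MFA policy can be sidestepped. The sample policies, including the placeholder app id and location names, are constructed for this example.

```python
"""Check Azure AD Conditional Access policies for gaps that let a sign-in skip MFA.

Added example, not code from the talk. Policies are assumed to be dictionaries in the
shape of the Microsoft Graph conditionalAccessPolicy resource; the SAMPLE_POLICIES
below are constructed for this example.
"""
from typing import Dict, List


def mfa_gaps(policy: dict) -> List[str]:
    """Return human-readable gaps for one policy whose grant control is MFA."""
    findings: List[str] = []
    cond = policy.get("conditions") or {}

    # A policy in report-only or disabled state enforces nothing.
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, so the MFA requirement is not enforced")

    # Cloud app scoping: anything not included, or explicitly excluded, signs in without MFA.
    apps = cond.get("applications") or {}
    if apps.get("includeApplications") != ["All"]:
        findings.append("includeApplications is not ['All']: cloud apps outside the list are reachable without MFA")
    excluded = apps.get("excludeApplications") or []
    if excluded:
        findings.append(f"excludeApplications lists {len(excluded)} app(s) that bypass the policy")

    # Client app types: restricting to e.g. 'browser' leaves other client types, and
    # sign-ins whose user agent maps to them, without an MFA challenge.
    client_types = cond.get("clientAppTypes") or []
    if client_types != ["all"]:
        findings.append(f"clientAppTypes {client_types} does not cover all client types")

    # Named-location exclusions: a sign-in that appears to come from an excluded
    # location is not challenged, so those locations must be genuinely trusted.
    loc_excl = (cond.get("locations") or {}).get("excludeLocations") or []
    if loc_excl:
        findings.append(f"excludeLocations {loc_excl}: sign-ins from these locations skip MFA")

    # User scoping: a policy targeting a subset of users leaves everyone else uncovered.
    users = cond.get("users") or {}
    if users.get("includeUsers") != ["All"]:
        findings.append("includeUsers is not ['All']: users outside the policy scope never get an MFA prompt")
    return findings


def audit(policies: List[dict]) -> Dict[str, List[str]]:
    """Map each MFA policy's displayName to its gaps; policies without an MFA control are skipped."""
    report: Dict[str, List[str]] = {}
    for policy in policies:
        controls = (policy.get("grantControls") or {}).get("builtInControls") or []
        if "mfa" in controls:
            report[policy["displayName"]] = mfa_gaps(policy)
    return report


# Constructed sample policies (ids and location names are placeholders, not real values).
SAMPLE_POLICIES = [
    {
        "displayName": "Weak: MFA for browser sign-ins to Office 365",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["Office365"],
                             "excludeApplications": ["<excluded-app-id-placeholder>"]},
            "clientAppTypes": ["browser"],
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            "users": {"includeUsers": ["All"], "excludeUsers": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Strong: MFA for all users and apps",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "clientAppTypes": ["all"],
            "users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-account-placeholder>"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Report-only: MFA for all users and apps",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "clientAppTypes": ["all"],
            "users": {"includeUsers": ["All"], "excludeUsers": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["exchangeActiveSync", "other"],
                       "users": {"includeUsers": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_POLICIES).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```

In a real tenant the policy list would come from the Graph endpoint the conditionalAccessPolicy resource is served from; the checks above are deliberately strict (a break-glass user exclusion is not flagged, but any app, client type or location exclusion is), so each finding is a prompt to confirm the exclusion is intended rather than an automatic verdict.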
Post-exploitation lateral movement centered on abusing default configurations and service integrations. Critical findings involved exploiting managed identities attached to compromised services like App Service, Function Apps, and Logic Apps. If a service with a managed identity is compromised via RCE or SSRF, an attacker can request tokens for other Azure resources (e.g., Graph API, Key Vault) using the internal metadata endpoint. Specific abuse scenarios included: modifying CI/CD pipelines (e.g., Azure DevOps) to inject malicious code into self-hosted agents, leading to code execution on on-premises systems; tampering with Function App code via compromised linked storage accounts; and manipulating Logic Apps to exfiltrate managed identity tokens.
Cloud-to-on-premises jumps were demonstrated via Azure Automation Accounts (executing runbooks on hybrid machines), Intune (pushing scripts to enrolled devices), and Application Proxy (exposing vulnerable internal apps). Even low-privilege “Reader” roles were shown to expose sensitive data, such as hardcoded credentials in ARM templates, Function App source code, and Automation Account runbooks.
Practical implications emphasize the need to rigorously audit OAuth app consent grants, review conditional access policies for gaps, restrict managed identity permissions, monitor CI/CD pipeline integrity, and treat contributor roles on services like storage accounts and automation as high-risk. The talk concluded that Azure’s interconnected services create a broad attack surface where a single misconfiguration can enable significant lateral movement.