CLOUD POST EXPLOITATION Andrew Johnson @secprez | Sacha Faust - - PowerPoint PPT Presentation





SLIDE 1

Andrew Johnson @secprez | Sacha Faust @sachafaust | Cloud & Enterprise Red Team

CLOUD POST EXPLOITATION

SLIDE 2

Key Takeaways

  • Azure Overview
  • Cloud Pivots
  • Trends and Countermeasures

SLIDE 3

C+E Red Team

  • Red Team Success: MTTC + MTTO vs MTTD + MTTR
  • Clear rules of engagement
  • P0 focus – break glass scenarios
  • Cloud vs Cloud
  • Shift from Operation to Recovery Games

Culture – Collective Growth Mindset

  • “Let’s make it harder!”
  • Engineering Focused
  • Diplomatic
  • Operate like Next Generation APT™

Crawl → Walk → Run → Adapt → Adapt+

SLIDE 4

Azure Crash Course

SLIDE 5

Diagram – Production Domain (on premises): Domain Controller, SQL Server, File Server, Application Server, Internet, Network ACL, Ingress & Egress Monitoring, Private Network

Diagram – Azure: Azure VM (IAAS), Azure Storage, SQL Azure, Azure Analytics (Logging), Azure VNET with VMs, Azure Redis Cache, Azure PAAS Service, Azure Document DB, Azure Key Vault

SLIDE 6

Cloud Mindset (on-premises concept → cloud equivalent)

  • Server → Services
  • Domain → Subscription
  • Domain Admin → Subscription Admin
  • Pass the Hash → Credential Pivot
  • Private IPs → Public IPs
  • RDP / SSH → Management APIs

SLIDE 7

Pivoting

SLIDE 8

Basic - Storage to VM

  • Option 1 – Exfil running VM: shadow copy the VM (Start-AzureStorageBlobCopy)
  • Option 2 – Override VM when turned off
  • Research Area – Tamper running VM

SLIDE 9

Attacking Hosted Services - PAAS

PAAS 101

  • Hosted Services are created from three elements:
  • Certificates hosted in the cloud service
  • A configuration file containing secrets and other service metadata
  • A package containing the code and resources

Hosted Service = Certificates + Configuration (cscfg) + Package (cspkg)

SLIDE 10

RDP Extension

Remote Desktop

  • Step 1 – Get role configuration: Get-AzureDeployment
  • Step 2 – Create Extension: New-AzureServiceRemoteDesktopExtensionConfig
  • Step 3 – Push tampered package: Set-AzureDeployment
  • Step 4 – Remove when done: Remove-PAASRemoteAccessExtension

SLIDE 11

Platform As a Service (PAAS)


SLIDE 12

PAAS Certificates

  • Step 1 – Query management API to get Certificates available: Get-AzureDeployment
  • Step 2 – Create custom service package: add target certificate thumbprint; make service dump certs from OS and exfil
  • Step 3 – Initiate deployment: Set-AzureDeployment with Use upgrade flag to staging slot
  • Step 4 – Wait for cert and pivot

SLIDE 13

PAAS Upgrade

  • Step 1 - Exfiltrate cspkg file (Get Package): Get-AzureBlobContent
  • Step 2 – Find/Create elevated task and bootstrap malware
  • Step 3 – Update file hash
  • Step 4 – Push tampered package: Set-AzureBlobContent
  • Step 5 – Initiate deployment: Set-AzureDeployment with Use upgrade flag

SLIDE 14

Hybrid Pivot

On-Premises to Cloud Pivot!

SLIDE 15

Persistence

SLIDE 16

Persistence - Pyramid

Identity
  • Service Principals support multiple passwords
  • App provides rich landscape

Subscription
  • Subscription administrators
  • Management Certificates

Storage Account
  • Storage Account Key
  • Secure Access Url (SAS) key (offline minting)

Cloud Service
  • Tamper Deployment

Virtual Machine
  • OS persistence
  • Override
  • Shadow copy

Network
  • Add resource to resource group (VM)
  • Modify Network Security Group

SLIDE 17
SLIDE 18

As an operator/attacker, do you have enough visibility into the risks you are accepting?

Indicators of:
  • Monitoring (IOM)
  • Detection (IOD)
  • Recovery (IOR)
SLIDE 19

IOM/D Trends

Rise of Anomaly Detection

  • Azure Security Center
  • Anomaly Detection API – Cortana Intelligence Gallery: https://aka.ms/infiltrate2017-anomalyapi

“Anomaly Detection is an API built with Azure Machine Learning that is useful for detecting different types of anomalous patterns in your time series data”

SLIDE 20

IOM/D Trends

Purple Teaming – https://aka.ms/scalingredteam


SLIDE 21

IOM/D Trends

The commoditization of Threat Intel

Azure Security Center


SLIDE 22

IOM/D Trends

“Stealth” features in Defense

Diagram – Forensic @Scale, Off-Node Analysis: data plane (VM → VHD → Azure Storage) and control plane (multiple VHDs)

SLIDE 23

Trends – Engineering

  • Monoculture
  • Shift from cost center to profit
  • Used to scale – systems engineering and data scientists
  • Used to very high expectations – Azure 99.9%

https://www.youtube.com/watch?v=R31Ez1XJEeI

SLIDE 24

Trends – Engineering

Assume Breach mindset

SLIDE 25

Counter Measures …

  • Specific/sequential targeting
  • Effective reconnaissance
  • Practiced tool usage
  • Sophisticated planning
  • Social engineering
  • Advanced & persistent

  • Diversionary Tactics
  • Machine Learning
  • Varied Persistence
  • Intelligence Driven
  • Multi-Front Assaults

Infiltrate 2015 - Data Driven Offence https://vimeo.com/133292422

SLIDE 26

Counter Measures …


SLIDE 27

Thank you

Sacha Faust @sachafaust | Andrew Johnson @secprez

https://aka.ms/cesecurityjobsse