cloud
play

CLOUD POST EXPLOITATION Andrew Johnson @secprez | Sacha Faust - PowerPoint PPT Presentation

Feb 28, 2024 •948 likes •1.31k views

CLOUD POST EXPLOITATION Andrew Johnson @secprez | Sacha Faust @sachafaust | Cloud & Enterprise Red T eam ake Aways Azure Overview Key T Cloud Pivots Trends and Countermeasures 2 eam Red Team Success Culture Collective Growth

  1. CLOUD POST EXPLOITATION Andrew Johnson @secprez | Sacha Faust @sachafaust | Cloud & Enterprise Red T eam

  2. ake Aways Azure Overview Key T Cloud Pivots Trends and Countermeasures 2

  3. eam • Red Team Success Culture – Collective Growth Mindset • C+E Red T “Let’s make it harder!” MTTC + MTTO • Engineering Focused MTTD + MTTR • Diplomatic • Clear rules of engagement • Operate like Next Generation APT™ • P0 focus – break glass scenarios • Cloud vs Cloud • Shift from Operation to Run Adapt Adapt+ Recovery Games Walk Crawl 3

  4. Azure Crash Course

  5. Production Domain Internet SQL Azure Azure VM Azure Network ACL, (IAAS) PAAS Ingress & Egress Azure Storage Service Monitoring Private Network Azure Analytics Azure VNET (Logging) VM VM Azure Redis Cache Application SQL Server Domain Controller Azure Azure File Server Server Key Vault Document DB 5

  6. Cloud Mindset Server Services Domain Subscription Domain Admin Subscription Admin Pass the Hash Credential Pivot Private IPs Public IPs RDP / SSH Management APIs 6

  7. Pivoting

  8. Option 1 – Exfil running VM Basic - Storage to VM Shadow copy VM Start-AzureStorageBlobCopy Option 2 – override VM when turned off Research Area – Tamper running VM 8

  9. PAAS 101 Attacking Hosted Services - PAAS • Hosted Services are created from three elements: Certificates • Certificates hosting in the cloud service • A configuration file containing secrets and other service metadata • A package containing the code and resources Hosted Service Package Configuration (cspkg) (cscfg) 9

  10. RDP Extension Step 1 – Get role configuration Get-AzureDeployment Step 2 – Create Extension New- Remote Desktop AzureServiceRemoteDesktopExtensi onConfig Step 3 – Push tampered package Set-AzureDeployment Step 4 – Remove when done Remove- PAASRemoteAccessExtension 10

  11. Platform As a Service (PAAS) 11

  12. PAAS Certificates Step 1 – Query management API to get Certificates available Get-AzureDeployment Step 2 – Create custom service package • Add target certificate thumbprint • Make service dump certs from OS and exfil Step 3 – Initiate deployment Set-AzureDeployment with Use upgrade flag to staging slot Step 4 – Wait for cert and pivot 12

  13. PAAS Upgrade Step 1 - Exfiltrate cspkg file Get Package Get-AzureBlobContent Step 2 – Find/Create elevated task and bootstrap malware Step 3 – Update file hash Step 4 – Push tampered package Set-AzureBlobContent Step 5 – Initiate deployment Set-AzureDeployment with Use upgrade flag 13

  14. Hybrid Pivot On Premise to Cloud Pivot! 14

  15. Persistence

  16. Persistence - Pyramid • Service Principals support multiple passwords Identity • App provides rich landscape • Subscription administrators Subscription • Management Certificates • Storage Account Key Storage Account • Secure Access Url (SAS) key (offline minting) • Tamper Deployment Cloud Service • OS persistence Virtual • Override Machine • Shadow copy • Add resource to resource group (VM) Network • Modify Network Security Group 17

  18. As an operator/attacker, do you have enough visibility in the risks you are accepting? Indicators of Monitoring (IOM) • Detection (IOD) • Recovery (IOR) •

  19. Rise of Anomaly Detection IOM/D Trends Azure Security Center Anomaly Detection API – Cortana Intelligence Gallery Azure Security Center https://aka.ms/infiltrate2017-anomalyapi “Anomaly Detection is an API built with Azure Machine Learning that is useful for detecting different types of anomalous patterns in your time series data” 20

  20. Purple Teaming – https://aka.ms/scalingredteam IOM/D Trends 21

  21. The commoditization of Threat Intel IOM/D Trends Azure Security Center 22

  22. “Stealth” features in Defense IOM/D Trends DATA PLANE CONTROL PLANE Forensic @Scale Off-Node Analysis VM VHD VHD VHD VHD VHD VHD VHD Azure Storage 23

  23. Trends – Engineering • Monoculture • Shift from cost center to profit • Used to scale - system engineering and data scientist • Used to very high expectation – Azure 99.9% https://www.youtube.com/watch?v=R31Ez1XJEeI

  24. Trends – Engineering Assume Breach mindset

  25. Specific/sequential targeting Sophisticated planning Counter Measures … Effective reconnaissance Social engineering Practiced tool usage Advanced & persistent Varied Persistence Intelligence Driven Diversionary T actics Machine Learning Multi-FrontAssaults Infiltrate 2015 - Data Driven Offence https://vimeo.com/133292422 26

  26. Counter Measures … 27

  27. Thank you Sacha cha Faust ust Andr drew ew Joh ohnson son @sachafaust achafaust @secpr ecprez ez https://aka.ms/cesecurityjobsse

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come

Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come

Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come from? Why Cloud? Cloud for small, medium, enterprise, and government Barriers to adoption Embracing Cloud Social Mobile Cloud

972 views • 45 slides
SAS and (the) Cloud Dave Annis SAS Solutions onDemand SAS and (the) Cloud Everyones Cloud

SAS and (the) Cloud Dave Annis SAS Solutions onDemand SAS and (the) Cloud Everyones Cloud

SAS and (the) Cloud Dave Annis SAS Solutions onDemand SAS and (the) Cloud Everyones Cloud Tour of the buzzwords, myths and realities Whats in store for me, the boss, the company, the industry? Your cloud, our cloud their

224 views • 19 slides
CS5412: THE CLOUD VALUE PROPOSITION Lecture XXII Ken Birman Cloud Hype 2 The cloud is

CS5412: THE CLOUD VALUE PROPOSITION Lecture XXII Ken Birman Cloud Hype 2 The cloud is

Cornell CS5412 Cloud Computing (Spring 2015) 1 CS5412: THE CLOUD VALUE PROPOSITION Lecture XXII Ken Birman Cloud Hype 2 The cloud is cheaper! The cloud business model is growing at an unparalleled pace without any limit in sight

632 views • 45 slides
CS5412: THE CLOUD VALUE PROPOSITION Lecture XXII Ken Birman Cloud Hype 2 The cloud is

CS5412: THE CLOUD VALUE PROPOSITION Lecture XXII Ken Birman Cloud Hype 2 The cloud is

1 CS5412: THE CLOUD VALUE PROPOSITION Lecture XXII Ken Birman Cloud Hype 2 The cloud is cheaper The cloud business model is growing at an unparalleled pace without any limit in sight In the future everything will be on the cloud

945 views • 65 slides
The Cloud Is Big! The Cloud Is Hot! IT industry Constitutes about 2% of total US energy

The Cloud Is Big! The Cloud Is Hot! IT industry Constitutes about 2% of total US energy

The Data Furnace: Heating Up with Cloud Computing Jie Liu , Michel Goraczko, Jiakang Lu Sean James, Christian Belady Kamin Whitehouse Microsoft University of Virginia The Cloud Is Big! The Cloud Is Hot! IT industry Constitutes about 2%

551 views • 16 slides
Cloud Computing & Cloud Models Cloud Models Topics Defining cloud computing

Cloud Computing & Cloud Models Cloud Models Topics Defining cloud computing

Cloud Computing & Cloud Models Cloud Models Topics Defining cloud computing Understanding: Distributed Application Design Resource Management Automation Virtualized Computing Environments High-performance Computing

1.02k views • 49 slides
NVIDIA GPUs in the Cloud 4 EVOLVING CLOUD REQUIREMENTS On Off Hybrid Cloud premises premises

NVIDIA GPUs in the Cloud 4 EVOLVING CLOUD REQUIREMENTS On Off Hybrid Cloud premises premises

NVIDIA GPUs in the Cloud 4 EVOLVING CLOUD REQUIREMENTS On Off Hybrid Cloud premises premises Connecting clouds New workloads Components to disrupt SOFTLAYER CAPABILITIES OVERVIEW 5 GLOBAL CLOUD PLATFORM Unified architecture enabled by

390 views • 17 slides
github.com/18F/cg-workshop I Want You to use cloud.gov : Focus on mission " :

github.com/18F/cg-workshop I Want You to use cloud.gov : Focus on mission " :

09:00 Welcome Shashank Khandelwal 09:10 cloud.gov Overview 09:40 cloud.gov Hands-on I 10:20 Break 10:30 Federalist Will Slack 10:40 cloud.gov Hands-on II 11:30 Q & A github.com/18F/cg-workshop I Want You to use cloud.gov

461 views • 34 slides
Cloud Ross Mallace Commercial Director Cloud/SaaS Cloud is here. ALL By 2020 most core

Cloud Ross Mallace Commercial Director Cloud/SaaS Cloud is here. ALL By 2020 most core

Banking in the Cloud Ross Mallace Commercial Director Cloud/SaaS Cloud is here. ALL By 2020 most core most banking initiatives will be in the cloud John Schlesinger Changing Cloud Adoption in Financial Services Over 100

561 views • 20 slides
A vision for Carrier Cloud Networking... Itzik Weinstein, CEO 1 Cloud Services The Cloud is

A vision for Carrier Cloud Networking... Itzik Weinstein, CEO 1 Cloud Services The Cloud is

A vision for Carrier Cloud Networking... Itzik Weinstein, CEO 1 Cloud Services The Cloud is highly scalable, and managed infrastructure capable of hosting end- customer applications and billed by consumption. - Forrester Virtual

399 views • 6 slides
Cloud-iQ New features including xSP reporting Crayon Channel Team Cloud-iQ updates The Cloud-iQ

Cloud-iQ New features including xSP reporting Crayon Channel Team Cloud-iQ updates The Cloud-iQ

Cloud-iQ New features including xSP reporting Crayon Channel Team Cloud-iQ updates The Cloud-iQ Platform is Crayons Cloud Service Scaling Engine. Offering best in class self- provisioning, billing and reporting capabilities to

346 views • 12 slides
Cloud-Integrated IP Design: Bursting EDA Workflows to the Public Cloud Jerome McFarland,

Cloud-Integrated IP Design: Bursting EDA Workflows to the Public Cloud Jerome McFarland,

Cloud-Integrated IP Design: Bursting EDA Workflows to the Public Cloud Jerome McFarland, Marketing Director, Elastifile Agenda Why Cloud? How Cloud? Real-World Example Why Cloud? IC Design Complexity is Steadily Increasing Process

604 views • 31 slides
Building a Private Cloud Cloud Infrastructure Using Opensource Building a Private Cloud OSCON

Building a Private Cloud Cloud Infrastructure Using Opensource Building a Private Cloud OSCON

Building a Private Cloud Cloud Infrastructure Using Opensource Building a Private Cloud OSCON 2010 Building a Private Cloud with Ubuntu Server 10.04 Enterprise Cloud (Eucalyptus) OSCON 2010 (Note: Special thanks to Jim Beasley, my lead Cloud

604 views • 37 slides
SUSE OpenStack Cloud 126 126 What is SUSE OpenStack Cloud You know of Cloud Compute right?

SUSE OpenStack Cloud 126 126 What is SUSE OpenStack Cloud You know of Cloud Compute right?

SUSE OpenStack Cloud 126 126 What is SUSE OpenStack Cloud You know of Cloud Compute right? Maybe you use AWS or Azure? Allowing pay-as-you-go model for IT infrastructure and toward dynamic software-defined service delivery.

168 views • 16 slides
Towards ds a self elf auto tomated CE CERN Clo Cloud Jos Castro Len CERN Cloud

Towards ds a self elf auto tomated CE CERN Clo Cloud Jos Castro Len CERN Cloud

Towards ds a self elf auto tomated CE CERN Clo Cloud Jos Castro Len CERN Cloud Infrastructure CERN Cloud Team Who am I? Outlines Introduction CERN Cloud service Automation status Upcoming challenges Improvement

799 views • 34 slides
Going Cloud Native with Cloud Foundry @chipchilders Chip Childers, VP Technology Cloud Foundry

Going Cloud Native with Cloud Foundry @chipchilders Chip Childers, VP Technology Cloud Foundry

Going Cloud Native with Cloud Foundry @chipchilders Chip Childers, VP Technology Cloud Foundry Foundation Why does Cloud Native matter? Since 2000, 52% of the Fortune 500 are no longer on the list Continuous Innovation There is a rough

794 views • 50 slides
in Countries Experiencing Conflict or Natural Disaster http://micicinitiative.iom.int/ 2011 Libya

in Countries Experiencing Conflict or Natural Disaster http://micicinitiative.iom.int/ 2011 Libya

Guidelines to Protect Migrants in Countries Experiencing Conflict or Natural Disaster http://micicinitiative.iom.int/ 2011 Libya Crisis February-June 2011civil strife Nearly 800,000 migrants fled Libya Most from neighboring countries

524 views • 14 slides
rebecca@glennshepard.com Searches for Chamber of Commerce The Power of Direct Marketing Example

rebecca@glennshepard.com Searches for Chamber of Commerce The Power of Direct Marketing Example

www.ChamberUniversityOnline.com (615) 353-7125 rebecca@glennshepard.com Searches for Chamber of Commerce The Power of Direct Marketing Example #1: Small Business I spent $2,066 on six mailings and brought in $32,295 in new revenue. Brett

723 views • 56 slides
Visual Object Tracking Jianan Wu Megvii (Face++) Researcher wjn@megvii.com Dec 2017

Visual Object Tracking Jianan Wu Megvii (Face++) Researcher wjn@megvii.com Dec 2017

Visual Object Tracking Jianan Wu Megvii (Face++) Researcher wjn@megvii.com Dec 2017 Applications From image to video: Augmented Reality Motion Capture Surveillance Sports Analysis Wait. What is visual

916 views • 64 slides
Mary Dickow, MPA Statewide Director California Action Coalition High-quality, patient- centered

Mary Dickow, MPA Statewide Director California Action Coalition High-quality, patient- centered

Mary Dickow, MPA Statewide Director California Action Coalition High-quality, patient- centered health care for all will require a transformation of the health care delivery system One of the most-viewed online reports in IOM history

672 views • 23 slides
THE OFFICE OF THE NATIONAL COORDINATORS ROAD MAP TO INTEROPERABILITY AND THE LEARNING HEALTH

THE OFFICE OF THE NATIONAL COORDINATORS ROAD MAP TO INTEROPERABILITY AND THE LEARNING HEALTH

THE OFFICE OF THE NATIONAL COORDINATORS ROAD MAP TO INTEROPERABILITY AND THE LEARNING HEALTH SYSTEM ONC WEBSITE CONSUMER KNOWLEDGE INTEROPERABLITY ABILITY TO SHARE HEALTH INFORMATION AMONG DIFFERENT COMPUTER SYSTEMS LONGITUDINAL ABILITY

367 views • 36 slides
ICTP/Psi-k/CECAM School on Electron-Phonon Physics from First Principles Trieste, 19-23 March

ICTP/Psi-k/CECAM School on Electron-Phonon Physics from First Principles Trieste, 19-23 March

ICTP/Psi-k/CECAM School on Electron-Phonon Physics from First Principles Trieste, 19-23 March 2018 Lecture Monday 19 Introduction to Quantum ESPRESSO Paolo Giannozzi Dip. Matematica Informatica e Fisica, Universit` a di Udine CNR-IOM

475 views • 20 slides
SURFACE PHYSICS SURFACE PHYSICS OF OF TOPOLOGICAL INSULATORS TOPOLOGICAL INSULATORS MASSLESS

SURFACE PHYSICS SURFACE PHYSICS OF OF TOPOLOGICAL INSULATORS TOPOLOGICAL INSULATORS MASSLESS

SURFACE PHYSICS SURFACE PHYSICS OF OF TOPOLOGICAL INSULATORS TOPOLOGICAL INSULATORS MASSLESS ELECTRONS, MASSIVE IONS MASSLESS ELECTRONS, MASSIVE IONS MICHAEL EL-BATANOUNY MASSLESS MASSLESS versus MASSIVE MASSIVE Newtons second law F

613 views • 32 slides
(ESA PROJECT A06041) Ions flux on the Earth orbit Proton component of Cosmic Rays dominates

(ESA PROJECT A06041) Ions flux on the Earth orbit Proton component of Cosmic Rays dominates

G EANT 4 MODELS FOR I ON /I ON INTERACTIONS A.Ivantchenko, V.Ivantchenko (under the ESA Technology Research Program) S PACE APPLICATIONS OF G EANT 4 I ON /I ON MODELS (ESA PROJECT A06041) Ions flux on the Earth orbit Proton component of

361 views • 12 slides

More recommend