My key takeaways
- Hybrid environments make cloud to on-prem pivoting possible
- 3 attack surfaces
  - external: public buckets
  - internal resource access: internal to cloud
  - internal API access: identify vulns via API calls & configuration analysis
- Azure and O365 are not the same
  - Azure Resource Manager: subscriptions and resources
  - Microsoft Office 365: productivity
  - O365 accounts get Azure AD accounts automatically
- Do cloud asset discovery for recon
- Enum users through the OAuth endpoint, but it is loud
- Azure blobs and Amazon S3 buckets are sometimes exposed
  - some URLs are pretty predictable
- Azure has password protection (aka blacklist) and smart lockout
- finding auth points is key
- Conditional access policies require disabling security defaults
  - security defaults are pretty good and enabled in any brand new Azure or M365 account
  - MFA is enabled in security defaults
- MFA might be circumvented by changing the user agent to a mobile client, as some organizations configure conditional access policies to disable MFA on mobile
  - use MFASweep to try to get over MFA
- Go-to actions post compromise
  - try to get to the Azure Portal directly
- There are over 200 default service principals in an O365 tenant: a lot of surface
- You need permission from the customer to test their Azure cloud, not from M$
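The mobile user-agent point above is, from the defender's side, a conditional access configuration gap: an MFA policy that carves mobile platforms out, or one that only ever covered desktop platforms. As an added example that is not part of these notes or of any BHIS tooling, the Python below audits policies in the Microsoft Graph conditionalAccessPolicy JSON shape (state, conditions.platforms, grantControls.builtInControls) for that gap. It runs over constructed sample policies embedded in the script rather than a live tenant, and the function names are my own.

```python
"""Audit Conditional Access policies for the mobile-platform MFA gap.

Added example, not part of the original notes or of any BHIS tooling. It
follows the Microsoft Graph conditionalAccessPolicy JSON shape (state,
conditions.platforms.includePlatforms / excludePlatforms,
grantControls.builtInControls) and runs over constructed sample policies
embedded below, so it needs no tenant access. Function names are my own.
"""
from __future__ import annotations

# Device platform values from the Graph conditionalAccessDevicePlatform enum
# that a client presenting a mobile user agent would be evaluated as.
MOBILE_PLATFORMS = {"android", "iOS", "windowsPhone"}


def policy_requires_mfa(policy: dict) -> bool:
    """True if the policy's grant controls include the built-in MFA control."""
    grant = policy.get("grantControls") or {}
    controls = {c.lower() for c in grant.get("builtInControls") or []}
    return "mfa" in controls


def mobile_gap(policy: dict) -> list[str]:
    """Reasons an MFA policy would not apply to a client presenting as mobile.

    Returns an empty list for policies that are not enforced (disabled or
    report-only) or that do not require MFA, since they create no expectation
    of MFA coverage in the first place.
    """
    if policy.get("state") != "enabled" or not policy_requires_mfa(policy):
        return []
    platforms = (policy.get("conditions") or {}).get("platforms") or {}
    include = set(platforms.get("includePlatforms") or [])
    exclude = set(platforms.get("excludePlatforms") or [])
    reasons = []
    # Gap 1: mobile platforms explicitly carved out of the MFA requirement.
    excluded_mobile = exclude & MOBILE_PLATFORMS
    if excluded_mobile:
        reasons.append(f"excludes mobile platforms: {sorted(excluded_mobile)}")
    # Gap 2: policy scoped to a platform list that never included mobile.
    # No platform condition at all, or include == {"all"}, means every platform.
    if include and "all" not in include:
        missing = MOBILE_PLATFORMS - include
        if missing:
            reasons.append(f"does not cover mobile platforms: {sorted(missing)}")
    return reasons


def audit_policies(policies: list[dict]) -> dict[str, list[str]]:
    """Map each enforced MFA policy with a mobile gap to its list of reasons."""
    findings = {}
    for policy in policies:
        reasons = mobile_gap(policy)
        if reasons:
            findings[policy["displayName"]] = reasons
    return findings


def tenant_has_mobile_covering_mfa(policies: list[dict]) -> bool:
    """True if at least one enforced MFA policy also applies to mobile platforms."""
    return any(
        p.get("state") == "enabled" and policy_requires_mfa(p) and not mobile_gap(p)
        for p in policies
    )


# Constructed sample policies, mirroring what GET /identity/conditionalAccess/policies
# returns, trimmed to the fields used here. Not taken from any real tenant.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"platforms": {"includePlatforms": ["all"],
                                     "excludePlatforms": ["android", "iOS"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA on corporate desktops",
        "state": "enabled",
        "conditions": {"platforms": {"includePlatforms": ["windows", "macOS"],
                                     "excludePlatforms": []}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {"platforms": None},
        "grantControls": {"builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA everywhere (pilot)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"platforms": None},
        "grantControls": {"builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    for name, reasons in audit_policies(SAMPLE_POLICIES).items():
        print(f"[gap] {name}: {'; '.join(reasons)}")
    print("mobile-covering MFA policy present:",
          tenant_has_mobile_covering_mfa(SAMPLE_POLICIES))
```

On the sample set the two enforced MFA policies both leave mobile uncovered (one by exclusion, one by a desktop-only include list) and the only platform-independent MFA policy is still report-only, so the tenant-level check returns False; that is the configuration state the note above describes, and the fix is an enforced MFA policy with no platform carve-out.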
Env
- Provided by BHIS
- Presenter: Beau Bullock
Additional links
- https://www.nobandwidth.io/
- https://github.com/dafthack
- A password spraying tool for Microsoft Online accounts
- Enumerate valid OneDrive users
- Find exposed data in Azure with this public blob scanner
- Multi-cloud OSINT tool
- https://github.com/dafthack/DomainPasswordSpray
- https://aws.amazon.com/training/
- https://docs.microsoft.com/en-us/learn/azure/
- Fireprox to avoid smart lockout
- searching through email in a Microsoft Exchange environment for specific terms
- A tool for checking if MFA is enabled on multiple Microsoft Services
- Cloud Pentest Cheat Sheet
- A collection of Microsoft 365 licensing diagrams
- Automated Attack Simulation in the Cloud
- Multi-Cloud Security Auditing Tool
- ROADTools – Azure AD exploration framework
- PowerZure – PowerShell framework to assess Azure security
- MicroBurst – scripts for assessing Microsoft Azure security
- Stormspotter – graphing Azure
- AzureHound