
I'm Peter. Today I'm gonna be talking to y'all... alright, that's better. So I'm gonna be talking to you all about Azure and persisting in it. We're gonna do a quick primer; we won't go too in depth, but just give you a general idea of, like, the threat landscape and what everything looks like. So for those of you who haven't met me before, I'm Peter. I'm a cyber security consultant with Wydo Cyber. I like cocktails and, like, really strange, funky, might-be-vinegar wine. This is maybe my, I want to say, fifth or sixth BSides talk. I prefer them; they're smaller, they're a little more intimate, I can see all your faces when I tell really bad jokes and I can tell when you're not laughing. You have to keep laughing, it makes me feel better. I'm from Texas, and if you feel like it, follow me on Twitter. That's it, I do not tweet, I don't.

So this is gonna be our itinerary. We're gonna give a quick intro into Azure for those of you who don't know what it is, we're gonna give another primer into the infection vectors, then some hiding techniques, and then some various persistence ones.

What is Azure? Who has experience with Azure? Just raise your hand. All right, so we're gonna pick out of the crowd randomly... looking at you, Chris. What? So what is Azure? You can read the slides, yes. It's a cloud computing service run by Microsoft, and they have a variety of services ranging from SaaS, like, you know, software as a service, to IaaS, infrastructure as a service, bring-your-own-license type. One reason why I think that's important is Azure is gaining traction. I would still say that AWS is reigning; they're the most mature out there. Due to the integrations with, let's say, Office 365, or the fact that the next version of Windows is probably going to be a perpetual license, things are going to be more and more hosted by Azure, and I believe that more enterprises are going to migrate that way. Everyone is late, okay. Robinson... so let's talk about some compromise vectors.

As much as we want to secure different services, users are always going to be the problem. A main issue we're gonna have is phishing. Phishing sites these days are just getting more and more sophisticated. I'm sure y'all have seen the phishing kits; they can be deployed easily, like, you know, inside AWS, they can be deployed in Azure, so, you know, whitelists, like, these things that people trust, they can be made to look a lot like the logins that people are used to, and users will enter them. Another one is infected machines: users install whatever is sent to them via email. Everyone thinks it's always, like, exploit kits and whatnot that we have to worry about. It's not, it's actually just "can you install this exe?" and users are like "absolutely", double click, install. Something that's becoming more and more prevalent is credential leakage. I'm sure y'all have seen, like, Gitrob or these scanners out there that go on and scan for secret keys and for certificates and whatnot inside some of these public S3 buckets or GitHub accounts or what have you, and it's a prevalent issue. It affects people all the way from, like, the large enterprises to, like, you know, small mom-and-pops: people pushing their private keys, pushing SSH private keys, SSL certificates and what have you. And then social engineering. So I'm not a great red teamer, but I can definitely say I'm pretty good at social engineering: you just ask people for their passwords and then they give them to you. It's the best way to go about it.

Another thing that's been trending is service-based compromises. So your house may be set up proper, like, you know, you lock your doors at night, you close your windows, you barricade everything, but various services leak data. There is a Datadog... there was a Datadog data leakage not too long ago where a vast amount of data was leaked for the various people that are using their services, and this is happening a lot. So think of Jenkins: everyone uses Jenkins for CI, for continuous integration, and they leave them public often. So while having Jenkins out there is not normally that bad, it exposes a lot of your private information that people can use to exploit your site, exploit your service, or what have you. And in Azure, just like we have the S3 buckets that are open, there's blobs. So blobs is where Azure stores miscellaneous data, you know, you just push it up there, and by default they're private, but often developers, for ease of use, ease of deployment, will turn them to public. So you go through and just start scanning these IP ranges, just, you know, doing a HEAD request here and there until you find a bucket, and then you go through there to find the items that are inside it.

All right, now we're trying to get to the juicy bits. So we're gonna make some assumptions as we're going through these slides. I'm gonna assume that you have, let's say, root access to the Azure instance, that you are the administrator, you are the owner of the subscription ID. And so there's a couple different ways that you can hide inside Azure, and mostly it's gonna revolve around the logs. So Log Analytics is... it's similar to CloudTrail in AWS. Everything that happens in Azure gets logged into Log Analytics unless you specifically disable it, and administrators often will set up these various log alerts, for example, like, if this service spins up more than 500 nodes, if there's lots of data being pushed in or out, if there's high CPU utilization, etc. etc. And so as an attacker, one thing I want to do is disable alerts. If I disable alerts, you have no idea what's going on, you won't be alerted, and I can continue to move laterally throughout your Azure instance. Another thing to do that's a little more sneaky is, there's workspaces that are divided into Log Analytics, so you can have a workspace for your dev environment, you can have a workspace for your proper production environment, and you just delete the workspace. So as far as someone can tell, everything's still working properly, but the workspace is now gone, these logs aren't being audited properly, etc. And then there's simply stopping the logging: the various Linux boxes, among those boxes that you're deploying in Azure, they have an agent that's reporting into this Log Analytics, and if you have root access, as we said earlier, you can walk into these boxes, disable the agent, and if they don't have the proper alerts, like, "they haven't been logged in some five minutes", "there haven't been logs in 20 minutes", what have you, you can continue to persist and move laterally. And my favorite is this, because people set up a lot of alerts as far as logs coming in, making sure the logs are proper, but you set a really small log retention. So instead of, in general, people have about a year, let's say, for PCI compliance or what-have-you compliance, set it to ten minutes. So sure, the logs are there, but if you go in trying to check what I've done and what I've changed, you have no idea anymore. You can also set a data cap. So the data cap, I think by default it was, like, around... like, the free tier is, like, five hundred megs a day. Let's shrink that to five... one meg a day, half a kilobyte a day. So the logs come in, they immediately fall to the ground, and no one has any idea what you're doing.

So as far as persistence goes in Azure, one of the easiest things you can do is just create a new user. But creating a new user is loud; people will notice if I'm making a Johnny Bags 1 or Johnny X 2, you know, Johnny should only have one account. So something you want to try is typosquatting, or going after users that don't have a password set already, because, you know, there might be certain stale users. So instead of, like, you know, Peter with one T, I'll go Peter with two T's, you know, perhaps I made that account; that's something that'll look normal to everyone. Temporary users are also something that's heavily used inside Azure. You can create these users, there's a button, boom, and you can have them persist for 15 minutes before they're automatically deleted. And often after you create a user, let's say new Johnny Bags 1, and delete them immediately, their account will still have access for somewhere between 10 to 15 minutes. I think that's due to caching, I can't tell you properly why, but if you do a quick in-and-out combined with some of the logging things we had earlier, disabling those logs, you'll have access to an account with very little logging for it.

There's management certificates. So for those who don't know, there's two Azure endpoints: there's a portal that we use all the time right now, if you type in, like, you know, portal.azure.com, and that's referred to as the Azure Resource Manager, it's like their web 2.0, what have you. But when, like, Azure 1.0 launched, there was Azure Services Manager, and Azure Services Manager does not have good logging capabilities at all, and one thing that's related to it is these management certificates. So they're more or less, like, you know, the same private key, public key, what have you, that you'll push there for programmatic access, to where you don't want to hard-code your credentials. So when you upload these certificates in the portal 1.0, you cannot tell who uploaded the certificates, you cannot tell when the certificates were uploaded, often the names are randomly generated by, like, Visual Studio or some sort of IDE like that, so the names are gibberish. They do not respect being revoked, so let's say you lost your keys, you lost your laptop, what have you, you want to revoke all these private keys: the certificate manager just doesn't care. So this is honestly a great way to persist. You push this there, most people don't even know this portal exists. But one of the limitations is the Azure 1.0 portal is only gonna have access to things that use the Azure 1.0 infrastructure. So if you spin up new VMs inside the Azure portal 2.0, the 1.0 thing cannot see it. So it's good and bad, so to speak, but you can still spin up a VM and just do things of that sort.

And that leads us next: firewalls. So having root access and making backdoor accounts inside these various, like, VMs, what have you, you have to have a way to get in. So the basic way is, like, I set up a backdoor, it's gonna operate off of port 514, this conference is, like... people won't look too much at it, and so I can use that to jump back into it. SQL firewalls: so they don't have regular firewalls per database. So if I have 20 different databases, they all share a similar firewall, so I can't say this DB should only have access to this IP, this DB should only have access to this IP. So that can lead us to a point where I can compromise one particular database and use that to move laterally throughout the various other databases. WAF rules can be modified in a similar way inside Azure. The Azure WAF rules can't be customized; they're simply on/off. So if I know your site's vulnerable to SQL injection or any sort of injection of that sort, I can turn off that particular rule. Admins often turn these rules off due to the lack of customizability, and so no one will look twice at it, and that can be a great way to persist. So even if you blow away my accounts, even if everything is reset after you think you're done, the WAF rule still might be off, so I can still do the same SQL injection, I can still recreate my user accounts, I can still go about my business moving around. The root accounts of virtual machines can also be reset. So there's two portions to resetting a root for these virtual machines: there's resetting the whole thing, so that's noisy because people will notice that they can't get back into their VMs, but you can only reset remote access passwords, such as SSH and RDP. So if the user has something hard-coded, like an ax script or what have you, they'll still have access, they'll still be able to go about their business, but you'll be able to persist via this manner.

Azure Automation is also a great way to go about this. So there's runbooks; these runbooks are usually PowerShell-based, or there's a drag-and-drop GUI, to where you can have the logs rotate every five minutes, you can have things being completed, you can create new users, etc. So one way to leverage this would be: turn off logging, create user, clear the logs, and reset logging, and you can do this all, like, in a number of milliseconds. So a user or an administrator is trying to go through these audit logs, they won't notice anything, they won't see anything. Less known is hybrid workers. Hybrid workers are a virtual machine, or sometimes hardware, that exists inside the customer's network. So as businesses are migrating to Azure, they'll do things like point-to-point VPNs, or they'll have, like, you know, a direct feed to Azure, and they'll set up these workers inside their network. So these workers are inherently trusted by Azure, so from the Azure portal you can push code and things down to this worker, that then can scan inside the customer's physical network for things that are going on that way. And due to this trusted connection you can persist on the cloud worker, so let's say every day you create a new user, every day you go through and you modify the firewalls, every day you do what have you.

And there's also Azure Functions. So Azure Functions is the serverless version for Azure: things run in a small little Linux VM, there's a little bit of spin-up time, but inside these functions it's very hard to audit them. You can push PowerShell or Python or Node.js, like, you know, your programming language of your choice, and you can do some of the things that we mentioned earlier, whether it's modifying logs, creating users, doing various things to persist. They have the same agent that pushes to Log Analytics, which you can disable, and one happier bit: a lot of people don't use Functions on a regular basis, so it's not well known and most admins aren't looking for this when they're going through. Well, that leads us to the end. If you have any questions, please.

Absolutely. So the applications, there's a couple of abuse... let's say you're the developer using Visual Studio and you're using certificates to deploy; inside your configs there's a hard-coded certificate for that. So there's two ways: I push the code back to your machine that, you know, persists, whether it's, like, user-based or role-based, etc., or inside Azure itself, when you have that configuration up there, it would be simple to create a backdoor account, so every time the application's redeployed my user's already there, my information is already there, it's easy for me to set up. Any more questions?

Yeah, VMs that are running in Azure portal one cannot be seen in Azure portal two, and vice versa. Anything else? Please. So the methods for detection, I purposely left off that slide because they're not great. There's this Azure Security Center, where Log Analytics and everything is, like, you know, let's say, much in process right now, but there's a high amount of false positives right now. They're tuning it, it's getting better with every release, but it's not great. Although the best way, I'd honestly say, is offshore the logs immediately to, like, a SIEM of your choice, Splunk, Elasticsearch, etc. And even then, getting the logs out is difficult because, as they're building Security Center, they want to be your SIEM, they want everything to be in there, they want everything to be, like, you know, a nice glass-wall fortress around there. So you have to flow up the logs and API calls, and you can pull every so often, but if someone messes with your retention policy, or you're not gonna set it high enough yourself, you're going to miss large swaths of data. Demos... and that wraps things up, and thank you.
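A defender-side check for the log tampering the talk describes (deleting alert rules or the Log Analytics workspace, shrinking retention, setting a data cap), written as an added example that is not part of the talk: it runs over exported Activity Log records, as the speaker's own advice to pull the logs into a SIEM implies. The operation-name strings, the `requestbody` layout and the thresholds are my assumptions about Azure's export format, not facts from the talk; confirm them against events from your own tenant.

```python
"""Flag Activity Log records matching the talk's log-tampering techniques: deleting
alert rules or a Log Analytics workspace, shrinking retention, capping ingestion."""
import json

MIN_RETENTION_DAYS = 90   # assumption: your compliance floor
MIN_DAILY_QUOTA_GB = 0.5  # assumption: below this, ingestion is effectively off
# Operation names follow Azure's resource-provider naming as I know it;
# treat them as assumptions and confirm against events from your own tenant.
OP_WORKSPACE_DELETE = "microsoft.operationalinsights/workspaces/delete"
OP_WORKSPACE_WRITE = "microsoft.operationalinsights/workspaces/write"
OP_ALERT_DELETE = {"microsoft.insights/alertrules/delete",
                   "microsoft.insights/metricalerts/delete",
                   "microsoft.insights/scheduledqueryrules/delete"}

def check_event(ev):
    """Return a reason string if the record matches a tampering pattern, else None."""
    op = ev.get("operationName", "").lower()
    if op == OP_WORKSPACE_DELETE:
        return "workspace deleted"
    if op in OP_ALERT_DELETE:
        return "alert rule deleted"
    if op == OP_WORKSPACE_WRITE:
        body = ev.get("properties", {}).get("requestbody", {})
        if isinstance(body, str):  # exports often carry the body as a JSON string
            body = json.loads(body)
        props = body.get("properties", {})
        days = props.get("retentionInDays")
        if days is not None and days < MIN_RETENTION_DAYS:
            return f"retention lowered to {days} days"
        quota = props.get("workspaceCapping", {}).get("dailyQuotaGb")
        if quota is not None and 0 <= quota < MIN_DAILY_QUOTA_GB:  # -1 means unlimited
            return f"daily ingestion cap set to {quota} GB"
    return None

def flag_tampering(events):
    """Return [(caller, reason)] for every flagged record, in input order."""
    hits = [(ev.get("caller", "unknown"), check_event(ev)) for ev in events]
    return [(caller, reason) for caller, reason in hits if reason]

SAMPLE_EVENTS = [  # constructed sample records, not real tenant data
    {"caller": "dev@example.test", "operationName": "Microsoft.Compute/virtualMachines/write"},
    {"caller": "pettter@example.test", "operationName": "Microsoft.OperationalInsights/workspaces/write",
     "properties": {"requestbody": '{"properties": {"retentionInDays": 7}}'}},
    {"caller": "pettter@example.test", "operationName": "Microsoft.OperationalInsights/workspaces/write",
     "properties": {"requestbody": {"properties": {"workspaceCapping": {"dailyQuotaGb": 0.001}}}}},
    {"caller": "pettter@example.test", "operationName": "Microsoft.Insights/metricAlerts/delete"},
    {"caller": "pettter@example.test", "operationName": "Microsoft.OperationalInsights/workspaces/delete"},
]
```

`flag_tampering(SAMPLE_EVENTS)` returns four hits, all from the typosquatted "pettter" account; the ordinary VM write is left alone. Because retention and cap changes are themselves logged before they take effect, a SIEM that receives the stream in near real time keeps the evidence even after the workspace stops retaining it.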