CARTP Certified Azure Red Team Professional
  • README
  • Introduction
    • Topics
  • Recon & Discovery
    • Topics
  • Initial Access
    • Topics
  • Enumeration
    • Topics
  • Privilege Escalation
    • Page 5
  • Lateral Movement
    • Topics
  • Persistence
    • Topics
  • Data Mining
    • Topics
    • Page 8
  • Defenses
    • Topics
  • Defenses Bypass
    • Topics
Powered by GitBook
On this page
  1. Persistence

Topics

PreviousTopicsNextTopics

Last updated 1 year ago

  • Understand the persistent opportunities when a hybrid identity is used.

  • Know that features like SSO implemented using AZUREADSSOACC can be abused for persistence.

  • Understand the criticality of Azure AD Connect server and how OS level persistence on such a machine can be used to compromise both the on-prem and cloud infrastructure.

  • Get in-depth knowledge of attacks like Skeleton key in the cloud and Golden SAML attack.

  • Understand the persistence opportunities for Azure resources like storage accounts, applications and service principals, consents and permissions, Azure VMs and NSGs, Custom Azure and Azure AD roles etc.

Exploring Hybrid Identity Persistence Techniques

The integration of on-premises and cloud environments through hybrid identity models offers both benefits and avenues for cyber threats. Here we delve into the persistence mechanisms that adversaries might leverage in such setups.

Azure AD Connect

A linchpin in the hybrid identity setup, Azure AD Connect synchronizes identity data between on-premises directories and Azure AD. Compromising its OS not only jeopardizes the on-prem environment but also opens up cloud-based assets to attacks.

Key Points:

  • Always ensure the Azure AD Connect server is up-to-date and monitors for unusual activities.

  • Implement strict access controls and monitoring on this critical asset.

Single Sign-On (SSO) and AZUREADSSOACC

SSO simplifies the user experience but also presents a tantalizing target for attackers. The AZUREADSSOACC feature in Azure, if abused, can become a persistent backdoor.

Key Points:

  • Regularly audit and rotate the Kerberos decryption key used by AZUREADSSOACC.

  • Monitor sign-in logs for any anomalies that could indicate misuse of SSO capabilities.

Advanced Attack Techniques

  • Skeleton Key in the Cloud: Originally a malware targeting on-premises Active Directory, versions of this technique can be adapted for cloud environments, allowing attackers to persist undetected.

  • Golden SAML Attack: This sophisticated attack enables attackers to forge SAML tokens and gain access to resources. Such attacks underline the need for robust monitoring and anomaly detection.

Azure Resource Persistence

Persistence can be achieved through various Azure resources. Understanding how these can be abused is crucial for defense.

  • Storage Accounts and Applications: Unauthorized access to these resources can lead to data exfiltration and serve as a foothold for further attacks.

  • Service Principals, Consents, and Permissions: Excessive permissions can be exploited for persistent access. Regularly review and adjust permissions in line with the principle of least privilege.

  • Azure VMs and NSGs: Compromising these components can give attackers extensive control over network traffic and access.

  • Custom Azure and Azure AD roles: Custom roles should be carefully defined to prevent excessive permissions that could be abused.

Key Points:

  • Implement robust access controls and monitor for unusual access patterns.

  • Leverage Azure’s native tools like Azure AD Identity Protection and Azure Monitor for better visibility and threat detection.

Understanding and mitigating persistent threats in a hybrid identity environment is essential. Through diligent monitoring, regular audits, and adherence to best practices, organizations can better secure their hybrid landscapes against sophisticated attacks.

Sign up to our mailing list to receive updates!