Penetration Testing Azure for Ethical Hackers - David Okeyode - E-Book


David Okeyode

Description

“If you’re looking for this book, you need it.” — 5* Amazon Review

Curious about how safe Azure really is? Put your knowledge to work with this practical guide to penetration testing.

This book offers a no-faff, hands-on approach to exploring Azure penetration testing methodologies, which will get you up and running in no time with the help of real-world examples, scripts, and ready-to-use source code.

As you learn about the Microsoft Azure platform and understand how hackers can attack resources hosted in the Azure cloud, you'll find out how to protect your environment by identifying vulnerabilities, along with extending your pentesting tools and capabilities.

First, you’ll be taken through the prerequisites for pentesting Azure and shown how to set up a pentesting lab. You'll then simulate attacks on Azure assets such as web applications and virtual machines from anonymous and authenticated perspectives.

In the later chapters, you'll learn about the opportunities for privilege escalation in Azure tenants and ways in which an attacker can create persistent access to an environment.

By the end of this book, you'll be able to leverage your ethical hacking skills to identify and implement different tools and techniques to perform successful penetration tests on your own Azure infrastructure.

Page count: 319

Publication year: 2021




Penetration Testing Azure for Ethical Hackers

Develop practical skills to perform pentesting and risk assessment of Microsoft Azure environments

David Okeyode

Karl Fosaaen

BIRMINGHAM—MUMBAI

Penetration Testing Azure for Ethical Hackers

Copyright © 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Wilson Dsouza

Publishing Product Manager: Vijin Boricha

Senior Editor: Athikho Sapuni Rishana

Content Development Editor: Sayali Pingale

Technical Editor: Nithik Cheruvakodan

Copy Editor: Safis Editing

Project Coordinator: Neil D'mello

Proofreader: Safis Editing

Indexer: Pratik Shirodkar

Production Designer: Shankar Kalbhor

First published: September 2021

Production reference: 1230921

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

978-1-83921-293-2

www.packt.com

To Carrie – Thanks for encouraging me when I make ambitious plans. I promise to do the same for you.

– Karl Fosaaen

Foreword

A small office in downtown Minneapolis is where Karl and I were sitting in front of a whiteboard in 2017. I was new to NetSPI, and Karl was kind enough to help me acclimatize and brainstorm on new growth ideas and initiatives. As we concluded our meeting, only one word was written on the board, and that word was cloud. And Karl took it from there, taking all of his knowledge that he has accumulated in security testing and applying it to cloud platforms. Since then, Karl has been widely recognized as a leader in cloud security, and has built many teams, many tools, and published many blogs on the topic. In teaming up with David, who is a brilliant cloud architect, tester, and trainer, together they bring over two decades of industry-leading experience and insights on cloud security to this book.

The concept of cloud computing is not new, and some organizations today were born in the cloud, with little to no IT footprint on-premises. But for brick-and-mortar large-scale enterprises, who are saddled with mountains of technical debt with legacy applications, cloud adoption has a naturally slower timetable. The pace of migrating to the cloud is picking up as these large organizations have hit their tipping point for cloud migration. The investment in, and priority of, cloud migration lies at board level, with many mandates for timely migration at enterprise scale. And, amidst the urgency and rush to migration is where mistakes happen, where things get missed, and holes are left open. Also, many companies are bringing the legacy vulnerabilities in those legacy apps to the cloud, which can have a higher impact in a cloud environment.

In this book, David and Karl have created a pragmatic and step-by-step guide for the cloud security practitioner that includes detailed instructions for setting up and testing an Azure cloud environment, along with the necessary supporting tools.
David and Karl not only describe how to attack a cloud environment, but they also take the time to detail why certain things are important. The practical nature of this book should make it a primer for any cloud security penetration tester as well as cloud architects. The authors of this book take us on a technical journey, from setting up an Azure environment, finding misconfiguration vulnerabilities, compromising Azure AD accounts, and escalating privileges, to attacking VMs in Azure, getting credentials, and persistence options. If the principles and lessons of this book are applied properly using the tools suggested, I think you will be amazed at what you find.

– Charles Horton

COO, NetSPI

Contributors

About the authors

David Okeyode is a cloud security architect at the Prisma cloud speedboat at Palo Alto Networks. Before that, he was an independent consultant helping companies to secure their cloud environments through private expert-level training and assessments. He holds 15 professional certifications across Azure and AWS platforms.

David has over a decade of experience in cybersecurity (consultancy, design, and implementation). He has worked with organizations from start-ups to major enterprises and he regularly speaks on cloud security at major industry events such as Microsoft Future Decoded and the European Information Security Summit.

David is married to a lovely girl who makes the best banana cake in the world and they love traveling the world together!

Karl Fosaaen is a practice director at NetSPI. He currently leads the Cloud Penetration Testing service line at NetSPI and oversees their Portland, OR office. Karl holds a BS in computer science from the University of Minnesota and has over a decade of consulting experience in the computer security industry. Karl spends most of his research time focusing on Azure security and contributing to the NetSPI blog. As part of this research, Karl created the MicroBurst toolkit to house many of the PowerShell tools that he uses for testing Azure.

About the reviewers

Jake Karnes has a BS in computer science from San Jose State University and holds the GIAC Certified Incident Handler and Certified Ethical Hacker certifications. With a background in software consulting, he is currently a managing consultant at NetSPI. Jake specializes in web application and cloud penetration testing and also contributes to the development of applications and tools for the penetration testing team. He loves working in an ever-evolving field and sharing his knowledge and experience with others.

I'd like to thank my wife, Halle, for empowering me to be the best version of myself. Her compassion and fortitude are an unending source of inspiration. She is my source of light and warmth through cloudy Portland days.

I'd also like to thank my parents and brother for their patience and support while I spent endless hours in front of a computer.

Lastly, I'd like to thank my uncle Pat for mentoring me in life and consulting.

Thomas Elling is a principal security consultant and security researcher at NetSPI. He specializes in web application and cloud security testing and has advised multiple Fortune 500 companies in the technology sector. In his spare time, Thomas enjoys improving his coding skills, watching bad action movies, and hanging out with his dog, Chunks.

Thanks to my family and my partner for all of their support.

Table of Contents

Preface

Section 1: Understanding the Azure Platform and Architecture

Chapter 1: Azure Platform and Architecture Overview

Technical requirements

The basics of Microsoft's Azure infrastructure

Azure clouds and regions

Azure resource management hierarchy

An overview of Azure services

Understanding the Azure RBAC structure

Security principals

Role definition

Role assignment

Accessing the Azure cloud

Azure portal

Azure CLI

PowerShell

Azure REST APIs

Azure Resource Manager

Summary

Further reading

Chapter 2: Building Your Own Environment

Technical requirements

Creating a new Azure tenant

Hands-on exercise: Creating an Azure tenant

Hands-on exercise: Creating an Azure admin account

Deploying a pentest VM in Azure

Hands-on exercise: Deploying your pentest VM

Hands-on exercise: Installing WSL on your pentest VM

Hands-on exercise: Installing the Azure and Azure AD PowerShell modules on your pentest VM

Hands-on exercise: Installing the Azure CLI on your pentest VM (WSL)

Azure penetration testing tools

Summary

Chapter 3: Finding Azure Services and Vulnerabilities

Technical requirements

Guidelines for Azure penetration testing

Azure penetration test scopes

Anonymous service identification

Test at your own risk

Azure public IP address ranges

Hands-on exercise – parsing Azure public IP addresses using PowerShell

Azure platform DNS suffixes

Hands-on exercise – using MicroBurst to enumerate PaaS services

Custom domains and IP ownership

Introducing Cloud IP Checker

Hands-on exercise – determining whether custom domain services are hosted in Azure

Subdomain takeovers

Identifying vulnerabilities in public-facing services

Configuration-related vulnerabilities

Hands-on exercise – identifying misconfigured blob containers using MicroBurst

Patching-related vulnerabilities

Code-related vulnerabilities

Finding Azure credentials

Guessing Azure AD credentials

Introducing MSOLSpray

Hands-on exercise – guessing Azure Active Directory credentials using MSOLSpray

Conditional Access policies

Summary

Further reading

Section 2: Authenticated Access to Azure

Chapter 4: Exploiting Reader Permissions

Technical requirements

Preparing for the Reader exploit scenarios

Gathering an inventory of resources

Introducing PowerZure

Hands-on exercise – gathering subscription access information with PowerZure

Hands-on exercise – enumerating subscription information with MicroBurst

Reviewing common cleartext data stores

Evaluating Azure Resource Manager (ARM) deployments

Hands-on exercise – hunting credentials in resource group deployments

Exploiting App Service configurations

Escalating privileges using a misconfigured service principal

Hands-on exercise – escalating privileges using a misconfigured service principal

Reviewing ACR

Hands-on exercise – hunting for credentials in the container registry

Exploiting dynamic group memberships

Hands-on exercise – cleaning up the Owner exploit scenarios

Summary

Further reading

Chapter 5: Exploiting Contributor Permissions on IaaS Services

Technical requirements

Reviewing the Contributor RBAC role

Hands-on exercise – preparing for the Contributor (IaaS) exploit scenarios

Understanding Contributor IaaS escalation goals

Local credential hunting

Domain credential hunting

Lateral network movement opportunities

Tenant credential hunting

Exploiting Azure platform features with Contributor rights

Exploiting the password reset feature

Hands-on exercise – exploiting the password reset feature to create a local administrative user

Exploiting the Run Command feature

Hands-on exercise – exploiting privileged VM resources using Lava

Executing VM extensions

Extracting data from Azure VMs

Gathering local credentials with Mimikatz

Gathering credentials from the VM extension settings

Exploiting the Disk Export and Snapshot Export features

Hands-on exercise – exfiltrating VM disks using PowerZure

Hands-on exercise – cleaning up the Contributor (IaaS) exploit scenarios

Summary

Further reading

Chapter 6: Exploiting Contributor Permissions on PaaS Services

Preparing for Contributor (PaaS) exploit scenarios

Attacking storage accounts

Hands-on exercise – Dumping Azure storage keys using MicroBurst

Attacking Cloud Shell storage files

Hands-on exercise – Escalating privileges using the Cloud Shell account

Pillaging keys, secrets, and certificates from Key Vaults

Hands-on exercise – exfiltrate secrets, keys, and certificates in Key Vault

Leveraging web apps for lateral movement and escalation

Hands-on exercise – Extracting credentials from App Service

Lateral movement, escalation, and persistence in App Service

Extracting credentials from Automation Accounts

Automation Account credential extraction overview

Hands-on exercise – Creating a Run as account in the test Automation account

Hands-on exercise – Extracting stored passwords and certificates from Automation accounts

Hands-on exercise – Cleaning up the Contributor (PaaS) exploit scenarios

Summary

Further reading

Chapter 7: Exploiting Owner and Privileged Azure AD Role Permissions

Technical requirements

Escalating from Azure AD to Azure RBAC roles

Path 1 – Exploiting group membership

Path 2 – Resetting user passwords

Path 3 – Exploiting service principal secrets

Path 4 – Elevating access to the root management group

Hands-on exercise – Preparing for the Global Administrator/Owner exploit scenarios

Hands-on exercise – Elevating access

Escalating from subscription Owner to Azure AD roles

Path 1 – Exploiting privileged service principals

Path 2 – Exploiting service principals' API permissions

Attacking on-premises systems to escalate in Azure

Identifying connections to on-premises networks

Identifying domain escalation paths

Automating the identification of escalation paths

Tools for pivoting along escalation paths

General tips for post domain escalation and lateral movement

Hands-on exercise – Cleaning up the Owner exploit scenarios

Summary

Chapter 8: Persisting in Azure Environments

Understanding the goals of persistence

Plan on getting caught

Have multiple channels ready

Use long-term and short-term channels

Have multiple persistence options at multiple levels

Persisting in an Azure subscription

Stealing credentials from a system

Hands-on exercise – stealing and reusing tokens from an authenticated Azure admin system

Maintaining persistence with virtual machines

Maintaining persistence with Automation accounts

Maintaining persistence to PaaS services

Persisting in an Azure AD tenant

Creating a backdoor identity

Modifying existing identities

Granting privileged access to an identity

Bypassing security policies to allow access

Summary

Further reading

Other Books You May Enjoy

Preface

Welcome to Penetration Testing Azure for Ethical Hackers. This book will cover a wide variety of techniques and attacks that you can use during a penetration test of an Azure environment. Whether you're a seasoned penetration tester who's looking to get an edge in the cloud space or someone who's just getting into the penetration testing space, this book should have valuable information for you.

We will start the book with an introduction to Azure services and the overall architecture of the platform. This first section will cover common services that are used during penetration tests, and the services that support them. This is where we will set the foundation for the rest of the attacks in the book, as attacks typically make use of the architecture and configuration of these services, in contrast with more traditional protocol and code-related penetration testing attacks.

Then, we will cover how you can create and configure a vulnerable test environment in order to follow the exercises in the book. For those who have experience building and maintaining subscriptions, this may be a refresher chapter, but keep in mind that this initial information will inform the rest of the content in the book.

The middle section of the book will cover the attacks and techniques that you will use during a penetration test. The utility of specific attacks in this section will vary for you, as you may not run into all of the services and configurations that we cover during a normal penetration test. As penetration testers who have been in hundreds of Azure subscriptions, we hopefully will be able to give you a good idea of the core services that companies are using, along with the services that are vulnerable to exploits.

For the attacks sections, we will break down the individual attacks by the level of subscription permissions (Reader, Contributor, and so on) and the available attacks for the individual services with those permissions. Since different permissions will allow for different attacks, we'll start with the more basic read-only attacks and move toward more advanced (greater permissions) attacks.

The final chapter of the book focuses on persistence in an Azure environment. During a penetration test, you may find yourself in a situation where you need to maintain access to certain sections of an Azure environment. We will review multiple techniques to hide in an Azure environment.

Thank you for purchasing Penetration Testing Azure for Ethical Hackers!

Hack responsibly and good luck!

Who this book is for

This book is for new and experienced information security practitioners who want to learn how to simulate real-world Azure attacks using tactics, techniques, and procedures that adversaries use in cloud breaches. Any technology professional working with the Azure platform (including Azure administrators, developers, and DevOps engineers) interested in learning how attackers exploit vulnerabilities in Azure-hosted infrastructure, applications, and services will find this book useful.

What this book covers

Chapter 1, Azure Platform and Architecture Overview, covers the basics of how the Azure platform works.

Chapter 2, Building Your Own Environment, explains how to create a test environment that can be used in order to follow the hands-on exercises in the book.

Chapter 3, Finding Azure Services and Vulnerabilities, explains how to utilize anonymous attacks to find Azure-hosted services and attack them to gain initial access to an environment.

Chapter 4, Exploiting Reader Permissions, covers attacks available to users with one of the least-permissioned roles (Reader) in Azure.

Chapter 5, Exploiting Contributor Permissions on IaaS Services, explains the available infrastructure attacks that can be executed with the Contributor role.

Chapter 6, Exploiting Contributor Permissions on PaaS Services, explains how to attack platform-hosted services with the Contributor role to gain access to credentials, identities, and privilege escalation opportunities.

Chapter 7, Exploiting Owner and Privileged Azure AD Role Permissions, covers how to use privileged roles in subscriptions and Azure AD to move laterally and escalate tenant privileges.

Chapter 8, Persisting in Azure Environments, explains the goals of persistence and the techniques used by attackers to hide in an Azure environment.

To get the most out of this book

This book relies on multiple hands-on exercises to guide the reader through the material. Readers of this book will greatly benefit by setting up a test Azure subscription and a supporting virtual machine, outlined in Chapter 2, Building Your Own Environment. The authors strongly encourage the reader to utilize the new account credits that are offered by Microsoft to help offset the operating costs associated with running cloud resources.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781839212932_ColorImages.pdf.

Download the example code files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Penetration-Testing-Azure-for-Ethical-Hackers.

In case there's an update to the code, it will be updated on the existing GitHub repository. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "A user named karl in the Azure AD tenant with a domain name of azurepentesting.com will have a UPN of [email protected]."

A block of code is set as follows:

{
  "assignableScopes": [
    "/"
  ],

Any command-line input or output is written as follows:

PS C:\> az login

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Within the RDP session to your Pentest VM, right-click the Start button and click on Windows PowerShell (Admin)."

Tips or important notes

Appear like this.

Disclaimer

All the information provided in this book is purely for educational purposes. The book aims to serve as a starting point for learning penetration testing. Use the information provided in this book at your own discretion. The authors and publisher hold no responsibility for any malicious use of the work provided in this book and cannot be held responsible for any damages caused by the work presented in this book.

Penetration testing or attacking a target without previous written consent is illegal and should be avoided at all costs. It is the reader's responsibility to be compliant with all their local, federal, state, and international laws.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you've read Penetration Testing Azure for Ethical Hackers, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.

Section 1: Understanding the Azure Platform and Architecture

This section will cover the basics of the Azure ecosystem and explain the attacks that are available from an anonymous, internet-facing standpoint.

This part of the book comprises the following chapters:

Chapter 1, Azure Platform and Architecture Overview

Chapter 2, Building Your Own Environment

Chapter 3, Finding Azure Services and Vulnerabilities

Chapter 1: Azure Platform and Architecture Overview

The Azure cloud is Microsoft's public cloud computing platform. The platform consists of multiple services that customers can use to develop, host, and enhance their applications and services. Like many other cloud platforms (Amazon Web Services (AWS), Google Cloud Platform (GCP), and so on), it is constantly growing and evolving by frequently adding new services and features to the ecosystem. Given the availability of all of these cloud services, and the flexibility of Microsoft 365 licensing, many organizations are moving their operations up into the Azure cloud.

In our first chapter, we will focus on providing an overview of the Azure platform, its architecture, the core services, and how those services are managed.

In this chapter, we'll cover the following topics:

The basics of Microsoft's Azure infrastructure

An overview of Azure services

Understanding the Azure role-based access control (RBAC) structure

Accessing the Azure cloud

By the end of the chapter, we will have a good understanding of how organizations use Azure and how to approach an Azure environment as a penetration tester.

Technical requirements

You won't need any additional software for most of this first chapter, as we will be focusing on attaining a high-level understanding of the Azure infrastructure. Having Azure portal access to an existing subscription is certainly handy for following along, but not needed for understanding the concepts.

At the end of the chapter, we will review the multiple methods for accessing the Azure management interfaces. So, if you do have access to an existing Azure environment, the following tools will be helpful to have available:

The Azure command-line interface (CLI)

The Az PowerShell module

The Azure Active Directory (Azure AD) PowerShell module

If you don't have access to an existing Azure environment, don't worry. We will go through the steps to creating your own testing environment in Chapter 2, Building Your Own Environment.

The basics of Microsoft's Azure infrastructure

At the time of writing (late 2020–early 2021), the Azure platform consists of over 200 services and seems to be expanding all the time. It may feel that there is a lot of ground to cover here, but during a penetration test, you will typically only need to focus on a subset of the available services that you have in scope.

In general, it is important to understand how the environment is structured at the Azure platform level (subscriptions, RBAC, resources), and how the available services can be abused to gain additional privileges in the environment.

The lessons in this section will be fundamental to your understanding of how Azure functions as a platform, so pay close attention. For those with a solid Azure background, feel free to skim this chapter to refresh on the core principles.

In this section, we will gain an understanding of the Azure cloud platform and its regions, how Azure tenants are typically structured, and how the resources under the tenant are managed.

Azure clouds and regions

To be able to serve several distinct markets governed by different laws and regulations, Microsoft has built different Azure clouds that cater to different markets. These clouds all run on the same technologies and provide the same services, but they run in different data center environments that are isolated both physically and logically. This is important to keep in mind, as the application programming interface (API) endpoints for each platform and their services vary depending on the cloud platform that we are interacting with.

The following table highlights the four Azure cloud platforms and their main endpoints:

Since each of these clouds has different endpoints for accessing Azure services and we want to avoid confusion across regions, we will standardize on the Azure Commercial cloud for all the examples in the book. It is important to note that the examples are applicable to the other Azure clouds, but you may need to modify the target endpoints.

Azure resource management hierarchy

Before we get into the tactics, techniques, and procedures that can be used during penetration tests in Azure environments, we need a working understanding of how resources are structured in the Azure cloud. This knowledge will also give us the ability to follow an attack chain through an environment once we have obtained initial access.

The organization structure in Azure consists of the following levels: Azure AD Tenant, Root Management Group, Child Management Group, Subscription, Resource Group, and individual Resources. These different levels are shown in the following diagram:

Figure 1.1 – Azure resource hierarchy

Here are the descriptions of each level from the top down:

Azure AD Tenant: In order to manage Azure subscriptions and resources, administrators need an identity directory to manage users that will have access to the resources. Azure AD is the identity store that facilitates the authentication and authorization for all users in an Azure tenant's subscriptions.

Every Azure subscription has a trust relationship with one Azure AD tenant to manage access to the subscription. It is common for organizations to connect their on-premises AD to Azure AD using a tool called Azure AD Connect, as shown in the following diagram:

Figure 1.2 – Using Azure AD Connect to synchronize objects to Azure AD

As the core of authentication and authorization, Azure AD is a prime target for information gathering, as well as different identity-based attacks. We will be covering more of the authorization model for Azure subscriptions in the Understanding the Azure RBAC structure section in this chapter.

Root Management Group: This is the top of the Azure resource organization hierarchy, if it's enabled. By default, the root management group is not enabled for an organization that is new to Azure, which means each subscription is managed as an individual entity. However, managing subscriptions individually creates a governance model that does not scale well. This is especially difficult for medium- to large-sized organizations with multiple subscriptions to manage.

Many production Azure environments will have the root management group enabled. This is partly because Microsoft recommends enabling it as part of their Cloud Adoption Framework document (https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/decision-guides/subscriptions/). This document describes some of the best practices for adopting the Azure cloud and is a great source of information for those looking at building out an environment in Azure.

Child Management Group: If an organization has enabled the root management group, they could create child management groups under the root to simplify the management of their subscriptions. Child management groups allow organizations to group subscriptions together in a flexible structure, mainly to centrally manage access and governance. Child management groups can be nested and can support up to six levels of depth.

Subscription: To provision resources in Azure, we need an Azure subscription. An Azure subscription is the logical container where resources are provisioned. When we create a resource such as a Structured Query Language (SQL) database, the first thing we usually do is specify the subscription where the resource will be provisioned. The usage of that resource will also be billed to the subscription that is selected.

As noted in the Child Management Group description, an organization will typically have multiple Azure subscriptions. It is quite common for organizations to set up multiple subscriptions for separate environments, such as development and production, or for separating application environments.

Resource Group: Within subscriptions, there are resource groups. Resource groups are logical containers that can be used to group and manage Azure resources such as virtual machines (VMs), storage accounts, and databases.

Resource groups are best used to collect and group resources that need to be managed together or share the same life cycle. Depending on the subscription architecture, this can result in large numbers of resource groups in individual subscriptions.

From an access perspective, resource groups also allow us to segment access to different groups in the same subscription, but we will cover that in more detail in the Understanding the Azure RBAC structure section.

Resources: Resources are the individual instances of Azure services that are deployed in an Azure subscription. The resource level is the bottom of the organization hierarchy. Outside of services with specific access policies (see the information about key vaults), we can't segment down the resources hierarchy any further than this.

We will get into the specifics of how access is managed using RBAC later in the chapter but in general, an Azure AD account can have specified access to any of the resource organization levels outlined previously. From a penetration-testing perspective, access granted at a higher level gives wider scope for an attacker to discover vulnerabilities in cloud-service configurations and to move laterally within the environment. This concept will be more important when we discuss privilege escalation.
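To make the inheritance point concrete, here is a small Python model of the hierarchy just described. It is an added illustration, not code from the book or from Microsoft: the management-group names, subscription GUIDs, principal object IDs and role assignments are constructed sample data, and the scope strings use the documented Azure formats. Given a resource ID, it walks up through the resource group, subscription and management groups, so that an assignment made at any of those levels is found for the resource, and it reports how many subscriptions an assignment at a given scope reaches.

```python
"""Added illustration (not from the book): a model of the Azure resource
hierarchy showing how a role assignment at a higher scope is inherited by
every subscription, resource group and resource beneath it."""
from dataclasses import dataclass

# Scope string formats are the documented Azure ones; the tree is made up.
ROOT_MG = "/providers/Microsoft.Management/managementGroups/contoso-root"
PROD_MG = "/providers/Microsoft.Management/managementGroups/prod"
DEV_MG = "/providers/Microsoft.Management/managementGroups/dev"
PROD_SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
DEV_SUB = "/subscriptions/22222222-2222-2222-2222-222222222222"

# Child scope -> parent scope. Within a subscription the containment is encoded
# in the resource ID path, so only management-group edges need listing.
# Keys are lower-cased because Azure compares scopes case-insensitively.
PARENT = {
    PROD_MG.lower(): ROOT_MG,
    DEV_MG.lower(): ROOT_MG,
    PROD_SUB.lower(): PROD_MG,
    DEV_SUB.lower(): DEV_MG,
}


@dataclass(frozen=True)
class Assignment:
    principal: str  # object ID of the security principal (sample values here)
    role: str
    scope: str


def scope_chain(scope: str) -> list:
    """Return the scope itself followed by every enclosing scope up to the root
    management group (resource -> resource group -> subscription -> MGs).
    Parent resources of nested child resources are not modelled."""
    chain = [scope]
    current = scope
    if scope.lower().startswith("/subscriptions/"):
        segs = scope.split("/")  # ['', 'subscriptions', <id>, 'resourceGroups', <rg>, ...]
        sub = "/".join(segs[:3])
        if len(segs) > 5 and segs[3].lower() == "resourcegroups":
            chain.append("/".join(segs[:5]))
        if len(segs) > 3:
            chain.append(sub)
        current = sub
    while current.lower() in PARENT:
        current = PARENT[current.lower()]
        chain.append(current)
    return chain


def covering_assignments(assignments, principal, scope):
    """Assignments for `principal` that apply to `scope`, directly or inherited."""
    chain = {s.lower() for s in scope_chain(scope)}
    return [a for a in assignments if a.principal == principal and a.scope.lower() in chain]


def subscriptions_under(scope, subscriptions):
    """Subscriptions an assignment at `scope` reaches: the larger this list, the
    more ground a compromised principal holding that assignment can cover."""
    return [s for s in subscriptions
            if scope.lower() in {c.lower() for c in scope_chain(s)}]


# Constructed sample assignments at three different levels of the hierarchy.
ASSIGNMENTS = [
    Assignment("aaaa-platform-team", "Contributor", ROOT_MG),
    Assignment("bbbb-prod-auditor", "Reader", PROD_SUB),
    Assignment("cccc-dev-ops", "Virtual Machine Contributor",
               f"{DEV_SUB}/resourceGroups/rg-dev-web"),
]
PROD_VM = f"{PROD_SUB}/resourceGroups/rg-prod-web/providers/Microsoft.Compute/virtualMachines/web01"
DEV_VM = f"{DEV_SUB}/resourceGroups/rg-dev-web/providers/Microsoft.Compute/virtualMachines/web01"

if __name__ == "__main__":
    for principal in ("aaaa-platform-team", "bbbb-prod-auditor", "cccc-dev-ops"):
        for vm in (PROD_VM, DEV_VM):
            roles = [a.role for a in covering_assignments(ASSIGNMENTS, principal, vm)]
            print(f"{principal:20} {vm.split('/')[2][:8]}... {roles}")
    for a in ASSIGNMENTS:
        reach = subscriptions_under(a.scope, [PROD_SUB, DEV_SUB])
        print(f"{a.role} at {a.scope.split('/')[-1]} reaches {len(reach)} subscription(s)")
```

The Contributor assignment at the root management group is found for the VM in both subscriptions, whereas the Reader at the production subscription and the Virtual Machine Contributor at one development resource group are each confined to their own branch. When reviewing an environment, enumerating assignments and counting the subscriptions they reach in this way is a quick way to spot the identities whose compromise would matter most.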

In the next section, we will cover an overview of some of the commonly utilized Azure services. These individual instances of services fall under the Resources category listed previously.

An overview of Azure services

As we noted earlier in this chapter, there are over 200 services available in Azure. Even though this sounds like a lot of services, they can generally be grouped into five categories, outlined as follows:

Services that are used to host applications: These services provide a runtime environment that can be used to execute application code or run container images. Services such as Azure App Service, Azure Virtual Machine (Azure VM), and Azure Kubernetes Service (AKS) fall into this category. Organizations use them to host external and internal applications.

Services that are used to store data for applications: These services are used to store different kinds of application data. Services such as Storage accounts, Azure SQL, and Cosmos DB fall into this category.

Services that are used to create applications: These services are used to create workflows that run in the cloud. Services such as Logic Apps and Function apps fall into this category.

Services that are used to enhance applications: These are typically Software-as-a-Service (SaaS)-type services in Azure that are used to provide extra capabilities to other applications. A service such as Azure Cognitive Services falls into this category. This is used by developers to add intelligence to their custom applications using pre-built and pre-trained machine learning algorithms.

Services that are used to monitor or manage applications: These are services that are used to manage or monitor other services or applications. Services such as Azure Automation, API Management, Application Insights, and Azure Monitor fall into this category. Additional security-focused services, such as Azure Sentinel and Azure Security Center, would also fall into this category. These services can also provide useful insights from a penetration-testing perspective.

As we progress through the book, we will touch on many services, but the core resources that are important to understand are outlined here.

This table outlines some of the most common Azure services that will be attacked in this book:

As you can see from the preceding information, Microsoft was very practical with the naming of Azure services. For the most part, the service names are based on what the service does. For example, the Azure service used for hosting VMs is called Virtual Machines. In contrast, the equivalent service in AWS would be Elastic Compute Cloud (EC2).

Important note

For anyone that is making the terminology transition from AWS to Azure, the following Microsoft document may be helpful for matching up any of the confusing service names: https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services.

For those more familiar with GCP, Microsoft also has some helpful documentation at https://docs.microsoft.com/en-us/azure/architecture/gcp-professional/services.

In Chapter 3, Finding Azure Services and Vulnerabilities, we will discuss how some of these services can be discovered anonymously using the Azure Domain Name System (DNS) naming structure. In the next section, we will review how access to Azure services is structured and managed using RBAC.

Understanding the Azure RBAC structure

RBAC is an authorization system used to control who has access to Azure resources, and the actions users can take against those resources. At a high level, you can think of it as granting security principals (users, groups, and applications) access to Azure resources, by assigning roles to the security principals.

For example, RBAC can be used to grant a user access to manage all VMs in a subscription, while another user is granted access to manage all storage accounts in the same subscription. That would be an odd choice for separation of duties in a subscription, but cloud environments tend to foster creative solutions for making things work.

RBAC concepts get far more complex when we start introducing the different scopes of role assignments (management groups, subscriptions, and so on), but keep the preceding description in mind as we progress.

Azure RBAC is made up of three components: security principals, role definitions, and role assignments. Let's look at each of these components in detail.
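The VM-administrator versus storage-administrator example above comes down to what each role definition lists under Actions and NotActions. The following Python is an added illustration, not code from the book or from Microsoft: the three role definitions are cut-down versions of the built-in roles of the same names, carrying only a few of their real Actions entries, and the operation names are real Azure resource-provider operations. It applies the documented matching rule (a wildcard `*` that spans `/`, case-insensitive comparison, and NotActions subtracted from the same role) and ignores scope and deny assignments.

```python
"""Added illustration (not from the book): how a role definition's Actions and
NotActions lists decide whether a control-plane operation is permitted."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)


def operation_matches(pattern: str, operation: str) -> bool:
    """Azure action patterns use '*' as a wildcard that also spans '/', and are
    compared case-insensitively; fnmatchcase on lower-cased strings does both."""
    return fnmatchcase(operation.lower(), pattern.lower())


def role_permits(role: RoleDefinition, operation: str) -> bool:
    """Effective permissions = Actions minus NotActions. NotActions only
    narrows this role; it is not a deny that overrides other roles."""
    allowed = any(operation_matches(p, operation) for p in role.actions)
    excluded = any(operation_matches(p, operation) for p in role.not_actions)
    return allowed and not excluded


def principal_permits(roles: list, operation: str) -> bool:
    """A principal holding several roles may perform an operation if any one
    of them permits it (scope and deny assignments are ignored here)."""
    return any(role_permits(r, operation) for r in roles)


# Cut-down built-in roles: a subset of each real role's Actions/NotActions.
VM_CONTRIBUTOR = RoleDefinition("Virtual Machine Contributor", [
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/availabilitySets/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
])
STORAGE_CONTRIBUTOR = RoleDefinition("Storage Account Contributor", [
    "Microsoft.Storage/storageAccounts/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
])
CONTRIBUTOR = RoleDefinition("Contributor", ["*"], not_actions=[
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
])

OPERATIONS = [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Authorization/roleAssignments/write",
]

if __name__ == "__main__":
    for role in (VM_CONTRIBUTOR, STORAGE_CONTRIBUTOR, CONTRIBUTOR):
        for op in OPERATIONS:
            print(f"{role.name:28} {op:48} {role_permits(role, op)}")
```

Running it shows the separation from the example: the VM role permits the Compute operations and nothing under Microsoft.Storage, the storage role the reverse, while Contributor permits both but not writing role assignments, because its NotActions carve Microsoft.Authorization writes out of the `*` wildcard. Checking a role's effective permissions this way, rather than trusting its name, is how to judge whether an assignment really is least-privilege.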

Security principals

A security principal is a fancy term to describe an Azure AD object that we want to assign privileges to. This could be a user account, a group, a service principal, or a managed identity. These are all different types of identities that exist in Azure AD, as shown in the following screenshot:

Figure 1.3 – Azure RBAC security principals

Important note

Do not confuse "security principal" with "service principal". Security principal is an overall term used to describe objects in Azure AD (including users, groups, and service principals). Service principal is a specific type of security principal.

While there are many facets to a security principal, keep in mind that every security principal has an object ID that uniquely identifies it in Azure AD. This object ID is typically used as a reference when assigning a role to the security principal. Next, we will cover the different types of security principals.

User accounts

A user account is a standard user identity in Azure AD. These accounts can be internal to the Azure AD tenant, or an external "guest" account. In either case, the general administration of the users will occur at the Azure AD tenant level.

Internal user accounts are user identities created in the Azure AD tenant by an administrator. Additionally, these may be user identities that are synchronized from an on-premises AD environment to Azure AD (see Figure 1.2).

The accounts are commonly addressed by their User Principal Name (UPN), which is typically an email address. For example, a user named karl in the Azure AD tenant, with a domain name of azurepentesting.com, will have a UPN of karl@azurepentesting.com.

The following screenshot shows an internal user account in the Azure portal. Most Azure AD accounts that you interact with will fall under this category:

Figure 1.4 – Screenshot of an internal user account

External user accounts are user identities from other Azure AD tenants, or Microsoft accounts (outlook.com, hotmail.com, and so on) that are invited as guest users to an Azure AD tenant. The UPN format for external user accounts is shown here:

<alias>_<HomeTenant>#EXT#@domain.suffix

For example, if a user named david, from the cloudsecnews.com AD tenant, is invited as a guest user of the globaladministratorazurepen.onmicrosoft.com Azure AD tenant, the UPN will be david_cloudsecnews.com#EXT#@globaladministratorazurepen.onmicrosoft.com (see Figure 1.5).

External accounts are typically used to grant access to vendors or third-party users that may be working on a subscription. The user accounts are not directly managed by the Azure AD tenant, so account policies (password length, multi-factor authentication (MFA), and so on) would be out of the control of the Azure AD tenant.
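The UPN format above is enough to tell internal and external accounts apart from a user list. The Python below is an added illustration, not code from the book: it parses UPNs by the `<alias>_<HomeTenant>#EXT#@domain.suffix` convention and lists the home domains of the guest accounts, which are exactly the identity providers whose password and MFA policies the tenant does not control. The karl and david UPNs repeat the book's examples; the jane_doe one is constructed to show an alias that itself contains an underscore.

```python
"""Added illustration (not from the book): classify Azure AD UPNs as internal
(member) or invited guest accounts and extract where each identity is managed."""
import re
from dataclasses import dataclass

# Guest UPN: alias and home domain joined by '_', then the '#EXT#' marker.
# DNS domains cannot contain '_', so the last '_' before '#EXT#' is the split
# point even when the alias itself contains underscores.
GUEST_UPN = re.compile(r"^(?P<alias>.+)_(?P<home>[^_#@]+)#EXT#@(?P<tenant>[^@]+)$")


@dataclass(frozen=True)
class ParsedUpn:
    upn: str
    kind: str           # "member" or "guest"
    alias: str
    home_domain: str    # domain where the identity is actually managed
    tenant_domain: str  # domain of the tenant the UPN belongs to


def parse_upn(upn: str) -> ParsedUpn:
    """Split a UPN into its parts; guests get their original home domain back."""
    m = GUEST_UPN.match(upn)
    if m:
        return ParsedUpn(upn, "guest", m["alias"], m["home"].lower(), m["tenant"].lower())
    alias, sep, domain = upn.partition("@")
    if not sep or not alias or not domain:
        raise ValueError(f"not a UPN: {upn!r}")
    return ParsedUpn(upn, "member", alias, domain.lower(), domain.lower())


def external_home_domains(upns) -> list:
    """Distinct home domains of guest accounts in the list: each one is an
    identity provider whose account policies this tenant cannot enforce."""
    return sorted({p.home_domain for p in map(parse_upn, upns) if p.kind == "guest"})


# Constructed sample user list (first two mirror the book's examples).
SAMPLE_UPNS = [
    "karl@azurepentesting.com",
    "david_cloudsecnews.com#EXT#@globaladministratorazurepen.onmicrosoft.com",
    "jane_doe_outlook.com#EXT#@globaladministratorazurepen.onmicrosoft.com",
]

if __name__ == "__main__":
    for p in map(parse_upn, SAMPLE_UPNS):
        print(f"{p.kind:6} alias={p.alias:10} home={p.home_domain:20} tenant={p.tenant_domain}")
    print("external identity providers:", external_home_domains(SAMPLE_UPNS))
```

The same split works on a full export of tenant users; the member accounts are the ones whose home and tenant domains coincide, and the guest list grouped by home domain is what you would review against the expected set of vendors and partners.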

Here is a screenshot of an external user account:

Figure 1.5 – Screenshot of an external user account

For both internal and external accounts, we will be targeting credentials for the accounts during an Azure penetration test to get access to resources in the Azure AD tenant. As we will see in later chapters, these accounts are a great place to get an initial foothold in an environment.

Service principal

A service principal is an application identity in Azure AD. You can think of it as an Azure AD object representing an application that needs access to Azure resources. This is the preferred way to grant access to an application instead of creating a dummy user account.

Service principals will be very important when we get to automation account attacks, but for now, just know that applications can be registered in Azure AD and they can also be granted permissions in the tenant. For example, you may have an automation account that runs maintenance scripts in a subscription, so you will want to have specific rights granted to the account that runs the scripts. These rights would be applied to the service principal that is created in the Azure AD tenant when the automation account is created.

Service principals can also be assigned certificates and secrets that can be used for authentication. These credentials will be important to note when we want to use the app registrations for privilege escalation, and/or persistence in the Azure AD tenant. The process of creating a service principal is called an app registration.

In the following screenshot, we can see some basic information about an app registration in our sample tenant. As an attacker, we may have situations where it makes sense to create a new service principal that would allow us to persist in an environment. If we choose a generic display name (Backup Service) for creating a backdoor service principal, we may have a better chance of going undetected for longer in the tenant:

Figure 1.6 – Screenshot of a service principal in Azure AD

Finally, service principals can have owners set within Azure AD. The owners of the service principals can control the credentials associated with the accounts, so the owners are useful targets for escalation in an environment where service principals have elevated privileges.

Managed identity

There are times that Azure services (VMs, AKS, applications, and so on) may need access to other Azure resources. The easiest way to grant this access is to enable a managed identity for the Azure service. A managed identity is an automatically created and managed service principal that is