We're just talking about red teaming Azure environments.
#Homeland#NSA#Bryce Kunz Speaker BIO
I used to work at Homeland. I worked in their security operations center and I led a bunch of their defensive work, hunting down APTs in the network and trying to get them out, for quite a few years. Then I worked at NSA, and I was doing mostly offensive work, which is really more of my passion; I've been involved in hacking and the hacking scene since I was really young. So yeah, and then I worked inside their experienced cloud business.
You guys want the slides? Happy to share those. So now I am actually the president of Stage 2 Security, so we do a lot of red teaming against AWS environments and also some Azure environments.
Right, so the way that I generally break up cloud is into three segments, regardless of the provider. You have the portal portion, which is what the customer of the cloud sees and interacts with. Then you have the control plane, which is a lot of the APIs; some of those are exposed to you as a user of the cloud and some are internal use only. Then the data is where all your data or VMs reside.
#Jenkins#dev pipeline in IaaS
Jenkins and other CI-type tools, deployment-type tools: those build your pipeline, and those are usually customized for each organization. And then lastly
#seen half a million dollars
I've personally seen half a million dollars in bills racked up, so the
#IaaS compromise example
There was a group and they got access to a company's root AWS keys, which generally you're not supposed to use because it's really hard to rotate or do anything. They basically sent a ransom, like, said "pay us money or we're going to destroy your infrastructure," and they thought they were joking. And no, they went in, and all their backups were also in AWS, so they deleted all their backups and they deleted all their VMs and destroyed the entire company; it went out of business overnight.
#Google dork#IaaS keys in pastbin/github
So I'll give you this: literally take that Google dork and search for it.
Against the pipeline: there have been a lot of talks about hacking Jenkins and other services like that.
#SaaS-IaaS macro attack
Potentially sending macros in and waiting for people to run them.
#SaaS-IaaS map of pwnage
gobuster directory and DNS brute forcing tool.
Nimbusland, to determine if an IP is AWS or Azure.
#lolruslove web spider
lolruslove web spider for AWS buckets and Azure blobs.
Developers are coding, like, .NET apps; you'll find the web.config file, and if that's integrated with Azure it will also contain either a SAS URL/URI or an access token, which you can use to access the storage.
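The web.config point above, and the earlier note about keys turning up on Pastebin and GitHub, are the same defensive problem: finding credential material that has been committed or deployed in plain text. The following is an added example, not code from the talk or from any project it mentions: a small scanner that walks a web.config (or any pasted text) and flags the credential shapes the talk names, Azure Storage account keys inside connection strings, SAS tokens (a query string carrying sv= and sig=), and AWS access key IDs. The sample config, its account key and its SAS signature are constructed placeholders; the AWS key ID is the one AWS uses in its own documentation examples.

```python
import re
import xml.etree.ElementTree as ET

# Credential shapes to look for. The Azure account key is 64 bytes of base64
# (88 characters ending in "=="); AWS access key IDs are AKIA/ASIA plus 16
# uppercase alphanumerics; a SAS token is a query string that has both a
# service version (sv=) and a signature (sig=).
PATTERNS = {
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b"),
}
SAS_SV = re.compile(r"[?&]sv=\d{4}-\d{2}-\d{2}")
SAS_SIG = re.compile(r"[?&]sig=([A-Za-z0-9%+/=]+)")

# Constructed sample web.config: placeholder values shaped like real secrets.
FAKE_ACCOUNT_KEY = "A" * 86 + "=="  # constructed, not a real storage key
SAMPLE_WEB_CONFIG = f"""<configuration>
  <appSettings>
    <add key="StorageConnection"
         value="DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey={FAKE_ACCOUNT_KEY};EndpointSuffix=core.windows.net" />
    <add key="ReportsSas"
         value="https://examplestore.blob.core.windows.net/reports?sv=2020-08-04&amp;ss=b&amp;srt=sco&amp;sp=rwdlac&amp;se=2030-01-01T00:00:00Z&amp;sig=ZmFrZXNpZ25hdHVyZQ%3D%3D" />
    <add key="LegacyS3Key" value="AKIAIOSFODNN7EXAMPLE" />
    <add key="AppTitle" value="Expense Portal" />
  </appSettings>
</configuration>
"""


def redact(secret: str) -> str:
    """Keep only a short prefix so a report never re-leaks the value it found."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_text(text: str) -> list:
    """Run every pattern over a blob of text (config value, gist, paste) and
    return one finding per hit, with the secret redacted."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append({"kind": kind, "redacted": redact(match.group(1))})
    # A signature without a version parameter is not a SAS token; require both.
    if SAS_SV.search(text):
        for match in SAS_SIG.finditer(text):
            findings.append({"kind": "azure_sas_token", "redacted": redact(match.group(1))})
    return findings


def scan_web_config(xml_text: str) -> list:
    """Walk every element of a web.config and scan each attribute value and
    text node, recording where in the file the hit was."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        label = elem.tag + (f"[key={elem.get('key')}]" if elem.get("key") else "")
        candidates = [(f"{label}@{name}", value) for name, value in elem.attrib.items()]
        if elem.text and elem.text.strip():
            candidates.append((f"{label}#text", elem.text))
        for location, value in candidates:
            for finding in scan_text(value):
                findings.append({"location": location, **finding})
    return findings


if __name__ == "__main__":
    for f in scan_web_config(SAMPLE_WEB_CONFIG):
        print(f"{f['kind']:26} {f['location']:36} {f['redacted']}")
```

The XML parser decodes the `&amp;` entities, so the SAS query string is matched in its real form; the same `scan_text` function can be pointed at a paste or a repository file without the XML wrapper. A real deployment would run this in the CI pipeline before artifacts ship, and treat any hit as a key-rotation event rather than just a finding.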
#PowerShell#Endpoint compromise stepping stone
Get access to admin or dev boxes; oftentimes they'll have set up this special PowerShell CLI which allows them to interface with the Azure control plane and the services, so a lot of times
#IaaS Blue team
I'd usually just do az account show, and that's your whoami equivalent, because a lot of times when you're pulling these creds off the box you're actually not really sure who they belong to. So this helps you out. On the flip side, maybe you want to monitor for that on the Azure side.
#Expand Access in IaaS
#Azure Capture Image
Oftentimes I'll just add an SSH key, right, because you can attach multiple SSH keys, and if they're using that to authenticate to a Linux server, then you can boot the VM back up. But in Azure land generally you have to destroy a lot of the configuration data.
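The defensive counterpart to "just add another SSH key" is a periodic audit of authorized_keys against the fingerprints the team actually issued. The block below is an added example, not code from the talk: it parses authorized_keys lines in OpenSSH's format (optional options field, key type, base64 blob, comment), computes the same SHA256 fingerprint that ssh-keygen -lf prints, and reports every key whose fingerprint is not on an approved list. The sample file and the approved list are constructed; the key blobs are syntactically valid ssh-ed25519 blobs built from a seed, not real key pairs.

```python
import base64
import binascii
import hashlib
import re

# One authorized_keys line: [options] type blob [comment]. Options may contain
# quoted strings with spaces, so the options group is matched lazily up to the
# first token that looks like a key type.
KEY_LINE = re.compile(
    r"^(?:(?P<opts>\S+(?:\s+\S+)*?)\s+)?"
    r"(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.-]+@openssh\.com)\s+"
    r"(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


def fake_ed25519_blob(seed: str) -> str:
    """Constructed test data: a wire-format ssh-ed25519 public key blob whose
    32 'key' bytes are just sha256(seed). Valid shape, not a usable key."""
    pub = hashlib.sha256(seed.encode()).digest()
    wire = b"".join([
        len(b"ssh-ed25519").to_bytes(4, "big"), b"ssh-ed25519",
        len(pub).to_bytes(4, "big"), pub,
    ])
    return base64.b64encode(wire).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Return one record per key line; comments and blank lines are skipped and
    lines that cannot be parsed are kept as error records so nothing is missed."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = KEY_LINE.match(line)
        if not match:
            entries.append({"line": lineno, "error": "unparseable"})
            continue
        try:
            fp = fingerprint(match.group("blob"))
        except (binascii.Error, ValueError):
            entries.append({"line": lineno, "error": "bad base64 blob"})
            continue
        entries.append({
            "line": lineno,
            "options": match.group("opts") or "",
            "type": match.group("type"),
            "fingerprint": fp,
            "comment": match.group("comment") or "",
        })
    return entries


def audit(text: str, approved: set) -> list:
    """Everything that is not an approved fingerprint, plus anything unparseable."""
    return [e for e in parse_authorized_keys(text)
            if "error" in e or e["fingerprint"] not in approved]


# Constructed sample: two keys the ops team issued and one nobody recognises.
APPROVED = {fingerprint(fake_ed25519_blob("alice-laptop")),
            fingerprint(fake_ed25519_blob("deploy-pipeline"))}


def sample_authorized_keys() -> str:
    return "\n".join([
        "# constructed sample file",
        f"ssh-ed25519 {fake_ed25519_blob('alice-laptop')} alice@laptop",
        f'command="/opt/deploy/run --check",from="10.0.0.0/8" ssh-ed25519 '
        f"{fake_ed25519_blob('deploy-pipeline')} deploy@pipeline",
        f"ssh-ed25519 {fake_ed25519_blob('unexpected-seed')} unexpected@constructed",
        "",
    ])


if __name__ == "__main__":
    for entry in audit(sample_authorized_keys(), APPROVED):
        print(entry)
```

Comparing fingerprints rather than whole lines means a re-added key with a different comment or options field is still recognised, and an unknown key is still flagged even if its comment claims a familiar name. The approved set would normally come from the team's key inventory rather than being built inline.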
agent will load up, which will then let you execute more commands, so you can also use those to run custom scripts; like, the command here will download a script off GitHub and then run it inside a VM.
#persistence via agents in Azure
That's probably a little crazy, like, you probably really shouldn't use it on a red team engagement, but it does work. So the agent that you have installed by default on mo
The Python debugger, to figure out how the code is working and step through it. There's another project called pyrasite which is really cool, but you do have to install some dependencies on the box; nothing crazy, but you have to have gdb working and a couple of other things. pyrasite's cool because with the Python debugger you start the process and then you step through line by line, but pyrasite will actually inject your debugger into an already existing running process.
HubbleStack implementation: how many of you, raise your hands, have heard of Salt before, or SaltStack? Yeah, so all HubbleStack is is an extension to Salt; if you already have your Salt minions deployed then you implement Hubble on top of that, and it uses that Salt infrastructure to do all these security functions on your targets. And it's designed from the ground up to send data back to a Splunk or ELK type infrastructure.
BSides Nashville 2018 Red 00 Blue Cloud of Death Red Teaming Azure Bryce Kunz
Hacking AWS, Azure and IaaS infrastructure from BSides Nashville.