

Major Contributions from BloodHound Users

Shoutouts to the following folks for making material contributions to this release:

Thank you to Hugo Vincent for his AzureHound contribution which adds app role assignment enumeration, enabling the MS Graph attack path feature. Thank you to Hugo as well for his BloodHound PR to implement this feature - we went with a different implementation for the GUI and database structure but wish to credit Hugo as a co-author for BloodHound 4.3.

Thank you to Cristian M for his AzureHound PR and BloodHound PR to bring support for attack paths traversing Automation Accounts, Logic Apps, Web Apps, and Function Apps. Cristian's PRs also add support for Storage Accounts, which we will be including in a future update. We would like to credit Cristian M as a co-author of BloodHound 4.3.

Thank you to Simon Décosse for his two contributions to this release: a BloodHound PR making AZResetPassword edges more accurate, and another BloodHound PR and corresponding SharpHoundCommon PR for introducing attack paths traversing Standalone Managed Service Accounts (SMSAs). The SMSA work didn't quite make it in time for the BloodHound 4.3 release but will be introduced in a fast follow-up. We would like to credit Simon Décosse as a co-author of BloodHound 4.3.

New Features in BloodHound 4.3

Microsoft Graph Attack Paths

MS Graph app roles are commonly used by third-party applications to perform various tasks in Azure Active Directory, such as managing user group memberships, creating service principals, and managing Azure AD admin role assignments. Despite their power, MS Graph app roles can be challenging for admins to audit effectively.

BloodHound 4.3 makes it easy to find attack paths traversing abusable MS Graph app role assignments by modeling not only the app role assignments themselves, but the relevant outcomes of those configurations as well.

For instance, if a Service Principal is granted the app role, it gains the ability to add new owners to all other Service Principals in the tenant. BloodHound 4.3 models this outcome by creating post-processed edges labeled as AZMGAddOwner, linking to every Service Principal.

[Image: BloodHound models the effective outcomes of MS Graph app role assignments]

This simplifies the process of discovering attack paths, as you no longer need to manually track each app role assignment and remember their significance.

More Attack Paths in Azure Resource Manager

Microsoft continuously adds new services to Azure Resource Manager, and we strive to keep pace by researching abuse primitives across the AzureRM landscape. BloodHound 4.3 now supports seven additional AzureRM services, including:

*Function Apps and Web Apps are technically part of the same service, but they have distinct functionalities that warrant separate modeling.

These seven services are commonly used in customer environments, and while AzureRM roles are generally easier to audit compared to AzureAD roles, we often encounter attack paths that traverse through these services as well. How do those attack paths work? I'm glad you asked! Let's talk about:

More Managed Identity Attack Paths

The seven AzureRM services mentioned above share a common feature: they all support managed identity assignments.

As a defender, I appreciate Managed Identities. They eliminate the need for compute resources to store or fetch credentials by associating a privileged identity with specific resources. However, as an attacker, I find Managed Identities even more appealing. The resource can authenticate as its associated service principal, as Azure validates the Managed Identity assignment between the two objects. The configuration and mechanics of a Managed Identity assignment provide reliable data collection and abuse primitives. With certain privileges, one can extract JSON Web Tokens (JWTs) from Azure Resources and impersonate their Managed Identity-associated service principals.

[Image: Managed Identity attack paths connect Subscription resources back up to AzureAD tenants]

Conclusion
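Bringing together the app role outcome modeling and the Managed Identity edges described above, here is an added example (not BloodHound's or AzureHound's own code) that post-processes constructed assignments into derived edges and then searches for a path from a user to a tenant-level service principal. The Application.ReadWrite.All to AZMGAddOwner mapping, the AZManagedIdentity and AZContributor edge names and the sample tenant are assumptions for the example:

```python
"""Toy version of BloodHound-style post-processing: derive graph edges from MS Graph
app role and Managed Identity assignments, then search for a path (constructed data)."""
from collections import defaultdict, deque

# Assumed mapping of app role value -> tenant-wide outcome edge. The page does not
# name the role; Application.ReadWrite.All -> AZMGAddOwner is an assumption here.
APP_ROLE_OUTCOMES = {"Application.ReadWrite.All": "AZMGAddOwner"}

def post_process(nodes, app_role_assignments, mi_assignments, explicit_edges):
    """Return adjacency {src: [(edge, dst), ...]} including derived edges."""
    graph = defaultdict(list)
    for src, edge, dst in explicit_edges:
        graph[src].append((edge, dst))
    # A resource with a Managed Identity can authenticate as its service principal.
    for resource, sp in mi_assignments:
        graph[resource].append(("AZManagedIdentity", sp))
    # An abusable app role fans out to every other service principal in the tenant.
    sps = [n for n, kind in nodes.items() if kind == "AZServicePrincipal"]
    for sp, app_role in app_role_assignments:
        edge = APP_ROLE_OUTCOMES.get(app_role)
        for target in sps:
            if edge and target != sp:
                graph[sp].append((edge, target))
    return graph

def find_path(graph, start, goal):
    """Breadth-first search; returns [(src, edge, dst), ...] or None if unreachable."""
    parent, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            path = []
            while parent[cur] is not None:
                prev, edge = parent[cur]
                path.append((prev, edge, cur))
                cur = prev
            return path[::-1]
        for edge, nxt in graph.get(cur, []):
            if nxt not in parent:
                parent[nxt] = (cur, edge)
                queue.append(nxt)
    return None

# Constructed tenant: Alice is Contributor on a Function App whose Managed Identity
# service principal holds the assumed app role.
NODES = {"alice": "AZUser", "func-app-1": "AZFunctionApp",
         "mi-sp": "AZServicePrincipal", "admin-app-sp": "AZServicePrincipal"}
GRAPH = post_process(NODES, [("mi-sp", "Application.ReadWrite.All")], [("func-app-1", "mi-sp")],
                     [("alice", "AZContributor", "func-app-1")])

if __name__ == "__main__":
    print(find_path(GRAPH, "alice", "admin-app-sp"))
```

Running it prints the three-hop path from alice through the Function App's Managed Identity to the other service principal, the kind of path that is invisible when app role assignments are audited one at a time.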
