TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Black Hills InfoSec

Reconnaissance: Azure Cloud w/ Kevin Klingbile

BHIS · 2024-10-07

ATT&CK techniques detected

20 predictions
T1110.003 Password Spraying
92%
"username lookup is going to come from a different aws ip address by using fireprox. when we get to password spraying, this gets especially interesting. and we’ll talk about that coming up. but we can enumerate with o 365 enum, this specific plugin. this command here will use cr…"
T1110.003 Password Spraying
83%
"be from the attacker’s perspective or your perspective auditing your own organization or checking, validating your own organization. there’s some quick wins with credentials. one of the utilities i really like is just 0365 recon. 0365 recon. when you import it it’s going to…"
T1525 Implant Internal Image
82%
"within azure hound that you can query from a tenant perspective, go through, pull the azure hound, start to look through what those objects are and potentially how you can elevate in that tenant graph. runner another bhis tool. so getgraph tokens will pop up and prompt for device…"
T1525 Implant Internal Image
80%
"##ed master, and graph runner for detailed recon and potential exploitation. highlights full video transcript kevin klingbile all right, i lied a little bit on the topic. i’m going to start out with that. i said azure cloud. we’ll get into the reason why i said azure cloud. m…"
T1556.006 Multi-Factor Authentication
77%
"sign ins. these user logs were also shown as obviously unprotected sign ins. so just a bit of an oddity there. so i recommend even if it says zero, click the box and check. but one of these reasons for the single factor authentication is again we find conditional access is like i…"
T1087.004 Cloud Account
76%
"how to do reconnaissance for azure. we do have questions, but we’ll get to them in some post show banter. so we’re running out of official time. so, kevin, if you could sum up everything today in one final thought, for people to take with them, what would it be? kevin klingbi…"
T1580 Cloud Infrastructure Discovery
74%
"reconnaissance: azure cloud w/ kevin klingbile reconnaissance: azure cloud w/ kevin klingbile in this video, kevin klingbile from black hills information security discusses the intricacies of azure cloud services and m365, focusing on the differences between unauthenticated a…"
T1087.004 Cloud Account
72%
"as the previous slide that i just went through. but this will give us the actual auth url portal and tell us whether they’re federated or managed. then additionally with aad internals is going to give us list of other url’s, other domains rather that we may not have been awar…"
T1528 Steal Application Access Token
72%
"and it’ll go through and check whether or not we’re valid. so the additional thing that i noticed that bo is doing with this, literally was playing with this, i think last night, was he’ll actually save the token off. so if we look at it from the perspective of find me acce…"
T1110.003 Password Spraying
71%
"lock those down. then we’re going to look at cred master from a username enumeration. there’s a lot of things we can do with cred master. we do user enumeration, we can do password spraying, we can do a few other tasks. i’m going to cover user enumeration first here, and th…"
T1556.006 Multi-Factor Authentication
68%
"as testers find an active account that’s not actively used by a user that we password spray successfully and we set up the multi factor for the user. i’m not aware of anything in azure that as an active configuration option. m, m365 i said that m365 is limited in what we can …"
T1526 Cloud Service Discovery
62%
"reconnaissance: azure cloud w/ kevin klingbile reconnaissance: azure cloud w/ kevin klingbile in this video, kevin klingbile from black hills information security discusses the intricacies of azure cloud services and m365, focusing on the differences between unauthenticated a…"
T1098.007 Additional Local or Domain Groups
59%
"? and then we go through and we dump those caps if we’re trying to be sneaky about it. and now we go through those caps and see is there any way that we can bypass this rather than going through and hitting it with a sledgehammer, with a find me access or something? obviously g…"
T1110.003 Password Spraying
56%
"different endpoint that we can password spray against azure. just yet another example. so we got creds, i don’t know if you saw it. right back here we’ve got this adele v as some domain with yet another weak password one bang. let’s go ahead and just do a quick exploitation…"
T1589.002 Email Addresses
56%
"file. now obviously we have to know the email scheme being used by the company. there are a couple ones here. so we have like john smith. so first, last, first name, last name for roughly 250,000, i think it’s 246,000 and change, usernames. and then we’ve got a couple other…"
T1110.003 Password Spraying
49%
"##min at this company. and then failure this aad sts error code azure active directory sts error code i actually have on the notes for this slide deck, the link out to all of the different various aad error codes. but in this case we see request body must contain the following pa…"
T1528 Steal Application Access Token
42%
"a device code once you authenticate with that device code again provided you have the multi factor auth or you can somehow gather a different way, then we can run gather and it’ll give us a nice webpage, with users, groups, devices. just a really great dump of that. again data …"
T1566.002 Spearphishing Link
39%
"we’re going to get to this soon. beware of false negatives. so just because you look at the mx record and you don’t see mail protection, outlook.com doesn’t mean that mail isn’t working on that tenant. whenever you sign up for a tenant and you start adding different reso…"
T1078.004 Cloud Accounts
32%
"last time i ran it, but it was probably a couple hours, to run through and test the 250,000 against a specific instance. now i didn’t cover azure recount from the standpoint of compromised credentials. obviously there’s going to be some form of compromised credentials that a…"
T1110.003 Password Spraying
30%
", we can see the user outlook emails open up one of those emails and we say please don’t tell anyone this time. here’s your password. so you’d actually get a list of multiple emails here if they had more than just one email. now teams filtration can do a lot of the other st…"

Summary

This webcast was originally published on September 26, 2024. In this video, Kevin Klingbile from Black Hills Information Security discusses the intricacies of Azure Cloud services and M365, focusing on […]

The post Reconnaissance: Azure Cloud w/ Kevin Klingbile appeared first on Black Hills Information Security, Inc.