Welcome to the Electronic Workbook (EWB)
This EWB provides the step-by-step instructions to complete the AusCERT 2024 Security in an (Unmanaged) Azure Environment - A Practical Example workshop.
Synopsis
We've all been there. A team is lured by a shiny gadget or tool that promises to - and maybe actually does! - improve business outcomes and user satisfaction while reducing cost, development time, and integration headaches, and so boldly forges ahead. So it is with the fictional organization at the heart of this workshop, where a group of developers have started building Microsoft Entra ID applications in Azure without following the organization's technical review or change control processes, and as a result have potentially introduced operational and security issues into the production environment.
In this workshop, we'll take on the role of a security architect who has been tasked with examining this unmanaged Azure environment by replicating it and probing the replica for security issues, so that we can demonstrate those issues to the over-zealous developers and bring them back into the fold.
Scenario
You are a security architect employed by Tyrell Corporation, a large multi-national organization. Tyrell Corp has embraced a multi-cloud strategy, using AWS for customer-facing marketing and ordering, tracking, and delivery services; Microsoft Entra ID for on-premises infrastructure; and M365 subscriptions for employees to access Exchange Online, OneDrive, and other collaboration tools.
Company executives embrace Microsoft products for their ease of use, and Microsoft Entra ID has been deeply integrated into the on-premises data center and remote offices. The CIO, CTO, and VP of Engineering have been pushing to take advantage of Tyrell Corp's existing Azure account and use the Microsoft Identity platform to synchronize with the existing corporate Microsoft Entra ID. Executives also want to investigate potential new applications in Azure.
For these reasons, some developers have started building test Azure Microsoft Entra ID applications. However, the developers have not followed technical review or change control policies, and as a result there has not been any oversight involving the Information Security team. The CISO has ordered a security review into some of the recent development work and operational changes within the Azure environment, and has asked for recommendations on improved detection and logging capabilities within the Azure environment.
You have been assigned the task of generating a test environment that replicates key aspects of Tyrell Corp's Microsoft Entra ID environment, exploring it for potential security issues, and reporting your findings.
So that you can perform that task -- and as a trusted Security Architect and Engineer -- you have been granted the Global Administrator role in the Microsoft Entra ID tenant of an Azure account. Global Administrator is the most privileged Entra ID role: it gives you access to every administrative feature in the tenant and, together with the account itself, the ability to create and manage a new subscription [1][2][3]. Treat it accordingly: the environment you build in this workshop is a throwaway test tenant, not production.
Labs
The workshop is broken up into a series of 'mini labs' designed to take you through key activities:
- Azure Account Setup: Creating or accessing an Azure account and creating a subscription.
- Azure Environment Setup: Creating a test environment using PurpleCloud and Terraform.
- Manual Reconnaissance: Performing manual reconnaissance on the environment to identify service principals with excessive privileges.
- Privilege Escalation: Leveraging discovered service principals to escalate to Global Administrator, to demonstrate the security weakness.
- Teardown: Tearing down the test environment using Terraform and manual clean-up.
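The reconnaissance lab looks for service principals that hold more privilege than they need, and the privilege escalation lab shows why that matters. The following script is an added example of that reconnaissance step; it is not part of the workshop, of SEC530, or of PurpleCloud. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can read directory roles and app role assignments. The role template IDs and Graph permission names are Microsoft's published values; which permissions count as "dangerous" is this example's own choice, made because each of them can be used to reach Global Administrator.

```powershell
# Added example (not from the workshop or PurpleCloud): list service principals that are
# members of privileged directory roles or that hold high-privilege Microsoft Graph
# application permissions, and note whether each one has credentials someone could use.
Connect-MgGraph -Scopes "Directory.Read.All", "Application.Read.All", "RoleManagement.Read.Directory" -NoWelcome

# Well-known directory role template IDs (the same in every tenant).
$PrivilegedRoleTemplates = @{
    "62e90394-69f5-4237-9190-012177145e10" = "Global Administrator"
    "e8611ab8-c189-46e8-94e1-60213ab1f814" = "Privileged Role Administrator"
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3" = "Application Administrator"
    "158c047a-c907-4556-b7ef-446551a6b5f7" = "Cloud Application Administrator"
}

# Graph application permissions that let an app grant itself (or another app) more access.
# This list is the example's own assumption about what "excessive" means.
$DangerousGraphPermissions = @(
    "RoleManagement.ReadWrite.Directory",  # can assign Global Administrator directly
    "AppRoleAssignment.ReadWrite.All",     # can grant any Graph app role to any SP
    "Application.ReadWrite.All",           # can add credentials to any app or SP
    "Directory.ReadWrite.All"
)

# Microsoft Graph's own service principal publishes the app-role catalogue that maps
# assignment GUIDs back to permission names such as Directory.ReadWrite.All.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$graphRoleNames = @{}
foreach ($r in $graphSp.AppRoles) { $graphRoleNames[$r.Id] = $r.Value }

function Test-HasCredentials($sp) {
    # An over-privileged SP is only a pivot if something can authenticate as it.
    return (($sp.PasswordCredentials.Count + $sp.KeyCredentials.Count) -gt 0)
}

$findings = @()

# 1. Service principals that are direct members of privileged directory roles.
#    Get-MgDirectoryRole returns only roles that have been activated in the tenant.
foreach ($role in Get-MgDirectoryRole) {
    if (-not $PrivilegedRoleTemplates.ContainsKey($role.RoleTemplateId)) { continue }
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.servicePrincipal') { continue }
        $sp = Get-MgServicePrincipal -ServicePrincipalId $m.Id
        $findings += [pscustomobject]@{
            DisplayName        = $sp.DisplayName
            ServicePrincipalId = $sp.Id
            HasCredentials     = Test-HasCredentials $sp
            Finding            = "Member of directory role: $($role.DisplayName)"
        }
    }
}

# 2. Service principals granted dangerous Graph application permissions.
foreach ($sp in Get-MgServicePrincipal -All) {
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id }
    foreach ($a in $assignments) {
        $perm = $graphRoleNames[$a.AppRoleId]
        if ($DangerousGraphPermissions -contains $perm) {
            $findings += [pscustomobject]@{
                DisplayName        = $sp.DisplayName
                ServicePrincipalId = $sp.Id
                HasCredentials     = Test-HasCredentials $sp
                Finding            = "Holds Graph application permission: $perm"
            }
        }
    }
}

$findings | Sort-Object DisplayName | Format-Table -AutoSize
```

Expect first-party Microsoft service principals to appear in the second pass; the interesting rows are tenant-created principals (the ones PurpleCloud deploys, or the developers' test apps) that combine a dangerous permission or role with HasCredentials set to True, since those are exactly the pivot points the privilege escalation lab relies on.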
Requirements
To execute the workshop steps yourself, you'll need:
- A laptop or computer that is able to access the Internet, specifically Azure cloud services.
- Either:
  - Access to an Azure account that you are willing to use to create, configure, and tear down an Azure subscription; or
  - An email address not already associated with an Azure account, and willingness to follow the EWB instructions to set up an Azure account and subscription for that email address.
Caveats, Disclaimers, and Alarums
The Ever-Changing Web
These instructions were successfully tested on 2024.05.15. That said, things are always changing on the Web. Some prompts or visual elements may be slightly different than are presented here, so you may have to make some minor adjustments on the fly. But the labs' step-by-step instructions should be sufficient to get you there!
As one specific example: While Microsoft has renamed Azure Active Directory (AAD) to Microsoft Entra ID, some tools and resources - including some that we use and reference in these labs - still reference AAD. Some of those tools and resources will be updated over time to reference Entra ID, and you may notice those changes as you work through the labs.
Browser Support
You should be able to use any standard web browser. The Step-by-Step Instructions for all the workshop's labs have been tested in Google Chrome, Microsoft Edge, and Firefox; most of the screenshots are from Chrome and Firefox.
Getting Started!
To get started, continue to the Azure Account Setup lab!
Credits
This workshop is based on a series of bonus labs from the SANS course SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise [4]. Those labs were in turn based on a SANS blog post by Jason Ostrom [5], and use Jason's PurpleCloud tool [6].
1. Microsoft. (2024, March 15). Azure roles, Azure AD roles, and classic subscription administrator roles. Microsoft Learn. Retrieved May 17, 2024 from https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles.
2. Microsoft. (2024, April 29). Azure AD built-in roles. Microsoft Learn. Retrieved May 17, 2024 from https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference.
3. Microsoft. (2024, April 29). Azure AD built-in roles: Global Administrator. Microsoft Learn. Retrieved May 17, 2024 from https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator.
4. SANS Institute. (n.d.). SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise. SANS. Retrieved May 18, 2024 from https://www.sans.org/cyber-security-courses/defensible-security-architecture-and-engineering/.
5. Ostrom, Jason. (2021, June 3). Build, Hack, and Defend Azure Identity - An Introduction to PurpleCloud Hybrid + Identity Cyber Range. SANS. Retrieved May 18, 2024 from https://www.sans.org/blog/build-hack-defend-azure-identity/.
6. Ostrom, Jason. (2024, February 18; commit ec010a6a8b0979f2b63e909b3662ce557cc57615). PurpleCloud. Retrieved May 18, 2024 from https://github.com/iknowjason/PurpleCloud.