Supported Azure services and threats

The AzureLang supported services

This section describes supported Azure services and the type of threats and attacks that are simulated during the analysis.

Supported Azure services

RBAC (IAM)

Groups, Users, Roles, Role Assignments, Management Groups, Provider Operations, Managed Identities (System Assigned and User Assigned), Service Principals (App registrations)

API Management service

Manual APIs (connected to App Services; Function App support coming), Products, Subscriptions, Developers and Admins

Application Insights

Established connections between services

App Service Apps and Functions

App Services, Function Apps, App Service Plans, Deployment Mechanism (Kudu based or FTPS), VNet integration, access restrictions (application firewall), App Level Credentials, Managed Identities

Azure Kubernetes Service

Agent (Node) Pools (and the generated VMSS), Nodes, Pods, Azure RBAC (not Kubernetes RBAC via kubectl), Networking (Firewall part), Admin Azure AD Groups, Services, Cluster Identities, ContainerRuntime, Container

Container Registry

Repositories, Artifacts (container images), Azure ACR, Docker Credentials, Access Keys, Tokens, Scope Maps, Networking (Firewall part), Managed Identities

Cosmos DB

Connection Strings, Read/ReadWrite-URLs, Managed Identities, Databases for Cassandra, MongoDB, Gremlin and SQL.

Key Vault

Certificates, Secrets, Keys, Access Policies, Networking (Firewall part)

Networking

Virtual Networks, Subnets, Bastion Subnets, Network Interfaces, Network Security Groups, VPN Gateways, Route Tables, Public IP-Addresses

Storage

Azure Database for MySQL, PostgreSQL and MariaDB, Connection Strings, Dedicated SQL Databases and Servers, Networking (Firewall part) on the respective service

Resource Group

Just IAM Operations

Service Bus

Service Buses, Topics, Queues

Storage Account

Storage Accounts, Blob Storage, Queues, Tables, File Shares, Networking (Firewall part), Access Keys, Shared Access Signatures

Subscription

Just IAM Operations

Virtual Machine

Virtual Machines, Virtual Machine Scale Sets, Remote Management (Bastion, SSH, RDP), Disks, Managed Identities

Threat library

Below is a summary of the potential threats and attacks that an attacker can use to reach high value assets in the simulations.

Initial access

The attacker will attempt to gain initial access to the Azure environment by:

  • Attempting to find reachable applications, services, databases, instances and containers by analyzing routing, network access control lists, security groups and gateways
  • Exploiting public facing applications, services, databases, instances and containers that are reachable from the internet
  • Attempting to access public facing services
  • Finding reachable applications, services and instances for client side attacks and forged responses
  • Scraping and spearphishing attempts against access keys, connection strings, app service credentials, user passwords and SSH keys
  • Intercepting Virtual MFA tokens
  • Attempting to access reachable applications and services by accessing leaked or stolen authorization codes and tokens from the identity provider

Privilege escalation

The attacker will attempt to elevate its privileges in the Azure environment by:

  • Assuming managed identities of compromised instances and services
  • Using spearphished credentials to gain access to high privileged IAM roles assigned to users, security principals and groups
  • Exfiltrating Docker passwords from the config files of instances that have logged into Container Registries with docker
  • Cracking encrypted Container Registry Docker passwords
  • Exfiltrating credentials from compromised Docker images and containers
  • Tampering with the IAM configuration to give itself additional permissions or access to high privileged roles and groups
  • Creating new principal passwords, access keys and login profiles
  • Gaining high privileged access by using the Run Command on Virtual Machine Instances

Lateral movement

The attacker will attempt to move in the Azure environment and gain additional access by:

  • Attempting to find internally reachable applications, services, databases, instances and containers by analyzing routing, network access control lists, security groups and gateways
  • Finding internally reachable applications for client side attacks
  • Attempting to access internally accessible databases and storage accounts
  • Adding firewall rules or removing network restrictions on specific services
  • Compromising source code repositories, and deploying a malicious build on applications or containers that assumes the resource's IAM role or other security principals to bypass access restrictions

Code execution

The attacker will attempt to gain persisted access or code execution by:

  • Updating the code of an existing App Service / Function App via FTP or a compromised CI/CD pipeline to inject arbitrary malicious code
  • Pushing Docker images with arbitrary malicious code to Container Registry repositories
  • Gaining code execution by modifying the Run Command script for Virtual Machine Instances

Denial of service and information disclosure

The attacker will attempt to disrupt normal operation or read sensitive data in the Azure environment by:

  • Using access to IAM users, roles and groups to perform actions that stop, terminate or delete running instances, App Services, Function Apps, AKS clusters, containers and container services
  • Using access to IAM users, roles and groups to perform actions that delete or write to storage accounts and databases
  • Using access to IAM users, roles and groups to perform actions that exfiltrate or read data in storage accounts and databases
  • Pulling Docker images from Container Registry that might contain sensitive data or credentials
  • Using access to Key Vault to encrypt storage files and databases for denial of service or extortion
  • Using access to Key Vault to decrypt and read data in encrypted storage and databases
  • Assuming IAM roles within a compromised App Service, Function App, instance or container to read from storage that trusts other Azure services
  • Downgrading SKU tiers on services to fill the monthly quota, denying access for other users
  • Modifying node pool counts in AKS clusters to limit computing resources
  • Elevating a stolen access token's scope by exploiting weak input verification on the Identity Provider
  • Exploiting applications with improper input validation to perform SQL injection on connected SQL databases