Posts

Exploring the Dark Side of Package Files and Storage Account Abuse

Hello All, In this blog, we dive into the dark side of package files and Storage Account abuse within the Azure Function App service. We explore how package files can be leveraged to enhance the functionality of Function Apps, shedding light on the potential abuse of package files. By examining the connection between the Function App and the Storage Account, we uncover how attackers can abuse the Storage Account's connection string to gain unauthorized access to the Function Apps. We will provide step-by-step insights into replacing binary files and deploying custom code, enabling attackers to take control of the Function App. The research was jointly done by Raunak and myself. What are Function Apps? Function Apps (Lambda in AWS) are serverless computing services provided by Azure Cloud. They allow developers to build and deploy small functions that can be triggered by events such as a simple HTTP request. Function Apps provide an environment for executing our code without th

A primer on DCSync attack and detection

Hello All, Active Directory is the backbone of almost all organizations. It helps the IT team manage systems, users, policies, etc. centrally across the complete network. Since it is an integral part of the organization, it opens multiple opportunities for attackers to leverage the features of Active Directory and abuse them for malicious intent. We will look at one such feature, known as Active Directory Replication, in this post. We will look at a few approaches that we can use to detect the DCSync attack and gain an understanding of the attack. The DCSync attack and its detection are already explained by Sean Metcalf & Will Schroeder in their blog posts. About Active Directory Replication Domain Controllers (DC) are the pillars of an Active Directory (AD) environment. Organizations often have multiple Domain Controllers for their Active Directory as a backup, or they have different Domain Controllers for each location so that the authentication and other policies can be

#OMIGOD - CVE-2021-38647

Hello All, In this blog post, we will explore the Unauthenticated Remote Code Execution vulnerability discovered by the WIZ team in the Azure Open Management Infrastructure (OMI) application, which was assigned the CVE ID CVE-2021-38647. The blog post published by the WIZ team contains all the details required to exploit the vulnerability if a vulnerable instance is available. While reading the blog post, we thought of reproducing the scenario and creating a quick PoC to exploit the vulnerability. We are releasing Proof of Concept (PoC) code in PowerShell & Python. The PoC code is published on the GitHub repo. About Azure Open Management Infrastructure (OMI) OMI is a UNIX/Linux application installed on Azure UNIX/Linux VMs that allows users to manage the machine & its configuration remotely & locally. It is the equivalent of Windows WMI and uses the Common Information Model (CIM). It runs with root privileges. The OMI application gets installed automatically when service

Abusing Resource-Based Constrained Delegation (RBCD) using Linux

Hello All, In this post we will discuss how to perform a Resource-Based Constrained Delegation (RBCD) attack from a Linux machine; to be specific, we will use Kali Linux as the attacker machine. RBCD attacks have already been explained in detail by Will Schroeder, Elad Shamir & Dirk-jan Mollema in their blog posts. What is Resource-Based Constrained Delegation (RBCD)? In Windows Server 2012 Microsoft introduced a new type of delegation wherein the Service Administrators or Owners of the resources are allowed to configure which accounts are trusted to delegate to them. As per the Microsoft Docs, this can also be configured across domains. This also shifts the decision of whether a server should trust the source of a delegated identity from the delegating-from domain administrator to the resource owner. Access is controlled by the security descriptor on the target resource instead of a list of SPN records. The security descriptor is stored in msDS-AllowedToActOnBehalfOf