InsomniHack & Entra Hybrid - Attack & Defence Mind Map : It's easier to attack than you think

Apr 14, 2025

This is a personal blog and all content herein is my personal opinion and not that of my employer.



Introduction

I recently had the privilege of attending the OFFENSIVE ENTRA ID AND HYBRID AD SECURITY workshop run by the brilliant Dirk-jan Mollema, author of the offensive security tools ROADtools and ROADtools_hybrid, among others.

I also had the additional privilege of attending the Insomni’Hack cybersecurity conference.

Both were hosted at the SwissTech Convention Center in Lausanne, Switzerland, on the EPFL campus (the Swiss MIT).

Stay tuned to the end of this blog where I’ll share resources I’ve created since then that will help you in defending your Entra tenant…


My Entra Hybrid History

When I first pitched this course and conference to my boss, I was asked if it would be of value as “you may know a lot of it already”.

While I’ll take the huge compliment, my response to my boss was: “as much as I know a lot about Entra - in some aspects it can be superficial. But this is going a lot deeper on attacking and therefore how to bolster our posture”.

That (and probably Dirk’s reputation) seemed to seal the deal!


Prepare for your mind to be blown, mine was!

Fast forward to March and I arrived at the workshop ready to learn alongside 20+ other eager students from a wide variety of job roles and European countries.

I had dutifully set up my laptop following the course instructions and was ready to learn and to hack!


Day 1 - The more you know, the more you don’t!

Day 1 was the most theory intensive day - though there was still some lab action later in the day.

The labs were all Capture-The-Flag (CTF) style and a lot of fun, but more on that later.

I clearly had more experience with Entra specifically than others did: as we worked through the introduction to core concepts, I was quite happy with how much I already knew. I had every suspicion it was going to get much more difficult for me soon, but it was nice not to feel out of my depth.

Dirk is also an excellent teacher and speaker, with a very approachable and laid back style.

Already, though, I was gaining some insights and in some cases relearning things I thought I knew, being schooled in how they really work!

Some examples:

  • Entra Temporary Access Pass can be used for attacker persistence and stealth as it can be used for authentication alongside the account password simultaneously (WHAT?!?!)
  • Application Administrator (and Cloud Application Administrator) can effectively be a Tier 0 privileged role in many tenants, due to over-permissioned applications and too many people holding these roles
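The first point above is one a defender can check directly: an active Temporary Access Pass is a registered authentication method on the user, so it can be enumerated. The script below is an added example written for this post, not something from the workshop or from Dirk-jan's tooling; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can read authentication method registration reports and user authentication methods.

```powershell
# Added example (not part of the original post): list every user who currently has a
# Temporary Access Pass registered, with the details that matter when judging whether
# the TAP is a legitimate onboarding aid or a lingering persistence foothold.
# Assumptions: Microsoft.Graph SDK installed; caller granted AuditLog.Read.All,
# User.Read.All and UserAuthenticationMethod.Read.All (delegated or app-only).
Connect-MgGraph -Scopes "AuditLog.Read.All","User.Read.All","UserAuthenticationMethod.Read.All"

# Stage 1: the registration details report tells us which users have a TAP at all,
# so we avoid a per-user Graph call across the whole tenant.
$usersWithTap = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.MethodsRegistered -contains 'temporaryAccessPass' }

# Stage 2: pull the TAP objects themselves for each flagged user.
$report = foreach ($entry in $usersWithTap) {
    $taps = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $entry.Id -ErrorAction SilentlyContinue
    foreach ($tap in $taps) {
        [pscustomobject]@{
            User            = $entry.UserPrincipalName
            IsAdmin         = $entry.IsAdmin
            TapId           = $tap.Id
            Created         = $tap.CreatedDateTime
            StartsAt        = $tap.StartDateTime
            LifetimeMinutes = $tap.LifetimeInMinutes
            UsableOnce      = $tap.IsUsableOnce
            Usable          = $tap.IsUsable
            UsabilityReason = $tap.MethodUsabilityReason
        }
    }
}

# Sort so the longest-lived, reusable passes on admin accounts stand out first.
$report |
    Sort-Object -Property @{Expression = 'IsAdmin'; Descending = $true},
                          @{Expression = 'UsableOnce'; Descending = $false},
                          @{Expression = 'LifetimeMinutes'; Descending = $true} |
    Format-Table -AutoSize
```

A multi-use TAP with a long lifetime on an account that also has a working password is exactly the combination the workshop highlighted, so anything in that top band of the output deserves a ticket; the Entra audit log entry that created it tells you who issued it and when.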

Without giving anything away about the labs - it’s amazing how much you can find in a typical Azure/Entra setup to allow you to escalate privilege and move laterally and without necessarily needing any offensive tools whatsoever.


Day 2/3 - Hacker Mode

As we dug deeper into offensive tools and techniques and common misconceptions/misconfigurations, we were encouraged to think more like an attacker would. Some things struck me over the course of the workshop and the subsequent conference that broke my brain in the best of ways: it literally changed how I think!

I was doing things I was aware of from security blogs etc., but I had never appreciated how easy a lot of it is to execute (though we owe a LOT to Dirk and many other security researchers for doing the hard work of discovering these attack techniques in the first place and developing tooling to assist).


Insomni’Hack

First of all, I need to call out that this is the best conference I’ve ever been to!

Most of the talks (the ones I went to, but also the majority of those on the schedule) were deeply technical offensive security talks: no marketing/sales pitches, just well-researched and well-presented talks.

Talks that I attended:

(KEYNOTE) ADVANCED ANDROID ARCHAEOLOGY: BAFFLED BY BLOATED COMPLEXITY by Mathias Payer

Talk Description: https://insomnihack.ch/talks/advanced-android-archaeology-baffled-by-bloated-complexity/



BEYOND LSASS: CUTTING-EDGE TECHNIQUES FOR UNDETECTABLE THREAT EMULATION by Priyank Nigam

Talk Description: https://insomnihack.ch/talks/beyond-lsass-cutting-edge-techniques-for-undetectable-threat-emulation/



YOU CAN’T TOUCH THIS: SECURE ENCLAVES FOR OFFENSIVE OPERATIONS by Matteo Malvica & Cedric Van Bockhaven

Talk Description: https://insomnihack.ch/talks/you-cant-touch-this-secure-enclaves-for-offensive-operations/


CODE TO CLOUD: EXPLOITING MODERN WEB APPLICATIONS TO BREACH CLOUD ENVIRONMENTS by Christophe Tafani-Dereeper

Talk Description: https://insomnihack.ch/talks/code-to-cloud-exploiting-modern-web-applications-to-breach-cloud-environments/


DOUBLE AGENT: EXPLOITING PASS-THROUGH AUTHENTICATION CREDENTIAL VALIDATION IN AZURE AD by Ilan Kalendarov & Elad Beber

Talk Description: https://insomnihack.ch/talks/double-agent-exploiting-pass-through-authentication-credential-validation-in-azure-ad/


(KEYNOTE) THE AI PARADOX: SAFETY VS PERFORMANCE by Rachid Guerraoui

Talk Description: https://insomnihack.ch/talks/the-ai-paradox-safety-vs-performance/



THE RISE OF AI-DRIVEN MALWARE: THREATS, MYTHS, AND DEFENSES by Candid Wuest

Talk Description: https://insomnihack.ch/talks/the-rise-of-ai-driven-malware-threats-myths-and-defenses/



CACHE ME IF YOU CAN: SMUGGLING PAYLOADS VIA BROWSER CACHING SYSTEMS by Aurélien Chalot

Talk Description: https://insomnihack.ch/talks/cache-me-if-you-can-smuggling-payloads-via-browser-caching-systems/



THE ART OF MALWARE SMUGGLING (UNMASKING SVG-BASED ATTACK TECHNIQUES) by Dhiraj Mishra

Talk Description: https://insomnihack.ch/talks/the-art-of-malware-smuggling-unmasking-svg-based-attack-techniques/


DON’T LET JIA TAN HAVE ALL THE FUN: HACKING INTO FEDORA AND OPENSUSE by Thomas Chauchefoin & Maxime Rinaudo

Talk Description: https://insomnihack.ch/talks/dont-let-jia-tan-have-all-the-fun-hacking-into-fedora-and-opensuse/



DATA SETS THAT CAN MAKE A DIFFERENCE: IMPROVING YOUR HUNTING AND DETECTION IN ENTRA ID AND O365 by John Stoner

Talk Description: https://insomnihack.ch/talks/data-sets-that-can-make-a-difference-improving-your-hunting-and-detection-in-entra-id-and-o365/



BEYOND THE SURFACE: EXPLORING ATTACKER PERSISTENCE STRATEGIES IN KUBERNETES by Rory McCune

Talk Description: https://insomnihack.ch/talks/beyond-the-surface-exploring-attacker-persistence-strategies-in-kubernetes/



Wrapping Up - One Last Thing

I’ve not gone into any sort of review of these talks, though I may do in future.

Many of them were perfectly timed after the course by Dirk and the rest also landed when my brain was already rewired to be more offensively minded - a perfect week of learning!

I was keen on returning to gather my thoughts and I have now done so via a new GitHub project of mine…

I bring you KuShuSec - KuShu is a portmanteau of the Japanese words for Cloud (Kuraudo) and Guardian (Shugo) and is a collection of attack and defense tools for cloud services.

The first of these is a repository called KuShu-Atama.

KuShu-Atama (Atama is the Japanese word for Mind) is a visual mind map project designed to explore hybrid strategies in cybersecurity, specifically focusing on attack and defense models. This repository includes both source mind maps and generated artifacts in PDF and PNG formats for easy review and distribution.

The first mind map is, unsurprisingly, the Entra Hybrid Attack And Defence Mind Map, which covers 7 different attacker activity types and 39 different techniques, alongside tips for attack, prevention and detection.

I hope you find it useful and that you will contribute to it if you feel the need to.


Thanks for reading. Comments welcome below.
