Lateral Movement Graph for Azure AD

Tal Maor
5 min read · Mar 23, 2020


The invisible connections of an on-premises Active Directory environment also exist in the cloud Azure Active Directory, allowing similar lateral movement techniques across users and computers in the cloud network.

The lateral movement graph aims to reveal those hidden connections and lets you investigate the attack paths that are truly available in an Azure AD environment.

To reveal those connections and map potential lateral movement paths in an Azure AD environment, use the AzureADLateralMovement data collector. The tool is intended for blue teams that hold the admin permissions needed to collect Azure AD Graph data (e.g. logon events).

To gather the information and build the graph for an on-premises directory, tools like BloodHound use on-premises network protocols that are well known from the reconnaissance phase. LDAP and SAMR are used to list users, groups, devices and local administrators, while SMB session enumeration is used to contact each machine in the environment and find which active logon sessions are present and could become targets of impersonation. In the cloud, all of those details can be collected through the Azure AD API.

In an Azure AD environment, the relevant data about Azure AD devices, users, logon sessions and even some types of local administrators can be retrieved through the Microsoft Graph API. Once the relevant data is gathered, the tool builds a lateral movement graph, revealing the classic connections between users, groups and Windows machines registered in Azure Active Directory.

The cloud environment also reveals new types of connections that we have not seen on-premises; for instance, OAuth cloud applications have their own identity (service principals) that can manipulate or impersonate other users.

On the question of whether impersonating an Azure AD user and moving laterally between Azure AD devices is possible, read the following blog: Moving laterally between Azure AD devices is possible.

How the tool works

The AzureADLateralMovement collector pulls the relevant data from the Graph API, stores it in a graph database and visualizes the graph to make it easy to query for risky lateral movement paths in an Azure AD environment.

The main page of the web tool after successful logon and consent to the application

To make this web tool end-to-end cloud based, it is built on the following resources so it can be deployed to a cloud platform:

  • Environment - Hybrid AD/AAD environment synced using pass-through authentication
  • API client - Microsoft Graph client (GraphServiceClient), a client to query Azure AD Graph
  • Identity to query - Azure OAuth application, the identity of the GraphServiceClient
  • DB - CosmosDB Graph, a place to store the content brought from the Microsoft Graph
  • UI - Graph Explorer, an open source visualizer for CosmosDB Graph
  • OOP objects - BloodHound UI and entity objects, thanks to @_wald0, @CptJesus, and @harmj0y

One of the main aspects is choosing what data is needed to build a graph that represents a real scenario of possible lateral movement paths. The list below is extracted using the Microsoft Graph API, transformed into graph objects and kept in the DB:

  • Devices - AAD joined Windows devices only, and their owner
  • Users - All AD or AAD users
  • Administrative roles and Groups - All memberships of roles and groups
  • Local Administrators - The following are local admins on AAD joined devices by default: the Global administrator role, the Device administrator role, and the user performing the Azure AD join
  • Sessions - All logins to Windows devices

The collected summary after the application has finished pulling the data

To get that data, the AzureADLateralMovement collector uses an Azure application and requests the User.Read.All, Directory.Read.All and AuditLog.Read.All permissions, which allow it to read all directory details and the directory audit logs, including logon events.

Consent to AzureADLateralMovement collector

At this point the pulled data has already been transformed into a lateral movement graph, so it can be visualized and queried with different graph visualizer clients. I chose an open source client that supports queries in Gremlin syntax.

A view of all connections available

The graph above looks like spaghetti, but once you focus on getting to Domain Admin, for instance, you get an elegant view of the classic connections between Azure AD objects.

A view of the paths available from Terry Jeffords and Gina to Global Admin Raymond Holt

There are two paths in the example above. Gina is a member of Company Administrators; this group is local admin on all AAD joined machines by default, including Desktop-RGR29LI, where Raymond Holt logged on in the last 2 hours and still has an active logon session. The other path is based on Terry being the “owner” of Desktop-RGR29LI, which suggests that Terry created this machine and has local admin rights on it.

Another example, unique to cloud lateral movement, is an OAuth application that has been granted the Directory.AccessAsUser.All permission, which allows it to change the passwords of all users in the directory. Once an application holds this permission it can use it to change other accounts' passwords and reach further devices along the path.

TESTSPN is an OAuth application that has been granted permissions to impersonate all users in the directory

The Application.ReadWrite.All permission is also interesting to look for, as it allows modification of the “keyCredentials” of other applications. With that permission, one application can add an additional set of credentials to another application, which might hold even broader permissions, such as modifying role memberships.
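As an added example (not the AzureADLateralMovement project's own code, which the post does not show), the following Python builds the same kind of graph from constructed Graph-API-like records using the edge rules described above (role membership, default local admin roles, device owner, recent sign-ins, and the Directory.AccessAsUser.All grant) and finds the shortest path to a target user. The node names, the record layout and the 24-hour session window are assumptions.

```python
from collections import deque

# Constructed sample data (not a real tenant), shaped loosely like the objects the collector
# pulls from Microsoft Graph: users, AAD-joined devices with owner, memberships, sign-ins, grants.
USERS = ["gina", "terry", "holt"]
DEVICES = [{"displayName": "DESKTOP-RGR29LI", "owner": "terry"}]
ROLE_MEMBERS = {"Global Administrator": ["gina", "holt"], "Helpdesk": ["terry"]}
SIGNINS = [{"user": "holt", "device": "DESKTOP-RGR29LI", "hoursAgo": 1},
           {"user": "terry", "device": "DESKTOP-RGR29LI", "hoursAgo": 30}]
APP_GRANTS = {"TESTSPN": ["Directory.AccessAsUser.All"]}
# Roles that are local admins on every AAD-joined device by default (per the post).
LOCAL_ADMIN_ROLES = {"Global Administrator", "Device Administrator"}
SESSION_WINDOW_HOURS = 24  # assumed: a sign-in newer than this counts as a live session


def build_graph():
    """Return an adjacency dict {node: [(neighbour, edge_label), ...]}."""
    g = {}
    def add(src, label, dst):
        g.setdefault(src, []).append((dst, label))
        g.setdefault(dst, [])
    for role, members in ROLE_MEMBERS.items():  # roles and groups alike
        for user in members:
            add(user, "MemberOf", role)
        if role in LOCAL_ADMIN_ROLES:
            for dev in DEVICES:
                add(role, "AdminTo", dev["displayName"])
    for dev in DEVICES:  # the user who joined the device owns it and is local admin on it
        add(dev["owner"], "Owns", dev["displayName"])
    for s in SIGNINS:  # a recent logon means that user can be impersonated on the device
        if s["hoursAgo"] <= SESSION_WINDOW_HOURS:
            add(s["device"], "HasSession", s["user"])
    for app, perms in APP_GRANTS.items():  # app that can reset any user's password
        if "Directory.AccessAsUser.All" in perms:
            for user in USERS:
                add(app, "CanResetPassword", user)
    return g


def shortest_path(g, src, dst):
    """BFS over the graph; returns [node, edge, node, ...] or None if unreachable."""
    queue, seen = deque([(src, [src])]), {src}
    while queue:
        node, path = queue.popleft()
        if node == dst:
            return path
        for nxt, label in g.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [label, nxt]))
    return None
```

Running `shortest_path(build_graph(), "gina", "holt")` reproduces the first path from the screenshot, and a query from "TESTSPN" shows the one-hop path an over-permissioned app gets to every user.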

I hope this web tool will help system admins, cloud operators and anyone who likes to watch and protect their Azure AD environments. As always, let me know if you find mistakes, would like to comment or ask.



Tal Maor

#MicrosoftEmployee, blogs are my own personal opinion