SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx

Purple Teaming Cloud
Identity: Simulation Labs
for Red and Blue teams
SANS Pen Test Hackfest 2022
Jason Ostrom
November 14, 2022

Hey What’s up, I’m Jason
• Builder of things @SANS Institute
• Certified Instructor @SANS, SEC588  “Cloud Penetration Testing”
• Founder, Principal @Stora Security
• Community tool author
• Family, hockey, football
New tool! Cloud “edge” bug
bounty and recon tool
github.com/iknowjason/edge

Agenda for today
• Purple Teaming
• Infrastructure as Code (IaC)
• Labs Overview
• BlueCloud & PurpleCloud
• Demo

Infrastructure as Code (IaC)
• Infrastructure as Code is the managing and provisioning of infrastructure
automated through code instead of manually.
• Configuration is code stored in a VCS (Github, Gitlab)
• Declarative, tracking desired state
• Benefits: Speed, consistency, repeatability, lower cost
• Each cloud provider has their own IaC service
• Two popular multi-cloud platform tools: Pulumi & Terraform

Terraform Overview
• Terraform is a free, universal, and popular IaC tool that can manage infrastructure
with declarative files
• Build, change, and version infrastructure in AWS, GCP, Azure
• Providers: plugins that talk to API for different cloud providers and can provision
Infrastructure, DNS, SaaS services, Kubernetes
1. terraform
CLI
2. Terraform
Provider 3. Target
API
$ terraform init
$ terraform plan
$ terraform apply
Terraform uses Hashicorp
Configuration Language
(HCL)
Terraform can also be used to auto provision resources in
Identity solutions such as Azure Active Directory!
Terraform
Registry
AWS
Azure
GCP

Pulumi Overview
• Pulumi is a free and universal IaC tool that leverages existing programming
languages to interact with cloud resources through the Pulumi SDK.
• Use Python, Go, JavaScript to to build, change, and version infrastructure in AWS, GCP, Azure
• Also uses the desired state model like Terraform
Pulumi CLI
&
Deploymen
t Engine Resource
Provider &
Plugin
Cloud
Providers
Python
Go
TypeScript
C#
Java
yaml
Pulumi SDK
AWS
Azure
GCP

Security as Code (SaC)
• Using code within a DevOps SDLC environment to help meet security
requirements.
Security Unit
Testing
within CI/CD
Security
Testing
Scripts
Security
Abuse
Stories
Security User
Stories
Security
Acceptance
Criteria for
Projects

Purple Teaming Overview (1)
• Purple Teaming: Red and Blue teams collaborating as a team to make defense
better

• Adversary Emulations run, from collaboration comes improvements:
• Adding better log sources
• Log Enrichment
• Improve Detection Engineering
• Process improvements
• Training for blue team

https://www.sans.org/blog/shifting-from-penetration-testing-to-red-team-and-
purple-team/
https://www.sans.org/blog/building-internal-red-team-go-purple-first/
https://www.sans.org/blog/purple-teaming-threat-informed-detection-
engineering/

Why Simulation Labs?
• Learning a new technology
• Detection Engineering labs for properly instrumenting logs to detect attacks
• ”Detection as Code” as an ideal state
• Training Red and Blue teams, experimenting with a specific tool or
technique against a simulated EDR endpoint or AD environment
• Purple Teaming exercises
• R&D security research
• Bug bounty
• Malware lab
• Fun!
Purple Teaming: To test and improve
people, process, and technology. In
Cyber Ranges, the focus is on training
people and improving technology. The
Detection Engineering process is running
emulations in the Simulation Lab to
improve logging and technology. These
changes eventually go into production.

Overview of Labs (2)
• DetectionLab
• https://www.detectionlab.network/
• Splunk, Velociraptor, OSQuery with Fleet, Sysmon, Logging best practices with
WEF/WEC
• Splunk Attack Range
• https://github.com/splunk/attack_range
• Splunk, Sysmon, Remote attack simulations using Ansible + Python + ART / Prelude
• Adaz
• https://github.com/christophetd/Adaz
• Azure, ELK, Multi-Host AD with Domain Join, WEF, Audit policies

GHOSTS: User Simulation Framework (1)
• A user simulation framework for complex, realistic NPC orchestration
• NPC: Non-player characters: Realism of users and their behavior running
applications on an enterprise network
• Test skills and train network defenders with real NPC players operating on
the network creating static and background noise
Image Source: https://github.com/cmu-sei/GHOSTS

GHOSTS: User Simulation Framework (2)
• Grafana Dashboards and API
• GHOSTS Windows client binary runs user behavior based on JSON files
• Created by Carnegie Mellon University Software Engineering Institute:
https://github.com/cmu-sei/GHOSTS
• GHOSTS is a great tool for enhancing any Simulation Lab with realistic,
user behavior
Image Source: https://github.com/cmu-sei/GHOSTS

GHOSTS Use Case with Simulation Labs

Lab Types by Focus Area
Detection Engineering is used to run emulations that improve logging and technology. The Labs that include multi-host AD will
better inform complete attack coverage, exploiting trust relationships between domain joined systems and authenticated
sessions.
Detection Engineering
transforms an idea of how to
detect a specific condition or
activity into a concrete
description of how to detect
it.
Credit: Florian Roth

Labs Evolution
Azure HELK
Azure
Velociraptor
BlueCloud
PurpleCloud

BlueCloud Simulation Lab
• Easily spin up a small Detection Engineering lab in AWS or Azure
• Logging server runs Velociraptor + HELK (velocihelk)
• Windows endpoint instrumented with Velociraptor agent that auto-registers
• Windows endpoint instrumented with Winlogbeat that ships Sysmon logs
using Kafka transport to HELK
• Three tools on endpoint for adversary simulation
• Atomic Red Team, Elastic Detection RTA, and APTSimulator
BlueCloud is currently single Windows
host.

PurpleCloud
A little tool to play with
Azure Identity
Azure AD lab creation
tool

PurpleCloud Simulation Lab (1)
• PurpleCloud is an open-source tool that automates creation of simulation
labs in Azure
• Site: https://www.purplecloud.network
• Author: Jason Ostrom
• Terraform code generators that create unique labs for different use
cases

PurpleCloud Simulation Lab (2)
• What it is
• “Build your own lab” style of lab creation (unstructured)
• For security researchers, Blue, Red, other security enthusiasts
• Run attack simulations and understand defenses
• Bug Bounty
• Mix and match labs to create a custom, Hybrid Identity enterprise
• User Story: used it for creating a Detection Engineering training class
• What it is not
• Guided, structured vulnerability labs

Generator Usage & Workflow
• Step 1: Run python terraform code generator
• Step 2: Initialize terraform configuration
• Step 3: Create a terraform plan
• Step 4: Apply terraform plan
• Step 5: Terraform destroy
% cd generators/adfs
% python3 adfs.py
% terraform init
% terraform plan –out=plan.run
% terraform apply plan.run
% terraform destroy

Azure AD Lab Generator
• Creates an Azure Active Directory lab filled with Azure users, groups, and
applications
• Key Features
• Randomly generate Azure AD users using faker library for simulated users
• Customizable list of Groups Added (Default: 11)
• Customizable list of Azure AD Applications and Service Principals (Default: 7)
• Users auto-assigned randomly into Groups
• Includes a vulnerable privilege escalation scenario and attack scripts
• Example Usage
% python3 azure_ad.py --upn rtcfingroup.com --count 500 --apps 3 --groups 5
First of its kind Azure AD open-source tool to auto-generate Azure AD
lab

Outputs Files in Text and CSV for other tools

Create Azure Applications and Groups: Auto-
assign users into groups
100 users are randomly placed
into 5 different Azure AD
Groups.

Service Principal Abuse Attack Scenario Created
Hat tip and credit to security researchers (Andy Robbins, Dirk-jan
Mollema) for their writeups on this issue. Original articles are included
in references section.

Adversary Behaviors
• Simulate adversary techniques mapped to the Azure Threat Research
Matrix: https://microsoft.github.io/Azure-Threat-Research-Matrix/

Detection Engineering (1)
• Start the process of Detection Engineering with Adversary Emulations
• Password Spray: Attacker rotates IP addresses using Amazon API
Gateway
Adversary runs a Password
Spray and rotates their source
IP address using Amazon API
Gateway. Note the different
location and user in each
request.

Detection Engineering (2)
• Password Spraying using Amazon API Gateway can be detected and
blocked
• Use Amazon’s published IP prefixes to parse all API Gateway prefixes
• Lookup IP address of password attempt against the list
• Instrument SIEM, WAF, or Firewall to detect a threshold of password attempts and
block
curl https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service=="API_GATEWAY") | .ip_prefix'

Sentinel Detections
• Use Azure Sentinel and KQL queries for detection improvement
• Example KQL: union SigninLogs Build KQL detections and
automate processes for
detection engineering.
Map Azure-specific TTPs
using the Azure Threat
Research Matrix.

Service Principal Privilege Abuse Primitives

Detection Engineering & Sentinel
• Example KQL
• Detect Service Principal Logins
• Detect changes to App Role Assignments
• Detect adding secrets to applications
AuditLogs
|where OperationName =="Update application – Certificates and secrets management" and
Category=="ApplicationManagement"

Active Directory with
SIEM & Velociraptor

Active Directory + SIEM Lab Generator (1)
• ad.py is a Terraform generator for an Active Directory Lab created with Azure VMs
and includes support for Velociraptor and a SIEM using Hunting ELK
• Key Features
• Create a custom IaaS Active Directory environment with Azure VMs
• Deploys a SIEM (Hunting ELK) and endpoints instrumented with
Sysmon/Winlogbeat/Velociraptor/Atomic Red Team
• Endpoints include PurpleSharp
• Downloads Azure AD Connect msi installer onto DC’s desktop
• Example Usage
% python3 ad.py --domain_controller --ad_domain rtcfingroup.com --admin RTCAdmin --password
MyPassword012345 --csv users.csv --endpoints 2 --domain_join

Active Directory + SIEM Lab Generator (2)
• Create a customizable, realistic, large AD environment
• Import users from CSV, or randomly generate users
• Random Generator creates as many users as you desire
• Automatically creates OU, AD Groups, and assigns users into OU, Groups
• Automatic Domain Join: Configurable Domain Join per VM
• Auto-logon Domain users with Domain credentials, for realistic simulations
(Interactive Type 2 Logon, Mimikatz)
• Great for practicing or learning Active Directory

Simulate an On-Premise Active Directory Lab
Create an AD Domain with 500 AD users. Create
three Windows 10 Professional endpoints, joining
them to the domain.

Users Placed into OU and AD Groups automatically

Each Windows 10 Pro Endpoint has a custom
Terraform file created (for further editing if desired)

Active Directory Created with 3 Domain Joined
500 Domain Users assigned
into different OU and AD
Groups.
Three Windows 10 Pro joined to the
domain based on Python script.

Auto Logon Domain Users with AD credentials
With this feature, you can
practice lateral movements
across domain joined systems
and extracting domain
credentials from LSASS
memory.

Passwords in AD default to Strong, but
customizable
Specify your desired password
for all users via command line
parameter.
Default behavior is to auto-
generate a strong password
and assign to all users, putting
into CSV file.

Build Hunting ELK + Velociraptor with one endpoint

PupleCloud IaaS Advantage
• Advantage of PurpleCloud:
• Practice simulations against Domain Joined workstations with users logged
in with domain user credentials
• Simulate lateral movement in AD enterprise
• Simulate extraction of domain user credentials from memory
• Windows and Sysmon logs shipped to a SIEM (HELK)
• Sysmon v14
• Customize your XML (uses SwiftOnSecurity)
• Study forensic artifacts with Velociraptor
PurpleCloud is a solid lab to learn
Active Directory

HELK: The Hunting ELK (1)
• PurpleCloud automatically builds HELK as the SIEM
• https://github.com/Cyb3rWard0g/HELK
• Endpoints ship Sysmon logs via Winlogbeat agent
• HELK hardware option #4 is built for Jupyter Notebooks + ElastAlert

HELK: The Hunting ELK (2)
• Endpoints configured with Sysmon Version 14
• SwiftOnSecurity XML configuration
• Files included in Github repository and can be customized
• winlogbeat.yml
• Sysmon.zip
• Symonconfig-export.xml
user@host ad % cd files/velocihelk
user@host velocihelk %
user@host velocihelk % ls
helk.sh.tpl
sysmonconfig-export.xml
winlogbeat.yml.tpl
user@host velocihelk %

Velociraptor Live Response
• PurpleCloud automatically install a Velociraptor Server
• Deploys Velociraptor agent on Windows systems
• https://github.com/Velocidex/velociraptor
• Endpoint visibility tool for digital forensics and live response
• Uses Velociraptor Query Language (VQL) to interrogate hosts and pull
forensic artifacts

Hybrid Identity Lab
• Advantage of PurpleCloud
• Creates an Azure AD lab + On-Premise AD lab
• Automates creation of a mixed-use Hybrid Identity lab
• Drops latest Azure AD Connect on DC’s Desktop
• Use Azure AD Connect agent to synchronize users from on-premise to Azure AD
• Saves time and effort doing manual installation
• Attack simulations against Azure AD Joined Windows 10 and Hybrid Joined
devices that are also joined to On-Premise AD
We are seeing a large growth of
companies deploying Hybrid cloud,
mixing On-Premise with Cloud systems,
& synchronizing users into the Cloud.

Microsoft Sentinel Lab Generator
• Creates a Microsoft Sentinel and log analytics workspace lab with
endpoints
• Key Features
• Endpoints install Azure Monitoring agents and send logs to Log Analytics workspace
• Endpoints install Sysmon v14
• Sentinel Data Connector for Office
• Sentinel Data Connector for AAD
• Supports full Active Directory deployment with Domain Join (same as ad.py)
• Example Usage
% python3 sentinel.py --domain_controller --ad_domain rtcfingroup.com --admin RTCAdmin --password
MyPassword012345 --csv users.csv --endpoints 2 --domain_join

• Microsoft Sentinel KQL for Windows Event Logs:
• Windows Event Logs: union SecurityEvent
• Sysmon: union Event
• Run PurpleSharp
PurpleSharp is a C# adversary
simulation tool that executes
adversary techniques. It can
be used to generate and study
Sysmon logs that are shipped
to Sentinel.
https://github.com/mvelazc0/
PurpleSharp
PurpleSharp is downloaded to all
Windows 10 systems and can be
accessed: C:toolsPurpleSharp.exe

Application Consent Phishing Lab
• Creates a multi-tenant Azure AD application that can be used for consent
phishing attack and defense
• Key Features
• Multi-tenant Azure AD application that can be used to practice app consent phishing
• Customizable Graph API permissions (Default: Mail.Read, Files.Read)
• Script parameter to specify custom application name
• Script parameter to specify redirect_uri
• Example Usage
% python3 phishing_app.py --name PhishingApp --redirect_uri https://www.evilcorp.io/get_token

• Azure Portal: Audit Logs
• Example KQL: union AuditLogs
Audit logs can trigger alarms on
user behavior for application
consent to application permissions.

Managed Identity Lab Generator
• Creates a Managed Identity lab with an Azure VM Identity automatically
created and assigned
• Key Features
• Creates one Azure Virtual Machine with a managed identity assigned
• Default user assigned identity with role of reader on the subscription
• Script parameter to change role to owner or contributor
• Randomly generates one Azure AD user with a role of Virtual Machine Contributor
• Script parameter to add a system-assigned identity to the Virtual Machine
• Creates storage account, containers, blobs, shares, and key vaults
• Example Usage
% python3 managed_identity.py -u rtcfingroup.com -n rtcfin -l eastus -a RTCAdmin -p MyPassword012345 -ua reader -sa

Acquire an Identity Access Token
An attacker with RDP
access can acquire the
Identity’s access token or
use az vm run command.
An attacker can sign
into Azure AD using
the VM’s managed
identity. Sign in logs
can track this
behavior.

• Azure Portal: Managed Identity sign-ins
• Example KQL: union AADManagedIdentitySignInLogs

Storage Lab Generator
• Creates an Azure Storage security lab
• Azure Resources Created
• Storage account
• Three storage containers with different permission levels (private, blob, container)
• Two azure shares
• Upload of fake, sensitive files to shares and containers as blobs
• Key vault with secrets, private keys, and certificates
• Example Usage
% python3 storage.py

Security Testing for Anonymous Blob Access
The Container access
level enables indexing of
files.
The simulation lab
uploads sample files.

Appending a string of
“?comp=list” to a storage
container with “container”
access level will reveal all of
the files in the target
container.

ADFS Lab Generator
• Creates an Active Directory Federation Services (ADFS) lab.
• Key Features
• Deploys an ADFS server joined to a created Domain Controller with AD Domain
• Deploys Azure Sentinel
• Deploys Azure monitoring agent on ADFS server and ADFS Audit log best practices for
shipping logs into Sentinel
• Supports self-signed ADFS certificate deployment (Default)
• Supports trusted CA certificate import using optional script parameters
• Implements ADFS Audit log best practices
• Example Usage
% python3 adfs.py --trusted_cert adfs.pfx --pfx_password password
Credit to Roberto
Rodriguez and his Azure
Simuland tool. The ADFS
Lab Generator was inspired
by Simuland.

ADFS Security Auditing logs
• Generate authentication events for success and failure
Credit to Roberto
Rodriguez for his blog on
enabling ADFS Security
Auditing.

• Example KQL
SecurityEvent
| where TimeGenerated >= ago(1d)
| where EventSourceName == ‘AD FS Auditing’

Extract Token Signing Certificate Used in ADFS
• Golden SAML
Credit to Dr. Nestori
Syynimaa, his Golden SAML
research, and his
AADInternals tool.
https://aadinternals.com

Instrument Sysmon Log Detections with KQL
• KQL: union Event

Azure AD Join Lab Generator
• Creates an Azure AD Join security lab with Azure Virtual Machines joined
to Azure Active Directory.
• Key Features
• Creates optional number of Windows 10 Endpoints and automatically joins them to
Azure Active Directory
• Deploys a system assigned Identity and optional user assigned identity on all Azure
VMs
• Creates simulated Azure AD users with role of Virtual Machine Administrator Login and
Virtual Machine User Login
• Example Usage
% python3 aadjoin.py --endpoints 1 -u rtcfingroup.com

• Azure Portal: User sign-ins (non-interactive)
• Example KQL: union AADNonInteractiveUserSignInLogs
• Connection IP addresses appear sourced from an Azure data center IP

PurpleCloud Use Cases
• PurpleCloud enables anyone to auto-create an Azure AD security lab for a variety
of use cases:
• Mapping Azure Threat Research Matrix to required security controls
• Create an Azure AD Lab mirroring customer tenant, to practice privilege escalation
• App Consent phishing campaigns + Social Engineering
• Create the lab with exact number of Azure AD users, to practice recon tooling,
username enumeration, password spraying behavior
• Blue teams to instrument Azure sign-in logs correctly + Detection Engineering +
Purple Teaming exercises
• R&D security research for new vulnerabilities or techniques
PurpleCloud can be used for Purple Teaming
exercises

Free SANS Workshop: Building an Azure AD
Pentest lab for Red Teams
• Free guided scenario vulnerability lab with playbook
• Registration URL: https://www.sans.org/webcasts/sans-workshop-building-
azure-pentest-lab-red-teams

Thank you for attending SANS Pen Test Hackfest!
• Thank you for attending my session!
• Contact Information
• Jason Ostrom
• Twitter: @securitypuck
• Email: jostrom@stora.io
• Mastodon: @securitypuck@infosec.exchange
• SANS Offensive Ops Discord: Consider joining the SANS Offensive Ops
Discord server.
• https://sansurl.com/discord
• Find us on #sec588

References
• [1] “Azure Privilege Escalation via Service Principal Abuse”
• https://bit.ly/3OUgAhN
• [2] “Azure AD privilege escalation – Taking over default application permissions as Application Admin”
• https://bit.ly/3R0jByC
• [3] “About Detection Engineering”
• https://cyb3rops.medium.com/about-detection-engineering-44d39e0755f0
• [4] “Azure Threat Research Matrix”
• https://microsoft.github.io/Azure-Threat-Research-Matrix/
• [5] “Lateral Movement With Managed Identities of Azure Virtual Machines”
• https://m365internals.com/2021/11/30/lateral-movement-with-managed-identities-of-azure-virtual-machines/
• [6] ”Azure Simuland”
• https://simulandlabs.com/README.html
• [7] “Enabling AD FS Security Auditing and Shipping Event Logs to Microsoft Sentinel”
• https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/enabling-ad-fs-security-auditing-and-shipping-event-logs-to/ba-
p/3610464

SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx

More Related Content

What's hot (20)

Similar to SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx (20)

Recently uploaded (20)

SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx

Editor's Notes