applied security research
Wesley Neelen - 05 mei 2020

Office 365 – malicious applications

This blog is part of our Office 365 attack & defense series. We also maintain a Github page where we share our Office 365 tools and queries.

Many organizations are moving (partially) to the cloud. One of the main components is Azure Active Directory (AAD). This is the cloud version of the on-premise Active Directory that many organizations are using or have been using in the past years. The adoption mostly has grown because AAD is required and automatically tied to Office365. But besides basic identity and access functionality, Azure Active Directory offers a ton of functionality. Such as this interesting feature called “app registrations”. This new feature could potentially be abused by attackers. Therefore, it is important to understand the inner workings of such attacks and implement defensive measures.

The app registration feature of Azure AD is a way to grant permissions / authenticate against an Azure Active Directory tenant using an application. Within the app registration it is possible to configure the scope of the permissions that are granted to the application.

Delegated permissions

When creating an app registration, it is possible to assign delegated permissions to access specific resources in the Azure Active Directory tenant on behalf of another user. If a user authenticates through the application, access is granted to the specified resources on behalf of the user account stored in the app registration.

These kinds of features could for example be used to access someone’s email if a victim authenticates into a malicious application. Some proof of concept applications have been published to perform this attack scenario against Microsoft Azure, such as PwnAuth. Generally, an attack follows these steps:

  1. the attacker creates a malicious multi-tenant app registration with a callback to a webserver controlled by him. The application requests access to the resources he wants to obtain (e.g. reading mail through Microsoft Graph API)
  2. the victim authenticates in the application (and ignores any messages) and is redirected to the attacker’s webserver including a newly added code value
  3. the attacker uses the code to get an authorization token
  4. the attacker uses the authorization token to query the specific resources, for example the Microsoft Graph API to read the users e-mail

Monitoring for abuse

Azure Sentinel can be used to detect a user that consents to an application. The following KQL query can be used to monitor  application consent to any application:

AuditLogs
| where OperationName == 'Consent to application'
| extend applicationDetails = parse_json(TargetResources)[0]
| extend appname = parse_json(applicationDetails)['displayName']
| extend scope = parse_json(applicationDetails)['modifiedProperties'][4]["newValue"]

Complete YML

This query can be used to detect more critical consents, with admin privileges:

AuditLogs
| where OperationName == 'Consent to application'
| extend applicationDetails = parse_json(TargetResources)[0]
| extend appname = parse_json(applicationDetails)['displayName']
| extend IsAdmin = parse_json(applicationDetails)['modifiedProperties'][0]["newValue"]
| where IsAdmin == '"True"'

Complete YML

If you want to review all consents that were granted to (external) applications in a tenant, this can be done manually through the Azure portal or through PowerShell. More information on this can be found in the Microsoft documentation here.

Reviewing all the applications manually through the Azure portal or PowerShell can be a time-consuming task. Therefor the author of PwnAuth created a script to hunt for potential malicious apps on multiple characteristics. This is a nice way to identify potentially malicious scripts and perform the further investigation manually for each application through the Azure portal or PowerShell.

Mitigation

Azure AD offers a configuration setting to disable the consent to all apps by users. Disabling this prevents a user granting access to company resources or information through applications.

If you prefer using PowerShell, the following one liner could be used to look up the current value of the setting:

Get-MsolCompanyInformation | select UsersPermissionToUserConsentToAppEnabled

The following PowerShell could be used to disable consent to applications for regular users:

Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled:$false

Application permissions

Another possibility is to assign application permissions to an app registration. These permissions can only be consented by an administrator. After those permissions have been consented, an attacker is able to access the Azure tenant through the application. This requires an attacker to have the application ID, tenant ID and application secret.

This method could be used by an attacker to keep access to an Azure tenant, for example when the admin accounts he obtained access to got locked out. By for example granting the Directory.ReadWrite.all permission to an application, he would be able to modify the directory data such as user and groups through the application. The following steps are required to perform this attack:

  1. the attacker compromised a tenant and obtained high privileges to the Azure tenant. Using the obtained access, he creates an app registration with applications permissions on the resources he wants persistence access to.
  2. the attacker grants admin consents to the application
  3. the attacker generates a certificate / client secret
  4. whenever the attacker wants to use the obtained access, he could use the certificate or client secret to perform his malicious actions.

Monitoring for abuse

The following Sentinel rule could be used to discover any application being added for further investigation:

AuditLogs
| where (OperationName == "Add application") or (OperationName == "Update application")

Complete YML

PwnAuth describes a default call path in its documentation. It is possible to hunt in sentinel for these kinds of applications being added, using the following query. This query would detect PwnAuth applications being created within the organizations tenant, using the default documentation information:

AuditLogs
| where (OperationName == "Add application") or (OperationName == "Update application")
| extend details = parse_json(TargetResources[0])
| extend properties = parse_json(details["modifiedProperties"][0])
| where properties["newValue"] contains "/oauth/api/microsoft/callback"

Complete YML

The same, earlier mentioned query, could be also used to detect whether an administrator within the tenant consents admin to an application within the tenant:

AuditLogs
| where OperationName == 'Consent to application'
| extend applicationDetails = parse_json(TargetResources)[0]
| extend appname = parse_json(applicationDetails)['displayName']
| extend IsAdmin = parse_json(applicationDetails)['modifiedProperties'][0]["newValue"]
| where IsAdmin == '"True"'

Complete YML

Mitigation

It is possible to disable the possibility to create app registrations by regular users. This prevents non-administrative users from creating apps to access resources through an app registration. It is possible to disable this settings through the Azure portal:

If you prefer using PowerShell, the following one liner could be used to look up the current value of the setting:

Get-MsolCompanyInformation | select UsersPermissionToCreateLOBAppsEnabled

The following PowerShell could be used to disable consent to applications for regular users:

Set-MsolCompanySettings -UsersPermissionToCreateLOBAppsEnabled:$false

Conclusion

Applications are a great way for attackers to obtain access to company resources. If they successfully phish a victim, they are able to obtain access to the organizations resources on their behalf. Also, applications can be used to gain persistent access in an already compromised tenant. If compromised accounts are locked out, but the malicious application is missed, it can still be used as an entry point into the tenant. Also, if registering of applications is allowed within a tenant (which is by default), a non-admin user could create a malicious app within the tenant of an organization, to phish others.

To minimize the chance of above attacks Zolder recommends:

  • If you do not require the app functionality, disable the possibility for users to consents to application
  • disable registration of apps by non-admin users
  • monitor for users consents with suspicious characteristics
  • monitor for admin consents, make sure to review every admin consents granted
Blogs

Hacking the traffic light of the future

Wesley Neelen - 06 aug 2020
Nowadays we are connecting everything we can think of to the internet. Usually to make our lives easier or more comfortable. Some of the new upcoming innovations are related to making our traffic smart with the goal to improve safety, comfort and the traffic flow. We dived into this technology to analyze the inner workings and identify potential security risks. Lees verder

Detect lateral movement with Azure Sentinel

Wesley Neelen - 01 jul 2020
Lately we have been setting up a the production network for our Zolder.App service. The network consists of multiple segments separated by a firewall. As an addition we wanted to add monitoring features into the network. If an attacker is in our network, we would like to get a notification. Lees verder

CSBN 2020

Erik Remmelzwaal - 01 jul 2020
Het jaarlijks CSBN is weer beschikbaar. Het Cybersecurity Beeld Nederland, opgemaakt door onze overheid in de hoedanigheid van de NCTV. Aan afkortingen geen gebrek. Dat maakt het gelijk ook heel taaie kost: ingewikkeld om te doorgronden. Je gaat haast denken dat het ook de bedoeling is dat we er niet teveel aandacht aan besteden. Of […] Lees verder

Detecting BEC fraud using Azure Sentinel

Rik van Duijn - 17 jun 2020
Business Email Compromise (BEC) Fraud inflicts the most damage of all types of cybercrime, according to the FBI. How to detect such attacks using Azure Sentinel? Rik shares some actual possibilities. Lees verder

Security-by-design. Zo makkelijk is dat niet

Wesley Neelen - 16 jun 2020
Wesley beschrijft de complexiteit bij het bouwen van een netwerk infrastructuur: kies je voor veiligheid of werkbaarheid? Of is er een optimale mix? Lees verder

Phishing aftercare

Rik van Duijn - 26 mei 2020
This blog is part of our Office 365 attack & defense series. We also maintain a Github page where we share our Office 365 tools and queries. We often get sent phishing emails by family and friends. Not to phish us but because we ask family and friends to forward them to us. Sometimes they […] Lees verder

Inside a phishing panel

Wesley Neelen - 20 mei 2020
Dutch and Belgium citizens are receiving phishing attacks every day. But how does that exactly work? Lees verder

DBIR 2020

Erik Remmelzwaal - 19 mei 2020
We hadden het eerder al over de moeilijkheid om een beeld te vormen van digitale dreigingen. Er is eigenlijk geen partij die hier een goed beeld van kan vormen. Maar als er 1 rapport is dat al jaren goede inzichten biedt gebaseerd op data uit heel veel gezaghebbende bronnen, dan is het DBIR. Het Verizon […] Lees verder

Wat zou er mis kunnen gaan?

Erik Remmelzwaal - 17 mei 2020
Waarom worden bedrijven slachtoffer van virussen die losgeld vragen? Of online afpersing? Of fraude met betalingen? Het antwoord: door gebrekkig leiderschap. Lees verder

Office 365 - Exchange rules

Rik van Duijn - 13 mei 2020
This blog is part of our Office 365 attack & defense series. We also maintain a Github page where we share our Office 365 tools and queries. Exchange rules can be useful in managing the emails we receive on a daily basis. For example, it allows users to automatically respond or move specific emails to […] Lees verder

Office 365 - malicious applications

Wesley Neelen - 05 mei 2020
Wesley dives into the App Registrations feature of Microsoft Azure Active Directory. Finds ways to abuse it through delegate & application permissions and shares ideas howto protect from such abuse. Lees verder

Security 4.0

Erik Remmelzwaal - 30 apr 2020
A vision of the digital future, the role of security and how it should adapt to be able to fulfill that role. Lees verder

Applied Security Research; more than just a pay-off

Rik van Duijn - 28 apr 2020
Rik beschrijft wat Applied Security Research voor hem betekent. En hoe we als Zolder die pay-off in praktijk willen brengen. Lees verder

Windows terminal profile fun

Rik van Duijn - 24 apr 2020
Rik plays around with the preview version of Windows Terminal to find manipulation options. Lees verder

Building a Zolder logo

Wesley Neelen - 22 apr 2020
Wesley writes about his most recent IoT project: building a Zolder logo with WS2812B ledstrips behind it, to give it some cool effects. Lees verder