What is the SPACE Framework? See how Doppler’s features improve your team’s wellbeing, efficiency, and secrets management posture
The post How Doppler aligns with your SPACE framework appeared first on Security Boulevard.
If I have a command and control (C2) agent on an Intune admin’s workstation, I should just be able to use their privileges to execute a script or application on an Intune-enrolled device, right?
Not so fast.
I Wanna Go Fast!We often find ourselves in the context of a cloud administrator when following attack paths to objectives that require privileged access to Azure-hosted services. We want to use their Entra ID account’s privileges to execute actions in Azure, for example running arbitrary code on remote Intune devices (a.k.a. the “Death from Above” attack path detailed by Andy Robbins), but we have some hurdles to overcome to accomplish this from a C2 agent:
Let’s look at these problems one at a time and discuss the options available to us.
No Cleartext Credentials / MFA Required
No password? No problem. We already asked the admin nicely for their creds and they didn’t bite, and their password hygiene on the host is solid, but if the device has an identity in Entra ID, we can dump primary refresh token (PRT) cookies from the machine with tools like Lee Chagolla-Christensen’s RequestAADRefreshToken, Dirk-jan Mollema’s ROADToken, Evan McBroom’s LSA Whisperer, Daniel Heinsen’s, SharpGetEntraToken, or aad_prt_bof by wotwot563. These PRT cookies will even have an MFA claim if Windows Hello for Business was used for logon, allowing us to comply with MFA requirements enforced by CAPs or the new default security policy for Azure sign-in.
Stealth
We want to only execute tools that are code-signed and legitimately used in the environment, otherwise keep tool execution within our current process or proxied into the environment from a machine we control that isn’t subject to the organization’s security stack.
We could use our shiny new PRT cookie to interact with Azure using a web browser proxied through the administrator’s workstation, but:
We could use our C2 agent to run command line tools that are likely to be already installed on cloud administrator workstations (e.g., PowerShell’s Invoke-RestMethod, Microsoft.Graph, AzureAD, or Intune modules, curl.exe, etc.) and interact with Azure APIs, but they don’t directly support BYO PRT cookies, they require multiple steps to obtain refresh and access tokens after dumping a PRT cookie (let alone execute actions with those tokens), and they may generate suspicious parent/child process relationships and command line arguments.
We could dump refresh or access tokens from the memory of applications the cloud admin has used to authenticate to Entra ID (e.g., their browser, the ConfigMgr console in co-management setups, etc.) with tools like the office_tokens BOF from TrustedSec, but we need some luck to obtain creds with the correct client ID, scope, and resource for the actions we want to take or that can be swapped for creds that meet these requirements.
Device Compliance / Hybrid-joined Device
An appropriately scoped refresh or access token would enable us to proxy in excellent open-source tools like ROADTools, AADInternals, BARK, AzureHound, TokenTactics/TokenTacticsV2, or GraphRunner, but we still may be blocked by CAPs requiring device compliance or a hybrid-joined device when exchanging refresh tokens for access tokens or by Continuous Access Evaluation when trying to use stolen access tokens. Further, we need a solid understanding of token manipulation, which at least for me was confusing and not easy to learn without a lot of help, trial and error, and training from Dirk-jan Mollema at Outsider Security.
While it’s possible to fake device compliance with AADInternals thanks to Dr. Nestori Syynimaa (@DrAzureAD) and just a few days ago, Dirk-jan Mollema posted a screenshot of a fake device he created that satisfied ten device compliance requirements, these techniques are not guaranteed to work in all organizations. Device compliance may also be determined and reported to Intune by Microsoft Configuration Manager (formerly SCCM) if the device is co-managed, complicating this attack vector further.
It’s also possible to satisfy conditional access policies requiring a hybrid-joined/registered device by joining a rogue/fake device to Entra ID or by overwriting an existing one, but these techniques require credentials to execute and don’t necessarily allow us to enroll the device in Intune to achieve device compliance.
In any case, CAPs may prevent us from proxying in the tools needed to pull off these attacks or from using them off network, and executing PowerShell directly on the admin’s workstation is risky. I’d rather just use the Intune admin’s compliant hybrid-joined device to reach my objectives.
Using the Azure Portal and Other Tools
Let’s say the problems above are all figured out or we luck out and stumble upon an access token with exactly the attributes we need and there are no CAPs preventing us from using it. We still need to figure out how to use the token to make the appropriate calls to the Microsoft Graph API to execute scripts, applications, and queries on Intune-enrolled devices, which is a complicated, multi-step process.
The SolutionThese problems kept resurfacing and none of the available options were ideal for my use case, so I decided to write Maestro to automate them away.
Maestro, an open-source tool sponsored by SpecterOps, was first released at DEF CON 2024 Demo Labs. You can find the code here. If compiling from source, make sure you use the Release build (or the copy on GitHub, if you trust me 😉) so that all of Maestro’s dependencies are merged into the standalone executable with dnMerge by Ceri Coburn (@_ethicalchaos_).
Maestro is essentially a wrapper for local PRT cookie requests and calls to the Microsoft Graph API with a lot of quality-of-life features added for red teamers. It allows you to execute apps, scripts, and device query on Intune-enrolled devices from a C2 agent on an admin’s workstation, no password or proxy required. Data can be optionally stored in a LiteDB database that Maestro will check for valid tokens when subsequent commands are executed.
Maestro takes care of acquiring all the necessary tokens and making the right HTTP requests to execute the action you’re attempting to take in the context of an Intune administrator. Specifically, Maestro mimics the way Edge obtains a nonce from Azure and a signed PRT cookie from the local TPM, then signs in to Intune with the authorization code OAuth flow and obtains an appropriately scoped access token for the requested resource from the mysterious DelegationToken endpoint.
Executing the “Death from Above” Attack PathLet’s walk through how to execute scripts, applications, and device query on Intune devices with Maestro using the Mythic C2 framework by Cody Thomas (@its_a_feature_) and the SpecterOps Apollo Mythic C2 agent for inline assembly execution.
If something goes wrong, keep in mind that you can run any Maestro command with the `-h` flag to display its full usage.
Let’s say our objective is to gain access to a code repository that only Chris Thompson has access to, and we suspect that there is credential material in their home directory, so we’d like to move laterally to their workstation.
Recon / Locating Users
First, we’ll get a list of Intune devices where cthompson is the primary user, including what users were logged on the last time the device checked in. When the -d option is set, Maestro searches the specified database file for a valid access token with the required scope, then refresh tokens, and finally PRTs before getting a nonce from Azure and fetching a PRT cookie signed by the local system’s TPM to authenticate subsequent requests.
.\Maestro.exe -d <name>.db get intune devices -f "userPrincipalName eq '<user>@<tenant>.onmicrosoft.com'" -p usersLoggedOn
Next, Maestro uses the PRT cookie to request a code and id_token from Azure, uses them to obtain a portalAuthorization blob containing a refresh token from the authorize endpoint, and uses the refresh token to obtain an access token for Intune device management from the DelegationToken endpoint.
Then Maestro uses the access token to obtain the list of Intune devices where cthompson is the primary user, including their device IDs and the IDs of users logged on.
If we execute the same command again, Maestro will reuse the access token rather than going through the entire authentication flow again.
Next, we’ll resolve the user ID bfb6a9c2-f3c8–4b9c-9d09–2924d38895f7 from the output of the previous command to a principal name, noting that it was cthompson with domain SID S-1–12–1–3216419266–1268577224–606669213–4153772243 who was logged into the Intune device with ID e537180b-6d04–427e-bf93-dbde818400eb the last time it checked in.
.\Maestro.exe -d Maestro.db get entra users -i <id> --reauth
Device Query
We’ll make sure that the user is still logged in right now using device query, which, similar to SCCM’s CMPivot feature, allows real-time read access to Intune enrolled devices. To do that, we’ll query the Windows Registry HKEY_USERS hive, which indicates that our target user’s domain SID has a session on the device right now.
.\Maestro.exe -d <name>.db exec intune device-query -i <device_id> -q 'WindowsRegistry("""HKU\*"""')
Script Execution
On another device, we’ll use PowerShell to encode a script we’d like to execute on the Intune device. We’ll just write a new file to the C drive for the purpose of this demonstration, but the world is your oyster here.
# Execute a script on the systemFinally, we’ll execute the script on the target device then periodically check whether the script has executed and whether the first line of output is available, which is all that is made available by MS Graph. This can take a REALLY long time, especially after running multiple Intune scripts in a short time, but you can use the -t 0 option if you want to wait as long as it takes to recover the script’s output.
.\Maestro.exe -d <name>.db exec intune script -i <device_id> -s <base64_encoded_script> -n <script_name> -t 0
If you don’t want to hang your C2 agent or if your access token expires before the script output is available, you can request output manually as well.
.\Maestro.exe -d <name>.db get intune script-output -i <script_id> — device <device_id>
Unfortunately, at the time of this writing, there is no FileContent device query action, so we can’t read the full contents of arbitrary files from remote devices with device query yet. You’ll have to get creative with script/application execution to accomplish that.
Application Execution
To execute an arbitrary application on an Intune device, simply point Maestro to the UNC path of the executable and either specify an Intune device ID, Entra device ID, or the ID of an existing Entra group containing the ID of the machine to execute the app on. If a device ID is specified, Maestro will automatically locate the device in both Intune and Entra and add it to a new Entra group before executing the application.
.\Maestro.exe -d <name>.db exec intune app -p <unc_path> -i <device_id>
Maestro will attempt to force the device to sync with Intune to fetch applications pending installation via its persistent notification channel, but this fails pretty often because Microsoft severely throttles the number of sync actions a device can make in a short amount of time. In this case, you can use the exec intune sync command to try again or wait until the device’s next naturally occurring check-in (every eight hours or after rebooting by default).
Maestro does not clean up the new app and Entra group automatically because of this uncertain execution window, but the commands needed to execute cleanup manually are displayed to the user.
Eventually (the only unit of time Intune supports 🥲), you should see the results of your application execution.
Using the DatabaseRight now, the best way to review the contents of the database file is by opening it in LiteDB, where you can review previously queried objects and credentials obtained from Azure.
What’s next for Maestro?Brett Hawkins at IBM X-Force Red recently wrote an excellent, very detailed blog post about detecting Intune lateral movement techniques and provided Sentinel-ready KQL queries that can be used to alert upon suspicious Intune script and application execution. There are lots of events of interest generated from this attack path that the KQL queries can be modified to support.
When creating detections, keep in mind that the attacker can control the information that Maestro and similar tools send to Microsoft Graph in HTTP requests (e.g., User Agent, time between requests, etc.). If possible, baseline your Intune admins’ legitimate activities and alert upon suspicious usage of these features. For example, if Intune apps are deleted very rarely in your organization or are typically created several days before they are assigned, those events might be indicators of compromise.
Have questions or want to collaborate on new functionality or research?Hit me up on Twitter (@_Mayyhem) or in the BloodHound Slack!
Maestro was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Maestro appeared first on Security Boulevard.
With just days to go before the U.S. election, securing our digital landscape is more critical than ever. Our latest infographic, Vote for API Security: Which States Are Leading the Charge?, provides an in-depth analysis of state-by-state API infrastructures, highlighting both strengths and vulnerabilities. Cequence analyzed the public-facing attack surface of each state in the […]
The post Leading the Way in API Security: Which U.S. States Are Setting the Standard? appeared first on Cequence Security.
The post Leading the Way in API Security: Which U.S. States Are Setting the Standard? appeared first on Security Boulevard.
UnitedHealth Group, which is still picking up the pieces after a massive ransomware attack that affected more than 100 million people, hired a new and experienced CISO to replace the previous executive who became a target of lawmakers for having no cybersecurity background.
The post UnitedHealth Hires Longtime Cybersecurity Executive as CISO appeared first on Security Boulevard.
A critical vulnerability (CVE-2024-43573) in Microsoft Windows MSHTML platform allows for spoofing attacks. Affected Platform The vulnerability identified as CVE-2024-43573 affects Microsoft Windows systems, specifically within the MSHTML platform component. MSHTML is the legacy rendering engine within Microsoft Windows that is responsible for handling and displaying HTML content across various Microsoft applications. The flaw in...
The post CVE-2024-43573 – Microsoft Windows Security Vulnerability – October 2024 appeared first on TrueFort.
The post CVE-2024-43573 – Microsoft Windows Security Vulnerability – October 2024 appeared first on Security Boulevard.
What is data discovery and classification? Let's answer that and look at how your organization can improve its data protection program.
The post Why Data Discovery and Classification are Important appeared first on Security Boulevard.
DEF CON 32 - AppSec Village - DEF CON 32 - Fine Grained Authorisation with Relationship Based Access Control
Authors/Presenters:Ben Dechrai
Our sincere appreciation to DEF CON, and the Presenters/Authors for publishing their timely DEF CON 32 erudite content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.
The post DEF CON 32 – AppSec Village – Fine Grained Authorisation with Relationship Based Access Contro appeared first on Security Boulevard.
The 14th Annual Cyber Security Summit in Minneapolis proved invaluable, gathering experts from government, law enforcement and various industries to discuss the future of cybersecurity under this year’s theme, All In for Next. Over three days, attendees engaged with thought-provoking presentations and hands-on demonstrations covering the challenges and opportunities facing the cybersecurity landscape. AI in Cybersecurity: Navigating Threats, Opportunities and ... Read More
The post Key Takeaways from the Cyber Security Summit in Minnesota: AI, Data Security and MSSP Differentiation appeared first on Nuspire.
The post Key Takeaways from the Cyber Security Summit in Minnesota: AI, Data Security and MSSP Differentiation appeared first on Security Boulevard.
Highlighting two recent cybersecurity breaches to study lateral movement Lateral movement is significant threat to all organization, from small startups to large multinational corporations. This tactic allows cybercriminals to move through a network after gaining initial access, leading to data breaches and operational disruptions. To close out Cybersecurity Awareness Month, we want to highlight the...
The post Lateral Movement in Recent Cybersecurity Breaches appeared first on TrueFort.
The post Lateral Movement in Recent Cybersecurity Breaches appeared first on Security Boulevard.
via the respected Software Engineering expertise of Mikkel Noe-Nygaard and the lauded Software Engineering / Enterprise Agile Coaching work of Luxshan Ratnaravi at Comic Agilé!
The post Comic Agilé – Mikkel Noe-Nygaard, Luxshan Ratnaravi – #311 – Come to the Office appeared first on Security Boulevard.
Single Sign-On (SSO) and Multi-Factor Authentication (MFA) - two key solutions that can both streamline access to critical systems and data for more geographically dispersed users, while minimizing the risk of unauthorized entry.
The post How SSO and MFA Improves Identity Access Management (IAM) appeared first on Security Boulevard.
Wire transfer fraud occurs when scammers convince a company to send money to a fraudulent account. While weeding out suspicious requests like this may seem rudimentary, it’s not.
The post Shedding AI Light on Bank Wire Transfer Fraud appeared first on Security Boulevard.
The 2024 cyber threat landscape highlights the growing sophistication of bots, with anti-detect browsers and automated attacks enhanced by the emergence of AI tools.
The post Terrifying Trends in the 2024 Cyber Threat Landscape appeared first on Security Boulevard.
With cybersecurity threats continuing to evolve at an accelerated pace, organizations need to ensure that their cyber insurance policies remain active at all times.
The post Safeguarding Cyber Insurance Policies With Security Awareness Training appeared first on Security Boulevard.
Paged at 3 a.m. again … we had another breach to respond to in the security operations center (SOC). While the incident response team was busy delegating roles and responsibilities, I was just starting my investigation into root cause analysis. But something was bugging me: We couldn’t figure out how the intruder had gotten in, and we probably never will. I’m about to show you why.
The post Application Detection and Response (ADR): A Game-changing SOC Analyst Tool | Contrast Security appeared first on Security Boulevard.
The AI revolution in digital identity brings unprecedented security but at what cost? As AI systems become more sophisticated in protecting our digital lives, they require increasingly intimate access to our personal data, creating a critical trade-off between security and privacy.
The post The AI Paradox in Digital Identity: Why More Security Might Mean Less Privacy (And What to Do About It) appeared first on Security Boulevard.
Popular JavaScript library and npm package Lottie Player was compromised in a supply chain attack with threat actors releasing three new versions of the component yesterday, all in a span of a few hours. Understand what this threat means for your business and what you need to do.
The post Lottie Player compromised in supply chain attack — all you need to know appeared first on Security Boulevard.
Automate criminal identity investigations and unmask threat actors with AI-powered link discovery for faster, deeper insights. Constella Intelligence today announced the launch of Hunter Copilot, a transformative new AI assistant feature within its acclaimed deep OSINT investigations platform, Hunter. This innovative tool sets a new standard for efficiency and effectiveness in threat actor attribution. As …
The post Constella Intelligence Launches HunterTM Copilot AI Assistant for Dark Web Investigations appeared first on Security Boulevard.
There have been a wealth of reports lately articulating the poor state of identity risk....
The post A Wave of Identity Security Reports Defines a Big Problem appeared first on Axiad.
The post A Wave of Identity Security Reports Defines a Big Problem appeared first on Security Boulevard.
As organizations increasingly rely on open source software, associated security risks grow, demanding more robust and proactive risk management.
The post The evolution of open source risk: Persistent challenges in software security appeared first on Security Boulevard.
