Blog Post

Microsoft Defender for Cloud Blog

Automation to block compromised identity detected by Microsoft Defender for Resource Manager

giulioastori (Microsoft)
Mar 28, 2022

In the current cloud computing era, identity has become the new security perimeter, and adversaries have developed several new tactics and techniques to exploit user identities and eventually compromise them. Once an account is compromised, whether through its password or through its authentication token, it can be used for many further malicious activities that allow the intruder to escalate privileges, move laterally, and so on.

Open-source tools such as MicroBurst or PowerZure, developed for research purposes, are also used maliciously simply by weaponizing them. These tools allow a malicious actor to assess and exploit resources within Microsoft cloud platforms by leveraging a compromised Azure Active Directory account and/or its token.

Azure Resource Manager (ARM) is the deployment and management service for Azure. It provides the management layer that enables you to create, update, and delete resources in your Azure account. It can be used via the Azure Portal, via the REST API, or through PowerShell, the Azure CLI and the SDKs. Read more about Azure Resource Manager here.

This management layer is crucial; therefore, it is important to protect it. Microsoft Defender for Resource Manager protects against potential attacks, including the use of exploitation tools like MicroBurst or PowerZure, which leverage compromised accounts and their tokens to authenticate and exploit the environment for privilege escalation, lateral movement, persistence, and more. Read more about Microsoft Defender for Resource Manager here.

The authentication bearer token is an access token containing claims that Azure Active Directory uses to identify the permissions granted to your API. Once an attack is detected by Defender for Resource Manager, if an Azure Active Directory (Azure AD) account was used, you need to act promptly and mitigate the compromised account. Of course, you can do this manually, but an automated response ensures that the proper mitigation is actually applied. Here you can find the documentation on how to obtain Azure AD tokens.

If an account is compromised, you would temporarily disable the account, revoke all of its associated authentication tokens, and reset the password. To automate this process, you can use the Azure Logic App we have developed, which disables the account, revokes all of its active tokens, and notifies the account's manager if one exists, or otherwise a designated email address.

You can deploy the Azure Logic App in your subscription and use it with the Defender for Cloud Workflow Automation, configured for alerts generated by Defender for Resource Manager.

The following is the diagram of the Logic App automation flow:

The first step is a trigger that connects to Microsoft Defender for Cloud and retrieves the alert together with all of its related objects and metadata.

If an account is attached to the alert as a related entity, the user is immediately disabled and all of its tokens are revoked, so the account cannot be used further during the attack, even if a token was used instead of its username and password.

Once the account is disabled, a notification email is drafted and sent to the account's manager, if one exists. If the account has no manager registered in its properties, the notification is sent instead to an alternative email address configured when the Logic App is deployed. This address can be changed afterwards by editing the Logic App.
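The decision logic of this flow (pick the account entity out of the alert, disable the user, revoke its tokens, notify the manager or fall back to the configured address), written out as an added Python example; it is not the blog's Logic App. It assumes Microsoft Graph as the directory API, calls it through an offline stand-in class so it runs without a tenant, and uses constructed alert data and a placeholder fallback address.

```python
from dataclasses import dataclass, field

FALLBACK_EMAIL = "secops@example.invalid"  # placeholder for the address set at deployment

@dataclass
class FakeGraph:
    """Offline stand-in for Microsoft Graph so the example runs without a tenant.
    Real calls: PATCH /users/{id} {"accountEnabled": false},
    POST /users/{id}/revokeSignInSessions, GET /users/{id}/manager."""
    users: dict
    managers: dict = field(default_factory=dict)
    revoked: list = field(default_factory=list)

    def disable_user(self, uid):
        self.users[uid]["accountEnabled"] = False  # blocks new password sign-ins

    def revoke_sign_in_sessions(self, uid):
        # Invalidates refresh tokens and session cookies. Access tokens already
        # issued stay valid until expiry, which is why both steps are needed.
        self.revoked.append(uid)

    def get_manager(self, uid):
        return self.managers.get(uid)  # None when no manager is registered

def account_entities(alert):
    """Related objects live under properties.entities; only 'account' entities
    that carry an aadUserId identify an Azure AD user we can act on."""
    return [e for e in alert["properties"]["entities"]
            if e.get("type", "").lower() == "account" and e.get("aadUserId")]

def respond(alert, graph, fallback=FALLBACK_EMAIL):
    """Disable each related account, revoke its tokens, and pick who to notify."""
    actions = []
    for ent in account_entities(alert):
        uid = ent["aadUserId"]
        graph.disable_user(uid)
        graph.revoke_sign_in_sessions(uid)
        manager = graph.get_manager(uid)
        actions.append({"user": uid, "notify": manager["mail"] if manager else fallback})
    return actions

# Constructed sample alert; entity field names follow the Defender for Cloud alert
# schema (type, name, upnSuffix, aadUserId), the values are made up.
SAMPLE_ALERT = {"properties": {"entities": [
    {"type": "account", "name": "jdoe", "upnSuffix": "contoso.example", "aadUserId": "u-1"},
    {"type": "ip", "address": "203.0.113.7"}]}}

def demo():
    """Run the response against a user with no manager: the fallback address is used."""
    graph = FakeGraph(users={"u-1": {"accountEnabled": True}})
    return respond(SAMPLE_ALERT, graph), graph
```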

Here is a snapshot of the notification email:

To import and deploy the Logic App, use the link to the GitHub repo at the end of this blog post.

The Logic App creates and uses a system-assigned managed identity (MSI) to authenticate and authorize against management.azure.com (or management.usgovcloudapi.net in Azure Government) to obtain the PrincipalIDs assigned to the Azure resource. The MSI is also used to authenticate and authorize against graph.windows.net to obtain the RBAC objects by PrincipalID.

Once deployed you will need to apply the following additional configuration manually:

1. Grant the Logic App's managed identity the Microsoft Graph application permissions it uses (User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All) by running the following PowerShell with the AzureAD module:

# Sign in to Azure AD with an account permitted to grant application permissions
Connect-AzureAD

# Object ID of the Logic App's system-assigned managed identity
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

# Well-known application ID of Microsoft Graph, and the app-only permissions to grant
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$PermissionNames = @("User.Read.All", "User.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All")

$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

foreach ($PermissionName in $PermissionNames) {
    # Resolve the application-type app role that matches the permission name
    $AppRole = $GraphServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }

    # Assign that role to the managed identity's service principal
    New-AzureADServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
        -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}

2. Open the playbook in the Logic App Designer and authorize the Azure AD and Office 365 Outlook Logic App connections.

 

To use the Logic App with the Defender for Cloud Workflow Automation, follow the documentation here.

This Logic App, as well as many others, can be found here:

Direct Link to GitHub sample

Microsoft Defender for Cloud GitHub Repo

When an account is compromised, time is of the essence: you must act quickly to remediate the breach. This automated workflow lets you act almost immediately, secure the account, and stop the attack.

Special thanks to:

  • Safeena Begum Lepakshi (Senior Program Manager, Microsoft Defender for Cloud) for helping with the Logic App and for reviewing this post
  • Tal Rosler (Senior Program Manager, Microsoft Defender for Cloud) for envisioning the automation

Updated Mar 28, 2022
Version 1.0