Post-compromise recon

Once you have landed yourself a shell or some credentials, you need to ask yourself a few questions.

  • Who do we have access as?
  • What roles do we have?
  • Is MFA enabled?
  • What can we access?
  • Who are the admins, and how are we going to escalate to one?
  • Are there any security protections in place?

On-prem infrastructure

Active Directory

BloodHound
PowerView
RSAT

Cloud infrastructure

AWS

  • Use the recon_all module of WeirdAAL to gather a lot of info about our current permissions.
  • Use Pacu's recon modules.

Tools: WeirdAAL, Pacu

GCP

You can use ScoutSuite; it is normally used to audit different cloud providers. ScoutSuite accepts Google JSON tokens to authenticate as a service account.

Azure

Like on-prem AD, Azure AD users (normally) have access to a bunch of directory info. This can be locked down, however.
An authenticated user can go to portal.azure.com and click on 'Azure Active Directory'. The O365 GAL has info like this as well.

If the portal is locked down, PowerShell cmdlets can be used to view the same information. Reading other users' directory info can be disabled org-wide with Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $False

Types of CLI access

  • Azure Service Management (ASM) or Azure 'Classic'
    • Legacy, not recommended.
  • Azure Resource Manager (ARM)
    • Added service principals, resource groups, etc.
    • Management certs are not supported as auth.
  • PowerShell modules
    • Az, AzureAD and MSOnline
  • Azure cross-platform CLI tools (Linux and Windows clients)

Subscriptions

Orgs can have multiple subscriptions. A good first step is to determine which subscription you are in; the name is usually informative, such as Prod or Dev. One Azure AD tenant can have multiple subscriptions, and each subscription can have multiple resource groups.

Azure overview 01

Built-in subscription roles

  • Owner (full control over the resource)
  • Contributor (all rights except the ability to change permissions)
  • Reader (can only read attributes)
  • User Access Administrator (manage user access to Azure resources)

Azure overview 02

Gather company information

Get-MsolCompanyInformation

Get current subscription and context

Get-AzSubscription
Get-AzContext

Gather user information

Get the user's role assignments

Get-AzRoleAssignment

Remember, if the Azure AD portal is locked down, users may still be able to access the same information using MSOnline cmdlets.

Get-MsolUser -All
Get-MsolGroup -All
Get-MsolGroupMember -GroupObjectId <GUID>
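The role-assignment and MSOnline cmdlets above are one-liners; what a practitioner usually wants next is the review that turns their output into findings. The following script is an added example (not from the original notes) that lists every Owner, Contributor and User Access Administrator assignment in the current subscription, classifies its scope, and highlights the two cases most worth a ticket: subscription-wide Owner or User Access Administrator held by an individual user rather than a group, and service principals holding Owner. It also reports whether the tenant still lets every user read other users' directory data. It assumes the Az module is loaded and Connect-AzAccount has already been run; the MSOnline check is skipped if that module is not installed. The role names are Azure's built-in ones; the `$privilegedRoles` list and the finding thresholds are this example's own choices.

```powershell
# Added example (not part of the original notes): review privileged role assignments
# in the current subscription. Assumes Az is loaded and Connect-AzAccount has been run.
$ctx = Get-AzContext
if (-not $ctx) { throw "No Azure context. Run Connect-AzAccount first." }

$subScope = "/subscriptions/$($ctx.Subscription.Id)"
Write-Host "Reviewing subscription '$($ctx.Subscription.Name)' as $($ctx.Account.Id)"

# Built-in roles that can change data, permissions, or both (choice made for this example)
$privilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

# Without -Scope the cmdlet returns assignments at every scope inside the subscription
$report = Get-AzRoleAssignment |
    Where-Object { $privilegedRoles -contains $_.RoleDefinitionName } |
    Select-Object `
        @{ n = 'Principal'; e = { if ($_.SignInName) { $_.SignInName } else { $_.DisplayName } } },
        ObjectType,
        RoleDefinitionName,
        @{ n = 'ScopeLevel'; e = {
            if ($_.Scope -eq $subScope)                         { 'Subscription' }
            elseif ($_.Scope -match '/resourceGroups/[^/]+$')   { 'ResourceGroup' }
            elseif ($_.Scope -match '^/subscriptions/')         { 'Resource' }
            else                                                { 'ManagementGroup/Other' } } },
        Scope

$report | Sort-Object RoleDefinitionName, ScopeLevel, Principal | Format-Table -AutoSize

# Finding 1: subscription-wide Owner / UAA assigned directly to a user instead of a group
$directUserAdmins = $report | Where-Object {
    $_.ScopeLevel -eq 'Subscription' -and $_.ObjectType -eq 'User' -and
    $_.RoleDefinitionName -in @('Owner', 'User Access Administrator') }

# Finding 2: any service principal holding Owner (a leaked app secret would equal full control)
$spOwners = $report | Where-Object {
    $_.ObjectType -eq 'ServicePrincipal' -and $_.RoleDefinitionName -eq 'Owner' }

Write-Host "`nPrivileged assignments total: $(@($report).Count)"
Write-Host "Users with direct subscription-wide Owner/UAA: $(@($directUserAdmins).Count)"
$directUserAdmins | ForEach-Object { Write-Host "  - $($_.Principal) [$($_.RoleDefinitionName)]" }
Write-Host "Service principals with Owner: $(@($spOwners).Count)"
$spOwners | ForEach-Object { Write-Host "  - $($_.Principal) at $($_.Scope)" }

# Finding 3: can every signed-in user still enumerate the directory? (needs MSOnline + Connect-MsolService)
if (Get-Command Get-MsolCompanyInformation -ErrorAction SilentlyContinue) {
    try {
        $company = Get-MsolCompanyInformation -ErrorAction Stop
        Write-Host "Users may read other users' directory info: $($company.UsersPermissionToReadOtherUsersEnabled)"
    } catch {
        Write-Warning "MSOnline check skipped: $($_.Exception.Message)"
    }
} else {
    Write-Host "MSOnline module not present; directory-read setting not checked."
}
```

The scope classification relies on the shape of ARM resource IDs (`/subscriptions/<id>` for the subscription itself, `.../resourceGroups/<name>` for a group, anything deeper for a single resource); assignments inherited from a management group fall into the last bucket and should be reviewed at that level.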
Gather resource group information

  • Resource groups collect various services for easier management.
  • Recon can help identify the relationships between services, such as Web Apps and SQL.

Get-AzResource
Get-AzResourceGroup
Azure Runbooks

  • Azure runbooks automate various tasks in Azure.
  • They require an Automation Account and can contain sensitive information like passwords.

List automation accounts and runbooks

Get-AzAutomationAccount
Get-AzAutomationRunbook -AutomationAccountName <AccountName> -ResourceGroupName <ResourceGroupName>

Export runbooks

Export-AzAutomationRunbook -AutomationAccountName <AccountName> -ResourceGroupName <ResourceGroupName> -Name <RunbookName> -OutputFolder <OutputFolder>
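Since the notes point out that runbooks can carry passwords, the useful defender-side follow-up is to find those secrets before anyone else does. The script below is an added example (not from the original notes) that chains the three cmdlets above across every automation account the current context can see, exports each runbook into a fresh timestamped folder, and then scans the exported source for the patterns that usually mean a credential was embedded in code instead of being pulled from an Automation credential/variable asset or Key Vault at run time. It assumes the Az.Automation cmdlets are loaded and Connect-AzAccount has been run; the regex list is this example's own and will have false positives, so treat each hit as a review item rather than a verdict.

```powershell
# Added example (not part of the original notes): export all runbooks and flag likely
# hardcoded secrets for remediation. Assumes Az.Automation is loaded and you are signed in.
$outRoot = Join-Path $env:TEMP ("runbook-review-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $outRoot | Out-Null

$exported = 0
foreach ($acct in Get-AzAutomationAccount) {
    $runbooks = Get-AzAutomationRunbook `
        -AutomationAccountName $acct.AutomationAccountName `
        -ResourceGroupName $acct.ResourceGroupName

    foreach ($rb in $runbooks) {
        # One folder per resource group / account so the path tells you where the hit lives
        $dest = Join-Path $outRoot (Join-Path $acct.ResourceGroupName $acct.AutomationAccountName)
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        try {
            Export-AzAutomationRunbook `
                -AutomationAccountName $acct.AutomationAccountName `
                -ResourceGroupName $acct.ResourceGroupName `
                -Name $rb.Name -OutputFolder $dest -ErrorAction Stop | Out-Null
            $exported++
        } catch {
            # Draft-only or graphical runbooks may not export cleanly; note and move on
            Write-Warning "Could not export '$($rb.Name)' from $($acct.AutomationAccountName): $($_.Exception.Message)"
        }
    }
}
Write-Host "Exported $exported runbook(s) to $outRoot"

# Patterns chosen for this example: plaintext-to-SecureString conversions, literal password
# or secret assignments, inline -Password arguments, and storage connection-string keys.
$patterns = @(
    'ConvertTo-SecureString\s+[''"][^''"]+[''"]\s+-AsPlainText',
    '(?i)\$?(password|passwd|pwd|secret|apikey|api_key|clientsecret)\s*=\s*[''"][^''"]{4,}[''"]',
    '(?i)-Password\s+[''"][^''"]+[''"]',
    '(?i)AccountKey=[^;''"\s]+'
)

$hits = Get-ChildItem -Path $outRoot -Recurse -File | Select-String -Pattern $patterns

if (-not $hits) {
    Write-Host "No hardcoded-secret patterns found."
} else {
    Write-Host "`nPossible embedded secrets ($(@($hits).Count) hit(s)); remediate by moving them to"
    Write-Host "Get-AutomationPSCredential / Get-AutomationVariable assets or Key Vault references:"
    $hits | Select-Object @{ n = 'Runbook'; e = { $_.Path.Substring($outRoot.Length + 1) } },
                          LineNumber,
                          @{ n = 'Excerpt'; e = { $_.Line.Trim() } } |
        Format-Table -AutoSize -Wrap
}
```

Keep the export folder under the same handling you would give the runbooks themselves (it now holds whatever secrets they contained), and delete it once the findings are ticketed; the scan output is the deliverable, not the copied source.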

Tools: