The ROAD to Azure AD exploration for Red and Blue

While many organizations have a presence in the cloud through Office 365 and Azure, tooling and research into Azure AD privileges and security issues is still limited. In this talk I will present the next step in my mission to change this: a toolkit and framework for analyzing Azure AD environments. The ROADtools framework consists of several components that enumerate and gather all resources in Azure AD, using both documented and undocumented APIs. Most of these are available to any authenticated user. The framework saves the gathered data to an offline database for later use, which is then queried and converted into human-readable output. Examples of this are a BloodHound-like graph view of groups, users and permissions, and a web-based overview of all users and their properties. Apart from explaining the framework itself, the talk will also highlight several Azure AD vulnerabilities that were identified during its development.

After my talk at TROOPERS 19 last year, where we explored the link between Azure AD and on-premises Active Directory, this year will focus on assessing Azure AD and Office 365 environments, as well as extracting data from this environment as any privileged user. The latter is especially useful during the recon phase of an engagement, because, as in Active Directory, any user can query information about Azure AD. The framework and tooling that I've developed for this is called ROADtools, which uses documented and undocumented APIs in Azure AD. The reason for a custom framework (rather than using the already available PowerShell/.NET modules) is that these often don't support all API operations or don't support all forms of authentication. After enumerating and storing all Azure AD objects in a local database, several tools exist to use this information and transform it into human-readable reports. Examples are HTML files similar to ldapdomaindump and a graph view that can map all the users, groups and permissions (similar to BloodHound). The local database is easily accessible, lowering the bar for custom tools that people may want to develop for their own scenarios.

In the talk I will discuss the design decisions, challenges and results of building this framework, and show several examples of its output and how it can be used by either Blue or Red teams to analyze an environment. I will also show several vulnerabilities that were identified in Azure AD while developing this framework. The ROADtools framework and the accompanying tools will be released as free open-source tools after the talk.

About the Speaker