Hi, folks, this is the Windows Server Summit. I'm Eric Woodruff, and this session is Mind the Management Plane: attacking Active Directory from the management plane. As I mentioned, Eric Woodruff, I'm currently a Product Technical Specialist at Semperis. I'm also a Microsoft MVP in the security category. But we're not here to talk about me today. I have all my social media handles here. This session is pre-recorded, so if you have any questions or comments as you're watching, feel free to drop them in the chat and I'll be available to respond. But afterwards, if you want to reach out for any reason, feel free to connect with me: Eric on Identity. My name's Eric, I work in identity, pretty simple to remember that. So for today's agenda, we're going to set the stage with the background, talk about tier zero a little bit and the enterprise access model, and see how these things relate to these attacks, right? And as far as the attack methods go, we have two that we're going to be exploring today within Azure. And then we're going to talk about how we can design a defense for these things, right? And so in particular, the attacks are really based on how an environment is architected from a privileged perspective, right? And so we have ways to mitigate these things and ensure that an attacker does not use them. So jumping into the background here a little bit, if you've been around Active Directory for a while, you're probably familiar with this diagram here, right? Our three-tier model. And usually when we're talking about AD, we're talking about tier zero, right? With our domain admins or domain controllers and hopefully our privileged access workstations. And we always want to stay horizontal within that tier. Now we all probably know, or many of us who are familiar with this may know, that this model has been retired for the enterprise access model. But before we look at the attacks, we'll sort of see how this can translate easily into that, right?
When I've talked with a lot of people out there, organizations, enterprises, one of the things that I tend to find is, right, it's confusing at times to try to translate this into the new privilege model. But I also want to just point out that the reality of tier zero is more than just our domain admins and DCs and our privileged access workstations these days, right? So we expanded a little bit, right? For a lot of organizations, we have ADFS, right? Active Directory Federation Services, and ADCS, Active Directory Certificate Services. And right, for many of us that are hybrid identity, right? Azure and 365 customers, we also have Entra Connect or Entra Cloud Sync. And this can extend even beyond the Microsoft ecosystem, right? So say from a cloud perspective, we also had Okta in play, right? The Okta AD agent, right? Anything that acts with privilege. And this extends even a bit further, right, to our backup systems, right? They may operate with privilege against Active Directory, and the backups of Active Directory are certainly privileged in themselves because they store, you know, sensitive data such as the DIT file for Active Directory. And the management plane, right? And that's what we're really here to talk about today: how does the management plane really fit into tier zero and how do we need to account for that? So we're gonna pivot a bit and we're gonna talk about the enterprise access model, right? And so if we look at the enterprise access model, and we'll build this out, but we'll focus on the data and workload plane, right? And the data and workload plane is our IaaS and our PaaS, right? All these things that we're running, we're consuming as services in Azure, right? And we'll sort of tweak this a little bit here so you can see we're focusing on domain controllers being in that data and workload plane, right? These are DCs running as IaaS VMs in Azure, right? Pretty straightforward. So we add in the management plane and the control plane, right?
And the management plane is, you know, for monitoring and management and security, right? So the management plane is your Azure activity logs. It's also your, you know, Azure RBAC roles, right? And it's also, right, the place you go to manage things in the data and workload plane, right? With any hypervisor, right? If we sort of simplify this, right? There's the management interface that you browse to to start and stop VMs, to provision VMs, all that good stuff, right? So this is portal.azure.com, Azure CLI, PowerShell modules, right? Just going directly, right, to the APIs. And the control plane, right? There's sort of a symbiotic relationship here because the control plane is actually that definition, right? Of privileges within the management plane. And I say it's symbiotic because we have to use the management plane to define what's in the control plane, right? And the control plane is what dictates who can do what in the management plane, right? And just reiterating things here, right? Because we build this out, sort of tweaked for Active Directory and accessing our domain controllers, right? So our users come in, right? With their accounts and their domain-joined or hybrid-joined devices and all that good stuff, right? Applications hitting Active Directory with Kerberos or LDAP or whatnot, right? And that's all going through things like an ExpressRoute or site-to-site, you know, VPN, and where it's localized, right? Within that data and workload plane there are other servers or VDI or whatnot potentially out there. And so we'll add in privileged access, right? As we continue to build this out. And really when we think of privileged access it's sort of just abstracted out of, right? What's defined in the control plane and how those definitions in the control plane, right? Say who can do what in the management plane.
And again, so if we sort of tweak this for Active Directory or our old privilege model that some of us are more familiar with, we can just call privileged access effectively tier zero, right? When we're talking about domain controllers running out in Azure. So we're going to look at the attacks a little bit and I think as we look at these it will kind of help build us out a bit further. So let's take a look at these two attack paths that I mentioned. So the first one is going to be for an Azure VM using the run command, right? And here is going to be our path to tier zero. So we have Alex Wilber, right? And Alex works in our operations center, and one of the roles that Alex has is, right? To sort of help maintain virtual machines that run in Azure, right? If we need to restart or stop or start VMs and perform other sort of basic maintenance, right? We're going to go through the management plane, and this sort of saves, right? Our IT staff the headache or the hassle of having to go do this work, right? Alex generally works in the Azure portal and we're going to use the portal just sort of for ease here. But this again could be through anything, right? That allows you to interact with Azure. And defined here, right? Within our Azure RBAC, our roles, is a subscription, right? That is going to have a DC, and then Alex has been assigned Reader and Virtual Machine Contributor. Let me just break out the pen here, right? And so within the Virtual Machine Contributor role there's this Microsoft.Compute/virtualMachines/runCommands, and there's a series of, I think it's, you know, add, delete, you know, run, and I forget the last, but essentially there's four commands out there that are defined within that role that allow Alex to do things, right? Against a VM from run command, right? And for our domain controllers, that's going to allow us to actually run a command on that DC, and that command is going to run in SYSTEM context, right?
So let's break out of this and hop over to our lab here. So as Alex, we're just going to sign into the Azure portal, right? So as we go through this and we sign in, right? I just want to expand on these agents, right? Again, for those of us that are familiar with virtualization, right? Usually Windows hosts have an agent that runs on our VMs, right? That allows it to sort of have a communication with the hypervisor, right? The hypervisor in this case is, right? Azure, but also in this sense the Azure hypervisor allows, right? The management plane to send commands to the agent running on our system, right? And in this case, because it's a domain controller, it's a tier zero system. So if we look at our access control before we actually go to run our command, right? We're signed in as Alex. And again, we can just hit View my access, right? And we can see here we have a few roles defined, but the one that we're concerned with right now is Virtual Machine Contributor, and it's assigned at the management group layer. So let's scroll down to run command and we're going to choose to execute a PowerShell script. Now, you see what I'm about to drop in here is not actually PowerShell, right? But that's sort of beside the point, right? So this script that we're going to run, right? We have a net user here where we're just going to create a new user, right? On the domain controller, and because it's a DC it's gonna create the user in Active Directory. And then this other command here where we're just doing a net group domain admins to add Alex's just-created user, right? And again, you could start to think of all sorts of ways you could use this in different things, right? We're creating a user, you could add an existing user, but then you have SYSTEM context on the DC here. So there's a lot of things that you could potentially do. And right, just so that we know it's all not sort of smoke and mirrors here.
We'll delete these existing user objects and let's change this, and we're going to make this DA Alex three, right? And what I wanted to show you here was that if we go look at domain admins currently, and so this desktop that I'm on is joined to this domain, there's just myself in there as a domain administrator, right? And we're gonna run this command. Now, from an Azure perspective it can take, you know, half a minute, a minute sometimes to return feedback from this, but as long as the demo gods are working for me here, and let's just target DC one, right? We already see here DA Alex three, right? And if we go to Member Of we can see that DA Alex three is in domain admins, and we'll see if our command finished here. Now it's still running. So I will now just finish, right? So we'll get the command completed successfully, right? As simple as that, right? Alex now has credentials, we can go RDP to that domain controller as DA Alex three with Pwned1234! as our password, and we're good to go with whatever we want to do next. Right, so we will look at some defense, but before that I want to just jump into our other attack path here because it's very similar, right? So this time we're looking at Azure Arc, and we're going to be using run command again, which is slightly different than the run command that we use for virtual machines, but you can probably already see where this is sort of going, right? Now again, Arc provides a lot of great things, right? Whether it's multi-cloud with AWS or GCP or other cloud providers, or we just have either VMs or even physical servers running on-prem, right? Whatever that on-prem may look like for you, right? It really extends the Azure management plane beyond Azure things, right? And in this case, it extends it beyond Azure VMs and beyond Azure-based domain controllers. Right, so very similar path to tier zero, right? So here's Alex Wilber, right?
And we're going to give Alex rights within Arc again, just rights to perform basic tasks against virtual machines that we had, or not virtual machines, Arc-enabled machines, right? Within Azure. This time we're going to use Azure CLI just to sort of switch up, right? Showing how we can attack things, but again, on the subscription this time, right? Alex is going to have Reader and the Hybrid Server Administrator role, and within the Hybrid Server Administrator role, right? There's Microsoft.HybridCompute/machines, and there's commands within here to create, list, run, update and, like, delete commands, which those commands again we can run against domain controllers, and we're going to have that same SYSTEM-level access. So let's break out of this and we are going to log in as Alex. I'm just going to go through and pick our subscription that we're using here. Now, one thing I want to point out though, right? Is that you may also think that this is a bit of a post-breach attack, right? Because Alex's account, right? Has to have been compromised, but I also just want people to sort of keep in mind, right? That there has been a slight uptick, right, on sort of concern around insider threat scenarios, right? So it doesn't always have to necessarily be that, well, something has happened, right? From a compromise perspective to Alex's account. We have our subscription and now we're going to paste this in here and let's just sort of break this down before we run it, right? So against Arc, we're going to run this az connectedmachine run-command create here, and we're going to create this command, but when we create it, it actually runs the command itself. Right, again, we see our target here is DC2, right? So DC2 is a domain controller that I have in a Hyper-V lab that is Arc-enabled, right? And connected to this tenant in this Azure subscription, and then we see our script over here, right? So it's very similar. Here we're going to add DA Alex two, right?
And then add them to domain admins. So pretty, pretty straightforward here, but I'm actually just going to move back here a little bit to make sure, as I think I may have another script that already existed here. So let's see what happens. And again, what you're going to find, if you go sort of test this out in your own lab environment, is that this will take, you know, it can take a couple of minutes to get a response back, but again, as long as the demo gods are working okay with us here, let's see, right? We can already see DA Alex two is created and DA Alex two is already a domain admin, right? So I'll let this keep running, right? So we can sort of see the output of it, because there are some important aspects that I wanna hit on there. But like I said, this is going to take a minute or two to finish running, right? So while that's going on, right? Let's talk about defense, right? And before we look at different ways, right? We can defend against this from an architectural perspective and also from a monitoring perspective, right? I just wanna highlight again, right? That if we look at the shared responsibility model here, that when it comes to IaaS and the accounts and identities, right? That we define as roles and rights, right? That it is the responsibility of us, right? The customer of the service, to define what those rights are, right? Microsoft provides us the platform, we're the ones who determine who has access to what. And that's why it's important for us to make sure when we're talking about tier zero that we pay extra attention to how we define these things, right? So that is still running here. And so I'm actually gonna hop over to another window I have open where we're gonna just see in Log Analytics, right? So within our Azure activity logs, we can capture these events, right? And in this instance, I'm typing this in Log Analytics, which, right?
We could also then have Sentinel on top of that, or this could go to a third-party SIEM like Splunk or QRadar or something else as well, right? The point here is that we are able to capture these runs, right? And we can see again that we can capture Microsoft.Compute/virtualMachines/runCommand/action, right? Which is running against our VMs. And in this window, we're capturing Microsoft.HybridCompute/machines/runCommands, right? And I'll say, right? As we're kind of going through this, if this feels hard to capture, I'm gonna drop some additional links, right? To some articles in Microsoft Learn that you can use to sort of, right? Go through this yourself. So don't feel pressed to necessarily try to capture this from the screen here. Right, so I'm actually gonna bring up, so that I don't reveal, you know, my home IP address here, you know, one of these copies of these commands here, right? So we're actually gonna look at our Arc command activity log. And while we can capture a lot of information about, you know, that this command ran and happened, right? And so we can monitor for it. Unfortunately, the actual command itself, for both the Arc command activity log and for our virtual machine commands, we don't actually capture the command that was run, right? So here we just search for domain admin, right? And I'll look at all current documents, and we can find, right, that there's zero hits there, right? And we had domain admin in, right? Or domain admins, but it would still hit here, right? In our search for what we're looking for. So this is why we need to be sort of mindful, right? That while we're able to monitor for this, we're not actually gonna have all the information about what was actually, you know, run.
And it becomes why it's important again to just highlight, right, for Active Directory that we have some system in place where we're also taking our DC, right, event logs, and we're dumping those out again to, you know, Log Analytics or Sentinel or another SIEM or something like that, or we're using MDI or another ITDR or XDR platform, right? Something to monitor some of these privileged activities in Active Directory, right? And so we can see actually, as I was speaking here, that, right, this finished running, and we can see the run command time, right? Was very short. It was like, you know, less than a second here, right? And we can see that our command succeeded, and in this we're actually able to see, right? The command that was run, and there is the ability, as I just copy my other command, to see all the commands that have been run because these are saved, right, out in Arc. So this, let me scroll up here. Actually I'll just run this again, right? Cause I wanted to highlight here that this az connectedmachine run-command list is going to show us all those commands that have been run, and we can get this as an output. But the problem is that you can also delete these things, right? I know what I'm doing. I'm probably going to clean up my tracks, right? And go run a delete on this. So that way someone can't come in and actually see the commands that were run, from the management plane perspective anyways. So one other defense that I just wanted to talk about here from a more technical perspective, right? Is also, when we talk about role assignments, we have the ability, right, to define custom roles. So for the Virtual Machine Contributor, right? It's on the management group that Alex has assigned access, right? And we can come in and do something like create a custom role, right? And we'll call this, you know, Virtual Machine No Run Commands, and we can clone a role, right? Virtual Machine Contributor.
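The monitoring point above (run-command operations show up in the activity log, the script body does not, and a saved Arc run command can be deleted afterwards) is the kind of thing worth turning into a rule. The block below is an added example written for this transcript, not code from the session, from Semperis or from Microsoft. It runs over constructed Azure Activity records whose field names loosely follow the AzureActivity table in Log Analytics (OperationNameValue, Caller, CallerIpAddress, ActivityStatusValue, CorrelationId, _ResourceId); the subscription IDs, machine names, caller and IP address are placeholders. It flags any run-command operation against a resource under a tier-zero scope, treats deletion of a saved run command as a separate, lower-severity signal, and collapses the paired Start/Success records that one operation produces.

```python
"""Spot run-command activity against tier-zero machines in Azure Activity log records.

Added example for this talk, not code from the session or from Microsoft. The record
shape loosely follows the AzureActivity table in Log Analytics; every record below is
constructed sample data, and the subscription IDs are placeholders.
"""
from dataclasses import dataclass

# Operations that run a script as SYSTEM on the target machine, for both Azure VMs
# and Arc-enabled machines.
RUN_COMMAND_OPS = {
    "microsoft.compute/virtualmachines/runcommand/action",   # VM run command (action)
    "microsoft.compute/virtualmachines/runcommands/write",   # VM managed run command
    "microsoft.hybridcompute/machines/runcommands/write",    # Arc run command create/run
}
# Deleting a saved run command removes the management-plane record of what was run.
CLEANUP_OPS = {
    "microsoft.compute/virtualmachines/runcommands/delete",
    "microsoft.hybridcompute/machines/runcommands/delete",
}


@dataclass
class Finding:
    severity: str
    caller: str
    caller_ip: str
    operation: str
    resource_id: str
    reason: str


def in_tier0_scope(resource_id, tier0_scopes):
    """True when the resource ID equals a tier-zero scope or lies beneath one.
    A runCommands child of a machine is therefore covered by the machine's scope,
    and a whole identity subscription can be named as one scope."""
    rid = resource_id.lower()
    for scope in tier0_scopes:
        s = scope.lower().rstrip("/")
        if rid == s or rid.startswith(s + "/"):
            return True
    return False


def find_run_command_events(records, tier0_scopes):
    findings, seen = [], set()
    for r in records:
        # Start and Success records share a CorrelationId; report each operation once.
        key = r.get("CorrelationId") or id(r)
        if key in seen:
            continue
        op = r.get("OperationNameValue", "").lower()
        rid = r.get("_ResourceId", "")
        if not in_tier0_scope(rid, tier0_scopes):
            continue
        if op in RUN_COMMAND_OPS:
            sev = "high"
            why = ("script executed as SYSTEM on a tier-zero machine; the script body is "
                   "not in the activity log, correlate with DC event logs")
        elif op in CLEANUP_OPS:
            sev = "medium"
            why = "saved run command deleted; possible removal of the only record of the script"
        else:
            continue
        seen.add(key)
        findings.append(Finding(sev, r.get("Caller", "?"), r.get("CallerIpAddress", "?"),
                                op, rid, why))
    return findings


# Constructed sample data: placeholder subscriptions and machine names.
ID_SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"   # tier-zero identity subscription
APP_SUB = "/subscriptions/00000000-0000-0000-0000-000000000002"  # ordinary workload subscription
DC1 = ID_SUB + "/resourcegroups/rg-identity/providers/microsoft.compute/virtualmachines/dc1"
DC2 = ID_SUB + "/resourcegroups/rg-identity/providers/microsoft.hybridcompute/machines/dc2"
WEB01 = APP_SUB + "/resourcegroups/rg-web/providers/microsoft.compute/virtualmachines/web01"


def _rec(op, rid, status, corr, caller="alex.wilber@contoso.example", ip="203.0.113.10"):
    return {"OperationNameValue": op, "_ResourceId": rid, "ActivityStatusValue": status,
            "CorrelationId": corr, "Caller": caller, "CallerIpAddress": ip}


SAMPLE_RECORDS = [
    _rec("MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION", DC1, "Start", "c1"),
    _rec("MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION", DC1, "Success", "c1"),
    _rec("MICROSOFT.HYBRIDCOMPUTE/MACHINES/RUNCOMMANDS/WRITE", DC2 + "/runcommands/cmd1", "Success", "c2"),
    _rec("MICROSOFT.HYBRIDCOMPUTE/MACHINES/RUNCOMMANDS/DELETE", DC2 + "/runcommands/cmd1", "Success", "c3"),
    _rec("MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION", WEB01, "Success", "c4"),  # outside tier zero
    _rec("MICROSOFT.COMPUTE/VIRTUALMACHINES/RESTART/ACTION", DC1, "Success", "c5"),       # routine maintenance
]
TIER0_SCOPES = [ID_SUB]

if __name__ == "__main__":
    for f in find_run_command_events(SAMPLE_RECORDS, TIER0_SCOPES):
        print(f"[{f.severity}] {f.caller} from {f.caller_ip}: {f.operation} on {f.resource_id}")
        print(f"    {f.reason}")
```

Running it on the constructed records yields three findings: the VM run command on dc1, the Arc run command on dc2, and the deletion of that Arc command; the restart of dc1 and the run command on the web server outside the identity subscription are left alone. Because the script body never reaches the activity log, the high-severity finding is only the trigger; the DC's own security log (or an ITDR product watching it) is where the account creation and group change have to be confirmed.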
And we're just going to go to edit the JSON here and we're going to replace NotActions. Oh, let me grab it. Earlier, when I said I didn't remember what they were, here's, right, read, write, delete, and action, right? So this is against our DC one, the virtual machine in Azure, right? We're going to save this. That space here is annoying me. So delete that, save it, right? Review and create. And now we have this role created. And now we could go assign this role to Alex Wilber. But what I want to highlight is that if we have both role assignments, NotActions do not work like a deny as they might in Active Directory, right? Where if you have multiple permissions colliding and you have a deny, that sort of wins, right? Cause it's the most restrictive. I mean, in this case, if we left Alex assigned Virtual Machine Contributor and also added them to that other role, even having the NotActions in the other role will not prevent Alex from running commands, because the NotActions is not a deny if there's some other RBAC role that is granting access. And so that brings us actually to talk about Azure RBAC roles here, right? Now, like I mentioned, right? It is our responsibility, but it certainly can feel tough at times to know what roles to assign to everyone. Right at the time of recording this, right? There's currently 496 roles available within Azure, right? And that can feel like a lot. And then also there's a lot of good guidance, right? Within the Cloud Adoption Framework, or CAF, in particular Azure landing zones, right? Which really help us define how we should structure Azure. And there's a lot of great diagrams and a lot of great information on Microsoft Learn, right? And I'm not expecting you to sort of understand the zoomed-out picture, because we really want to zoom in and just focus on tier zero here, right? And so if we look at, my computer is just struggling a little bit here. There we go, right?
If we zoom in on our Azure landing zone here and talk about our identity subscription, right? Again, we want to make sure that this is effectively a tier zero subscription, right? And everything around it or inside it should be considered tier zero, which then also includes any role assignment, right? Any RBAC roles that we have defined against this identity subscription, right? And with the focus on our domain controllers, right? If we have Entra Connect running out in the cloud, we would want that stuff in here too. And I also just want to leave you with, right? Before we kind of wrap things up with some actions, looking at the RBAC hierarchy, right? As I was mentioning, that NotActions, right? Don't necessarily mean that if other actions are assigned they'll cancel them out, but we need to be mindful of where we assign permissions to do things within Azure, right? So on a domain controller, right? We could assign VM Contributor, right? Directly on that DC, or we could assign VM Contributor, right? On the resource group above it, and then those rights would cascade down. So we have one DC here, but if we had 10, right, this VM Contributor would have access on all 10 domain controllers for that, right? But again, then we can move one level up and we can talk about, right, subscriptions, which hold all our resource groups. And if we assign VM Contributor there, you can sort of see where this is going, right? It cascades down. And then we also have our management groups, right? And there's always a root management group where VM Contributor could be assigned. Now, along with not being able to deny things, I wanna highlight that we also don't have the ability to deny lower down. So if we assign VM Contributor with run command at the root management group, all the way down to that domain controller that exists in any of these subscriptions, right? And this is the root management group. So there's sort of no way out of it, right?
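The two RBAC rules the talk leans on, that NotActions only subtract from the role that carries them and that an assignment cascades from its scope down to every resource beneath it, are easy to check in a few lines. The block below is an added example for this transcript, not code from the session, from Semperis or from Microsoft's own authorization engine: it models a principal's effective permission as the union over applicable assignments of (Actions minus NotActions) with Azure's case-insensitive, segment-spanning `*` wildcard. The scope tree, the placeholder subscription ID and the caller are constructed; the Virtual Machine Contributor action list is abridged from the built-in role, and the custom role is the cloned one with run-command NotActions that the talk builds in the portal. Azure deny assignments, which are not something you can author for this scenario, are left out.

```python
"""Azure RBAC effective-permission check: NotActions subtract only within their own
role, and assignments cascade down the scope hierarchy.

Added example, not from the talk or from Microsoft. Scope IDs and the caller are
constructed placeholders; role definitions are abridged.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Role:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)


@dataclass
class Assignment:
    principal: str
    role: Role
    scope: str


# Constructed scope hierarchy, child -> parent. Management groups are not string
# prefixes of subscription IDs in Azure, so the tree is explicit rather than inferred.
ROOT_MG = "/providers/Microsoft.Management/managementGroups/root"
IDENTITY_SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # placeholder
IDENTITY_RG = IDENTITY_SUB + "/resourceGroups/rg-identity"
DC1 = IDENTITY_RG + "/providers/Microsoft.Compute/virtualMachines/dc1"
PARENT = {IDENTITY_SUB: ROOT_MG, IDENTITY_RG: IDENTITY_SUB, DC1: IDENTITY_RG}


def scope_chain(scope):
    """The resource's own scope followed by every ancestor up to the root management group."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)


def matches(pattern, action):
    # Azure operation strings are compared case-insensitively and '*' may span '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role, action):
    """Effective permissions of one role = Actions minus NotActions (within that role only)."""
    granted = any(matches(p, action) for p in role.actions)
    excluded = any(matches(p, action) for p in role.not_actions)
    return granted and not excluded


def is_allowed(principal, action, resource_scope, assignments):
    """Union over every assignment at the resource or an ancestor scope:
    a single permitting role is enough, so a NotActions entry elsewhere never blocks it."""
    chain = set(scope_chain(resource_scope))
    applicable = [a for a in assignments if a.principal == principal and a.scope in chain]
    return any(role_permits(a.role, action) for a in applicable)


RUN_COMMAND = "Microsoft.Compute/virtualMachines/runCommand/action"
RESTART = "Microsoft.Compute/virtualMachines/restart/action"

# Abridged from the built-in Virtual Machine Contributor role.
VM_CONTRIBUTOR = Role("Virtual Machine Contributor", [
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
])
# The cloned role from the talk: same Actions, run-command operations moved to NotActions.
VM_NO_RUN_COMMANDS = Role("Virtual Machine No Run Commands", VM_CONTRIBUTOR.actions, [
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Compute/virtualMachines/runCommands/write",
    "Microsoft.Compute/virtualMachines/runCommands/delete",
])


def scenarios():
    alex = "alex.wilber@contoso.example"  # constructed principal
    custom_only = [Assignment(alex, VM_NO_RUN_COMMANDS, IDENTITY_SUB)]
    both = custom_only + [Assignment(alex, VM_CONTRIBUTOR, ROOT_MG)]
    return {
        "custom role only, run command on dc1": is_allowed(alex, RUN_COMMAND, DC1, custom_only),
        "custom role only, restart dc1": is_allowed(alex, RESTART, DC1, custom_only),
        "custom role plus VM Contributor at root MG, run command on dc1":
            is_allowed(alex, RUN_COMMAND, DC1, both),
    }


if __name__ == "__main__":
    for label, allowed in scenarios().items():
        print(f"{'ALLOWED' if allowed else 'denied ':8} {label}")
```

The first scenario shows the custom role doing its job (restart works, run command does not). The third shows why the talk's caveat matters: leaving Virtual Machine Contributor assigned at the root management group makes the run command allowed again on dc1 three levels down, and nothing in the custom role can cancel that. The fix is to remove the broad assignment from the ancestor scope, not to add a more restrictive role beside it.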
That VM Contributor is going to apply. And the last thing I just wanna leave you with, right? While there is sort of a barrier between Entra and our Azure subscriptions, there are multiple ways that a global administrator can move into Azure. Now, for some organizations, they may say, well, no big deal, right? Because my global administrators are also my domain administrators, but in other organizations that's not the case, and the people that manage Entra and Azure are not the people that manage Active Directory. So I'm gonna leave you with five actions and a bonus here, right? So again, this isn't so much an action necessarily, but just let's focus on tier zero resources, right? A lot of times when we try to architect this sort of stuff, it feels like we're boiling the ocean. But even if we have a lot of domain controllers, right? In principle, it's focusing on where do those DCs live from a subscription perspective, right? And what rights are assigned to them. And that's why we wanna either create or audit our tier zero subscription, right? So if we have one, audit what's in it or not in it. And if we don't, create that subscription, and then also audit our existing subscription RBAC model, right? So going back to the hierarchy and the rights assigned, making sure we're verifying who has access to what. And if we have a complex environment, it is an area where Entra Permissions Management can also help us understand what rights and permissions we have out there. And lastly, just wanna make sure that we capture our tier zero subscription activity logs in a SIEM, right? Cause even if we restrict who has access to what, we wanna make sure that we're auditing, right? This from every angle, right? Because a compromise of Active Directory is almost always a big deal. And I'll leave you with that Mandiant has found, and they've written about this, this actually used by threat actors in the wild. So from the virtual machine aspect, this isn't all theory.
And lastly, just wanna say, right? That we can also take what we've talked about here and examine our multi-cloud and on-prem management planes, right? So where we may apply this in Azure, we need to understand, if we're running domain controllers in AWS or GCP or on-prem, if there is an agent, right? Can the agent run commands on our domain controller? So I just wanna thank you for your time here today. I hope this session was informative. I had a great time giving it. There is gonna be an evaluation slide and I hope that you fill out that evaluation. And like I said, I'm Eric Woodruff, Eric on Identity, and I hope you have a good rest of the summit.