Chain Reaction: Uncovering Supply Chain Threats via Azure Application Registrations

cropped-avatar-fallback.jpg

Introduction to Azure Application Registration and Service Principals

Microsoft Entra ID (formerly Azure Active Directory) provides the capability for applications to interact with Azure resources through Application Registrations and Service Principals (SPs). An Application Registration acts as a global template defining the application across directories, specifying the APIs it will access. The Service Principal is an instance of this template, used within a specific Azure AD tenant, granting the application the necessary permissions to operate within that tenant's resources.

Differences Between Internally and Externally Managed Service Principals

When managing Azure Service Principals (SPs), it's essential to distinguish between those created and managed internally versus those managed by external parties:

1. Creation and Management

  • Internally Managed Service Principals are internally created and managed, typically by an organization's IT team, ensuring alignment with internal security and operational policies.

  • Externally Managed Service Principals are generated when an application from outside the organization is granted access, potentially bypassing direct IT oversight.

2. Authentication Control

  • Internally Managed Service Principals have credentials (passwords or certificates) controlled and secured by the organization, with strict practices for credential rotation and management.

  • Externally Managed Service Principals have their credentials managed by the external application's owner, which might not adhere to the organization's stringent security standards.

3. Visibility and Monitoring

  • Internally Managed Service Principals appear in Azure AD under App Registrations and are well-documented within the organization’s asset management tools.

  • Externally Managed Service Principals may only be detected under Enterprise Applications in Azure AD, which can lead to gaps in routine security monitoring.

4. Permissions and Security Risk

  • Internally Managed Service Principals are governed by the principle of least privilege, with permissions regularly reviewed and adjusted.

  • Externally Managed Service Principals might be granted broader permissions, especially if consent is obtained through deceptive means, thus increasing security risks.

Typical Creation and Usage

To interact with Azure resources, an application must authenticate via Azure AD. This process involves:

  1. Registering the application in Azure Entra ID to obtain an Application ID.

  2. Creating a Service Principal, which serves as the application's identity.

  3. Assigning roles and permissions to the Service Principal to control the level of access to Azure resources.

This flow is typically secure under normal circumstances. However, it can be exploited by attackers to implement supply chain attacks.

Attacker Methodology: Creating and Exploiting Service Principals

An attacker can register a malicious application in their tenant and then exploit Azure features to interact with a victim’s resources. Here's how the methodology unfolds, with examples using Azure CLI:

Application Registration by Attacker:

The attacker creates an application in their Azure AD tenant.

az ad app create --display-name "MaliciousApp" --reply-urls "http[:]//maliciousapp[.]com"

Service Principal Creation in Victim’s Tenant:

The attacker directly creates a Service Principal for the registered application in the victim’s tenant, avoiding the need for admin consent but needing access to create SPs.

az ad sp create --id <AppId>

az role assignment create --assignee <AppId> --role Contributor --scope /subscriptions/<SubscriptionId>

Permissions and Authentication Abuse:

With the Service Principal now having "Contributor" access, the attacker uses this SP to access and list all secrets from a Key Vault in the victim's subscription.

az login --service-principal -u <AppId> -p <Password> --tenant <VictimTenantId>

az keyvault secret list --vault-name <VaultName>

az keyvault secret show --name <SecretName> --vault-name <VaultName>

Attack Tactics, Techniques, and Procedures (TTPs) and MITRE ATT&CK Mapping

  • Initial Access (T1199): Spear-phishing to gain initial consent.

  • Persistence (T1136): Creating Service Principals ensures continued access.

  • Privilege Escalation (T1068): Expanding permissions of the application/Service Principal.

  • Defense Evasion (T1078): Using legitimate integrated Azure services to remain undetected.

Investigating and Uncovering Externally Managed Applications

To uncover applications that may have been managed externally, you can use the Azure CLI to list applications that do not match the typical organizational management criteria. Here’s a command that helps identify such applications by excluding those associated with your organization’s tenant ID:

az ad app list --all --query "[?appOwnerOrganizationId != '<victimTenantID>'].{AppId: appId, DisplayName: displayName, Publisher: publisherName}" -o table

This command filters out applications that are managed under the tenant ID you specify (replace <victimTenantID> with your actual Azure tenant ID), helping to highlight applications that might have been registered or managed externally.

Steps for Investigating Externally Managed Applications

Once potentially externally managed applications are identified, SOC analysts should undertake a thorough investigation to understand the scope and impact of these applications. Here are the steps that should be followed:

  • Review Application Permissions: Examine the permissions granted to each suspicious application. High-level or broad permissions, especially those impacting critical resources, can indicate potential misuse or malicious intent.

  • Audit Activity Logs: Check the Azure activity logs for actions performed by these applications. This includes data access, modifications, and any administrative actions that could affect security or operations.

  • Analyze Authentication Patterns: Review the sign-in logs associated with the applications to detect any unusual access patterns or authenticate requests from suspicious locations or IPs.

  • Cross-Reference with Incident Reports: Align your findings with any recent security incidents or threats. This might reveal correlations between the external application activities and security breaches or data exposures.

Challenges in Investigation

  • Complexity and Time-Consumption: Unraveling the actions of externally managed applications is often complex and time-consuming, due to the depth of investigation required to thoroughly understand their impact.

  • Data Overload: Analysts may face a vast amount of data to sift through, especially if the applications have been operational for an extended period or have interacted with numerous resources.

  • Skill Requirements: Proficiency in Azure management and security is crucial, as understanding the implications of specific permissions and logs requires specialized knowledge.

To Bring It All Together

Azure Service Principals and Application Registrations are powerful tools for enabling applications to interact securely with Azure resources. However, they can also be exploited to facilitate supply chain attacks, presenting significant security risks.

Understanding these mechanisms, the potential for misuse, and the effective strategies for monitoring, investigating, and mitigation are essential for safeguarding Azure environments against sophisticated attacks.

Cyngular Security's CIRA Platform

To further secure your cloud environment, consider integrating Cyngular Security's CIRA platform. It enhances your security posture by providing advanced investigation and response capabilities, enabling your team to address threats swiftly and effectively. By adopting Cyngular Security's CIRA, you empower your organization with proactive and automated security measures that protect your cloud assets.

Get a Free Breach Assessment

Protect your cybersecurity infrastructure with a complimentary breach assessment from Cyngular:

  • Safe and Non-disruptive: Conducted with read-only access to ensure no operational disruption.

  • Easy Setup: Integrates seamlessly with your existing SIEM systems.

  • Deep Insights: Empowers your cybersecurity strategy with advanced threat-hunting and proactive investigation capabilities.

Request your free Proof-of-Value today and lead the way in cybersecurity innovation with Cyngular.

Recent