DOI: 10.1145/3607199.3607228

CoZure: Context Free Grammar Co-Pilot Tool for Finding New Lateral Movements in Azure Active Directory

Published: 16 October 2023

Abstract

Securing cloud environments such as Microsoft Azure is challenging, and vulnerabilities due to misconfigurations, especially in user role assignment, are common. There have been significant efforts to find vulnerabilities that enable lateral movement in Azure AD systems. All of the existing works, however, either follow a manual process to find new vulnerabilities or can only discover whether known vulnerabilities exist in a deployed Azure environment. We develop an Azure Active Directory (AAD) lateral-movement discovery tool, CoZure, that helps researchers find new lateral movements in an Azure AD environment. CoZure applies algorithms from Context-Free Grammar (CFG) theory to first learn the ways (grammar rules) in which security researchers find vulnerabilities and then extends these rules to discover new lateral movement paths. CoZure first collects a large set of existing AAD environment commands using a specialized scraping tool; it then uses the CFG to build a knowledge-base dataset from these commands and previous attacks. CoZure then applies the knowledge learned to find new combinations of commands that could open up candidate lateral movements, which are then tested in a real AD environment for validation and manually checked by the user. CoZure helped discover lateral movements that current fuzzing tools (e.g., OneFuzz, RESTler) cannot identify, and it also shows better performance in finding existing misconfiguration issues in Azure AD. Using CoZure, we have discovered two new (not previously known) lateral movement methods that could lead to numerous new attack paths in Azure AD.



Published In

RAID '23: Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses
October 2023
769 pages
ISBN:9798400707650
DOI:10.1145/3607199
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Azure Active Directory
  2. Cloud Security
  3. Vulnerability

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

RAID 2023

Acceptance Rates

Overall Acceptance Rate 43 of 173 submissions, 25%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 119
  • Downloads (Last 12 months): 87
  • Downloads (Last 6 weeks): 2

Reflects downloads up to 19 Nov 2024
