Awesome
BadZure
<div align="center"> <img src="img/BadZure.png" alt="BadZure logo" style="width: 35%; height: 35%;"> </div> <br>BadZure is a Python tool that utilizes Terraform to automate the setup of Azure Active Directory (now Entra ID) tenants, populating them with various entities and introducing common security misconfigurations to create vulnerable tenants with multiple attack paths.
BadZure automates the creation of various entities, including users, groups, application registrations, service principals, and administrative units. To simulate common security misconfigurations in real environments, it randomly assigns Azure AD roles, Graph permissions, and application ownership privileges to selected security principals, enabling the creation of unique attack paths. Adhering to the 'Assume Breach' principle, BadZure offers users two methods of initial access to the vulnerable tenants it creates, thereby simulating account takeover scenarios.
The key advantage of BadZure is its ability to quickly populate and purge Azure AD tenants with randomly generated vulnerable configurations and pre-configured initial access, facilitating continuous and iterative Azure AD adversary simulation and detection development experimentation. It is designed for security practitioners interested in exploring and understanding Azure AD security.
Goals / Use Cases
BadZure was initialy written to host the Azure AD Battle School: Hands-on Attack and Defense workshop at X33fcon 2023.
An Azure AD tenant populated with BadZure also enables red and blue teams to:
- Experiment with common Azure AD attack vectors and tools
- Quickly stand up misconfigured Azure AD lab tenants.
- Obtain attack telemetry to build, test and enhance detection controls
- Execute purple team exercises in a safe setting
- Faciliate hands-on Azure AD security training
- Host dynamic Azure AD Capture the Flag (CTF) events
Attack Paths
Initial Access
BadZure simulates initial access by employing common account takeover techniques, including password attacks and token theft. By providing both passwords and tokens, BadZure enables security practitioners to effectively simulate initial access scenarios and explore various attack vectors against Azure AD tenants.
Password-Based Access
When configured to use passwords, BadZure assigns randomly generated passwords to key user accounts that are part of the attack paths. These passwords are provided to BadZure users to simulate password-based attacks, such as credential stuffing or password spraying. Additionally, BadZure automatically generates a users.txt file containing the usernames of all created accounts, facilitating testing strategies like password spraying.
Token-Based Access
For token-based access, BadZure generates JWT access tokens for specified principals. These tokens are provided in the output, simulating scenarios where an attacker has obtained valid tokens through reverse proxy phishing, endpoint malware or device code phishing. Users can utilize these tokens to authenticate directly against Azure AD resources, gaining an understanding of potential attack vectors involving token theft.
Privilege Escalation
BadZure simulates privilege escalation by introducing misconfigurations within Azure AD roles, Graph API permissions, and application ownerships. These misconfigurations include assigning high-privilege roles to service principals or users, granting extensive Graph API permissions to applications, and configuring users as owners of privileged applications. These settings allow for the configuration of service principal abuse attack scenarios.
A BloodHound-generated graph, showcasing the attack paths BadZure can create, is shown below.
Demo
Quick Start Guide
Requirements
- Azure CLI: Follow the instructions here to install Azure CLI.
- Terraform: Follow the instructions here to install Terraform.
Create an Azure AD Tenant
Creating an Azure subscription will also provide you an Azure AD tenant.
Note: Utilizing BadZure within your Azure subscription won't lead to any additional costs as it only requires an Azure AD Free license.
Clone Repository
git clone https://github.com/mvelazc0/BadZure
cd BadZure
Create virtual environment and install dependencies
# Create a virtual environment
python -m venv venv
# Activate the virtual environment
# On Windows
venv\Scripts\activate
# On Unix or MacOS
source venv/bin/activate
# Install dependencies
pip install -r requirements.txt
Login to Azure as a Global Administrator
az login
Create and destroy vulnerable tenants
# Display the help menu
python badzure.py --help
# Populate a tenant and configure all attack paths using the default badzure.yml config file
python badzure.py build
# Populate a tenant and configure all attack paths with a different config file
python badzure.py build --config config.yml
# Show the created resources in Azure AD tenant
python badzure.py show
# Destroy all created identities with verbose logging
python badzure.py destroy --verbose
YAML Configuration File
BadZure leverages a configuration file used to configure the setup of the Azure AD tenant. This file allows users to specify details such as the number of users, groups, applications, administrative units, and attack paths to be created.
Example Configuration
tenant:
tenant_id: "your-tenant-id"
domain: "your-domain.com"
users: 30
groups: 10
applications: 10
administrative_units: 10
attack_paths:
attack_path_1:
enabled: true
initial_access: password
privilege_escalation: ServicePrincipalAbuse
method: AzureADRole
entra_role : random
attack_path_2:
enabled: true
initial_access: token
privilege_escalation: ServicePrincipalAbuse
method: GraphAPIPermission
app_role : random
For more details on the configuration options, please refer to the Wiki
Author
- Mauricio Velazco - @mvelazco
Contributors
References
- Cloud Katana by Roberto Rodriguez
- AADInternals by Nestori Syynimaa
- Azure Attack Paths by Fabian Bader
- ROADtools by Dirkjan Mollema
- PurpleCloud by Jason Ostrom
- Azure AD - Attack and Defense Playbook by Sami Lamppu and Thomas Naunheim
- BloodHound/AzureHound by Andy Robbins
- Blog posts, talks and tools by @Haus3c, @kfosaaen, @inversecos and others.
License
This project is licensed under the Apache 2.0 License - see the LICENSE file for details