Extract plain-text password from Azure VM Reset Password feature

Reset Password is a common feature that allows you to create or reset a local administrator account on an Azure VM. It is helpful when you have forgotten the account used to log in to your VM. An InfoSec person might ask: can such a password be viewed in plain text? In other words, is it technically possible to obtain that password?

In this article, I would like to demonstrate how to extract the password you set with the Reset Password feature.


Posted in Security Operation

Script to audit managed identities on VM and their role assignment

Managed Identity in Azure is not new. Everyone loves it, and people use it more often these days. Managed Identity reduces the overhead of managing secrets or certificates. However, the Managed Identity feature also introduces new risk if misused.

This article is not going to introduce Azure Managed Identity again. Instead, it provides a PowerShell script to help you quickly audit the VM(s) and VM Scale Set(s) in your Azure environment, checking whether they have managed identities attached and what their respective role assignments are.


Posted in Identity & Access Control, Security Automation

Scan Azure VMs in the same subnet with Nmap

Last weekend I made a small PoC using Nmap to scan an Azure VM. I then came up with the idea of writing a script to scan all live hosts in the same subnet from a given VM.

This article simply shares the script I wrote.


Posted in Network Security, Security Automation

Acquire Access Token from Azure App Service (Linux) System-Assigned Managed Identity

I got a question from a friend last week about whether he should enable System-Assigned Managed Identity (SAMI) on an Azure App Service running on a Linux host. He also asked whether his developer team could use that SAMI to do any evil actions in his cloud environment.

Hopefully, this article will clarify a few things and then share a bash script to acquire the access token of an Azure App Service’s SAMI.


Posted in Security Operation

Audit Azure Web App against NotLegit vulnerability

Have you seen the research “NotLegit: Azure App Service vulnerability exposed hundreds of source code repositories” from Wiz? In short, according to their research, if your Azure App Service uses Local Git, your source code may have been compromised.

As a SecOps analyst, you are responsible for auditing your Azure cloud environment to check whether any App Service is using Local Git. This article provides you with a script and an Azure Policy template to help you audit.


Posted in Governance & Compliance

Notes on Azure Policy Exemption

There are several ways to exclude your resources from being evaluated by Azure Policy. You can add a condition in a policy rule set. You can also exclude scopes using notScopes.

In this article, let’s explore another feature: Azure Policy exemption. We will then see how to deploy it as code.


Posted in Governance & Compliance

Bulk upload Log4Shell IoC to Microsoft Sentinel Threat Intelligence

Log4Shell is an emerging threat and its exploit is still in the wild. As a SecOps analyst, your job is to monitor your cloud assets and ensure that, if there is any communication with a known IoC, you can take appropriate action.

In this article, I’d like to share a simple script to help bulk upload known Log4Shell IoCs to Microsoft Sentinel Threat Intelligence (TI) so you can monitor them.


Posted in Monitoring & Detection, Security Automation

Detect Azure VM with a Public IP associated

Last week a friend asked me whether creating or updating a virtual machine with an associated public IP address was detectable. This is a very common requirement in cloud security monitoring. Having a workload (i.e. a virtual machine) exposed to the Internet is never recommended, unless that virtual machine is intended to play a security perimeter role.

In this article, let’s see how we can trigger an alert when someone creates or updates a virtual machine that has a public IP address.


Posted in Monitoring & Detection, Security Automation

Detect NSG inbound rule updated to allow All

Network Security Group (NSG) is one of the most common features in Azure for strengthening your network defense. It allows you to filter network traffic to and from Azure resources. Having an NSG in place doesn’t always mean your network is secure: a misconfiguration such as an inbound rule that allows All is like an open door to adversaries.

In this article, I would like to share a detection and monitoring use case that helps detect when someone creates or updates an NSG inbound rule to allow everything.


Posted in Monitoring & Detection, Security Automation

Query vulnerable VMs against Log4Shell vulnerability in Azure

I was asked by people whether Microsoft Defender for Cloud had any information related to the CVE-2021-44228 (Log4Shell) vulnerability, which is currently the hottest vulnerability.

In this article, I would like to share a Resource Graph query to find virtual machines that are vulnerable to Log4Shell.


Posted in Security Automation