Script to audit managed identities on VM and their role assignment
Microsoft Azure Security Randomness
by azsec
2y ago
Managed Identity in Azure is not new: everyone loves it, and people use it more and more these days. A managed identity removes the overhead of managing secrets or certificates for a workload. However, the feature also introduces a new risk if it is misused. This article is not going to introduce Azure Managed Identity again. Instead, it provides a PowerShell script to help you quickly audit the VM(s) and VM scale set(s) in your Azure environment, check whether they have managed identities attached, and list their respective role assignments. Use Case: As a SecOps analyst, your job is to assess to e …
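The audit the post describes, as an added example in Python rather than the post's own PowerShell script. The compute records and role assignments below are constructed, in the shape `az vm list` / `az vmss list` (the ARM `identity` block) and `az role assignment list --all` return; the set of roles treated as privileged is an assumption for the example. The point the audit makes visible is the "misuse" risk: an identity holding Contributor at subscription scope hands that scope to anyone who gets code execution on the VM.

```python
"""Audit managed identities on VMs / VM scale sets and their role assignments.

Added example with constructed sample data; it is not the PowerShell script
from the original post.  For a real run, feed it the output of
`az vm list` / `az vmss list` (the `identity` block is the ARM shape) and
`az role assignment list --all`; the field names below match those outputs."""
import csv
import io
from collections import defaultdict

# Roles broad enough that an identity holding one deserves a second look.
# The list is an assumption for this example; extend it for your tenant.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample: two VMs and one scale set.
SAMPLE_COMPUTE = [
    {"name": "web01", "resourceGroup": "prod-rg",
     "type": "Microsoft.Compute/virtualMachines",
     "identity": {"type": "SystemAssigned",
                  "principalId": "11111111-1111-1111-1111-111111111111"}},
    {"name": "batch01", "resourceGroup": "prod-rg",
     "type": "Microsoft.Compute/virtualMachines",
     "identity": {"type": "SystemAssigned, UserAssigned",
                  "principalId": "22222222-2222-2222-2222-222222222222",
                  "userAssignedIdentities": {
                      "/subscriptions/s1/resourceGroups/id-rg/providers/"
                      "Microsoft.ManagedIdentity/userAssignedIdentities/batch-uai":
                          {"principalId": "33333333-3333-3333-3333-333333333333",
                           "clientId": "cccccccc-cccc-cccc-cccc-cccccccccccc"}}}},
    {"name": "vmss-api", "resourceGroup": "prod-rg",
     "type": "Microsoft.Compute/virtualMachineScaleSets", "identity": None},
]

# Constructed sample role assignments (the third one is a user, not an identity).
SAMPLE_ROLE_ASSIGNMENTS = [
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/s1/resourceGroups/prod-rg"},
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/s1"},
    {"principalId": "99999999-9999-9999-9999-999999999999",
     "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/s1"},
]


def identity_principals(resource):
    """Yield (principalId, kind, identityName) for every managed identity on a resource."""
    ident = resource.get("identity") or {}
    itype = ident.get("type") or "None"
    if "SystemAssigned" in itype and ident.get("principalId"):
        yield ident["principalId"], "SystemAssigned", resource["name"]
    for uai_id, uai in (ident.get("userAssignedIdentities") or {}).items():
        if uai and uai.get("principalId"):
            yield uai["principalId"], "UserAssigned", uai_id.rsplit("/", 1)[-1]


def audit(compute, role_assignments):
    """One row per (resource, identity, role).  Identities with no role and
    resources with no identity still get a row so the report is complete."""
    by_principal = defaultdict(list)
    for ra in role_assignments:
        by_principal[ra["principalId"]].append(ra)
    rows = []
    for res in compute:
        base = {"resource": res["name"], "resourceGroup": res["resourceGroup"],
                "resourceType": res["type"].rsplit("/", 1)[-1]}
        identities = list(identity_principals(res))
        if not identities:
            rows.append({**base, "identity": None, "principalId": None,
                         "role": None, "scope": None, "privileged": False})
            continue
        for pid, kind, name in identities:
            assignments = by_principal.get(pid) or [None]   # None => identity with no role
            for ra in assignments:
                rows.append({**base, "identity": f"{kind}:{name}", "principalId": pid,
                             "role": ra["roleDefinitionName"] if ra else None,
                             "scope": ra["scope"] if ra else None,
                             "privileged": bool(ra) and ra["roleDefinitionName"] in PRIVILEGED_ROLES})
    return rows


def privileged(rows):
    """Only the rows a SecOps analyst needs to act on."""
    return [r for r in rows if r["privileged"]]


def to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["resource", "resourceGroup", "resourceType", "identity",
                                        "principalId", "role", "scope", "privileged"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(audit(SAMPLE_COMPUTE, SAMPLE_ROLE_ASSIGNMENTS)))
```

On the sample data the only privileged finding is `batch01`, whose user-assigned identity holds Contributor on the whole subscription; `web01` (Reader on one resource group) and the system-assigned identity on `batch01` (no role at all) show up in the full report but not in the privileged view. An identity with no role assignment is itself worth a question: it was enabled but nothing uses it, or its role was granted at a scope the export did not cover.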
Scan Azure VMs in the same subnet with Nmap
Last weekend I made a small PoC to use Nmap to scan an Azure VM. I then came up with the idea of writing a script to scan all live hosts in the same subnet as a given VM. This article just shares the script I wrote. Below is the script:

#!/bin/bash
# This script is used with nmap (https://nmap.org/) to discover live hosts in the same subnet.
# Use this script for testing purposes only.
# You need the Reader role to get the VM's and network info before scanning with Nmap.
target_vm_resource_id="$1"
echo "[+] Target resource id: ${target_vm_resource_id}"
# Get network interface card …
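The part of that script that turns "the VM's NIC" into an Nmap target list, as an added example (not the author's bash). The NIC and subnet records are constructed in the shape `az network nic show` and `az network vnet subnet show` return; the example skips the addresses Azure reserves in every subnet (the first four and the last) and the source VM itself, which the page's excerpt does not get to.

```python
"""Compute the Nmap target list for the other hosts in a VM's subnet.

Added example, not the bash script from the post.  The NIC and subnet records
are constructed in the shape `az network nic show` / `az network vnet subnet show`
return.  Azure reserves the first four addresses and the last address of every
subnet, so those are skipped along with the VM's own address."""
import ipaddress
import shlex

SAMPLE_NIC = {  # constructed
    "name": "web01-nic",
    "ipConfigurations": [{
        "name": "ipconfig1",
        "privateIpAddress": "10.10.1.7",
        "subnet": {"id": "/subscriptions/s1/resourceGroups/net-rg/providers/"
                         "Microsoft.Network/virtualNetworks/prod-vnet/subnets/web"},
    }],
}
SAMPLE_SUBNET = {"name": "web", "addressPrefix": "10.10.1.0/27"}  # constructed


def azure_usable_hosts(prefix):
    """Addresses Azure can actually hand to a NIC in this subnet.

    list(net) includes the network and broadcast addresses; Azure keeps the
    network address, the gateway, two DNS-relay addresses and the broadcast."""
    net = ipaddress.ip_network(prefix, strict=True)
    return list(net)[4:-1]


def subnet_name_from_nic(nic):
    """The subnet id on the NIC is what you pass to `az network vnet subnet show`."""
    return nic["ipConfigurations"][0]["subnet"]["id"].rsplit("/", 1)[-1]


def scan_targets(nic, subnet):
    """Every usable address in the subnet except the scanning VM's own."""
    me = ipaddress.ip_address(nic["ipConfigurations"][0]["privateIpAddress"])
    hosts = azure_usable_hosts(subnet["addressPrefix"])
    if me not in hosts:
        raise ValueError(f"{me} is not a usable address in {subnet['addressPrefix']}")
    return [str(h) for h in hosts if h != me]


def nmap_command(targets, discovery_args=("-sn", "-PS22,80,443", "-PE")):
    """-sn: host discovery only, no port scan; -PS/-PE: TCP SYN and ICMP echo probes."""
    return " ".join(shlex.quote(a) for a in ("nmap", *discovery_args, *targets))


if __name__ == "__main__":
    print(nmap_command(scan_targets(SAMPLE_NIC, SAMPLE_SUBNET)))
```

The explicit list is the same set Nmap would cover with `nmap -sn 10.10.1.0/27 --exclude 10.10.1.7`, minus the five reserved addresses that can never answer; listing them out is mostly useful when you want to log exactly what was probed. Host discovery inside a VNet still goes through the NSGs on the target NICs and subnets, so a silent host is not necessarily an absent one.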
Acquire Access Token from Azure App Service (Linux) System-Assigned Managed Identity
I got a question from a friend last week about whether he should enable System-Assigned Managed Identity (SAMI) on an Azure App Service running on a Linux host. He also asked whether his developer team could use that SAMI to do anything evil in his cloud environment. Hopefully this article clarifies a few things and then shares a bash script to acquire the access token of an Azure App Service's SAMI. We all know that with the access token of a managed identity, a bad actor can sign in to Azure AD and start doing things in your environment. Depending on the role assignment, the access scope may vary. You ma …
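The token request the post's bash script makes, as an added Python example (not the author's script). The endpoint contract is Azure's: App Service injects `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` into the app's process (older hosts use `MSI_ENDPOINT`/`MSI_SECRET`), and a GET carrying the header back returns a token for the requested resource. The environment and the JWT below are constructed so the helpers run outside Azure; the claim names inspected (`oid`, `appid`, `tid`, `aud`, `xms_mirid`) are the ones Azure AD puts in managed-identity tokens, and the point for the friend's question is the last helper: the token tells you who the identity is, not what it may do, so the role assignments on that `oid` are what decide how much "evil" is possible.

```python
"""Acquire and inspect an access token from an App Service managed identity.

Added example (Python rather than the post's bash).  SAMPLE_ENV and SAMPLE_TOKEN
are constructed so the helpers can be exercised outside Azure; nothing in them
is real.  fetch_token() only works from inside the App Service process."""
import base64
import json
import os
import urllib.parse
import urllib.request

ARM_RESOURCE = "https://management.azure.com/"


def build_token_request(env, resource=ARM_RESOURCE, client_id=None):
    """Return (url, headers) for whichever identity endpoint `env` exposes.

    client_id selects a user-assigned identity; leave it None for the SAMI."""
    if env.get("IDENTITY_ENDPOINT") and env.get("IDENTITY_HEADER"):
        endpoint, api_version = env["IDENTITY_ENDPOINT"], "2019-08-01"
        headers = {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
    elif env.get("MSI_ENDPOINT") and env.get("MSI_SECRET"):
        endpoint, api_version = env["MSI_ENDPOINT"], "2017-09-01"
        headers = {"secret": env["MSI_SECRET"]}
    else:
        raise RuntimeError("no managed identity endpoint in the environment; is the identity enabled?")
    params = {"resource": resource, "api-version": api_version}
    if client_id:
        params["client_id"] = client_id
    return f"{endpoint}?{urllib.parse.urlencode(params)}", headers


def fetch_token(env=None, resource=ARM_RESOURCE):
    """Call the endpoint and return its JSON body (access_token, expires_on,
    resource, token_type).  Anything that can run code in the app can do this."""
    url, headers = build_token_request(env if env is not None else os.environ, resource)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature.  Fine for looking
    at a token you just obtained; never use this to trust a token you received."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def summarize(claims):
    """What an auditor wants from the token: which principal it is and which API
    it is for.  Role assignments are NOT in the token; look them up by `oid`."""
    return {"object_id": claims.get("oid"), "app_id": claims.get("appid"),
            "tenant": claims.get("tid"), "audience": claims.get("aud"),
            "identity_resource": claims.get("xms_mirid")}


# ---- constructed fixtures (not real values) --------------------------------
SAMPLE_ENV = {"IDENTITY_ENDPOINT": "http://127.0.0.1:41921/msi/token",
              "IDENTITY_HEADER": "constructed-header-secret"}


def _fake_jwt(payload):
    """Unsigned, constructed token: header.payload.junk-signature."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.c2ln"


SAMPLE_TOKEN = _fake_jwt({
    "aud": ARM_RESOURCE, "tid": "00000000-0000-0000-0000-000000000001",
    "oid": "44444444-4444-4444-4444-444444444444",
    "appid": "55555555-5555-5555-5555-555555555555",
    "xms_mirid": "/subscriptions/s1/resourcegroups/app-rg/providers/Microsoft.Web/sites/shop-api",
})

if __name__ == "__main__":
    print(build_token_request(SAMPLE_ENV))
    print(summarize(jwt_claims(SAMPLE_TOKEN)))
```

Two practical consequences follow from the code. The header value is a per-process secret that any library loaded into the app, or any developer with Kudu/SSH access, can read, so "can my developers use the SAMI" is answered by "yes, anyone who can run code in the app can". And because the token itself carries no permissions, the blast radius is set entirely by the role assignments on the identity's `oid`, which is the thing to audit and keep minimal.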
Audit Azure Web App against NotLegit vulnerability
Have you seen the research NotLegit: Azure App Service vulnerability exposed hundreds of source code repositories from Wiz? Basically, from their research, if your Azure App Service uses Local Git, your source code may have been exposed. As a SecOps analyst, you are responsible for auditing your Azure cloud environment to check whether any App Service is using Local Git. This article provides a script and an Azure Policy template to help you audit. The audit script is uploaded here. Provide the name of the report file and the location to store it. The script exports a CSV report to the given location …
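The audit itself, as an added Python example rather than the script linked from the post. Local Git deployment shows up as `scmType` equal to `LocalGit`, either at the top level of `az webapp config show` output or under `siteConfig` in the ARM `Microsoft.Web/sites` resource; the example reads both shapes and writes the same kind of CSV report the post describes. The site records are constructed.

```python
"""Audit App Services for Local Git deployment (the NotLegit exposure path).

Added example, not the script linked from the post.  SAMPLE_SITES is constructed
in the shape `az webapp config show` returns (scmType at top level); the
siteConfig nesting is the ARM Microsoft.Web/sites shape, handled for completeness."""
import csv
import io

SAMPLE_SITES = [  # constructed
    {"name": "shop-api", "resourceGroup": "prod-rg", "scmType": "LocalGit"},
    {"name": "shop-web", "resourceGroup": "prod-rg", "scmType": "GitHub"},
    {"name": "legacy-cms", "resourceGroup": "legacy-rg", "scmType": "LocalGit"},
    {"name": "intranet", "resourceGroup": "corp-rg", "scmType": "None"},
    {"name": "odd-shape", "resourceGroup": "corp-rg", "siteConfig": {"scmType": "LocalGit"}},
]

FIELDS = ["name", "resourceGroup", "scmType"]


def scm_type(site):
    """Deployment source of the app; 'None' when nothing is configured."""
    return site.get("scmType") or (site.get("siteConfig") or {}).get("scmType") or "None"


def uses_local_git(site):
    return scm_type(site).lower() == "localgit"


def audit_local_git(sites):
    """Rows for every app that deploys from Local Git."""
    return [{"name": s["name"], "resourceGroup": s["resourceGroup"], "scmType": scm_type(s)}
            for s in sites if uses_local_git(s)]


def _write(rows, fh):
    w = csv.DictWriter(fh, fieldnames=FIELDS)
    w.writeheader()
    w.writerows(rows)


def report_csv(sites):
    """The report as a string (what write_report puts on disk)."""
    buf = io.StringIO()
    _write(audit_local_git(sites), buf)
    return buf.getvalue()


def write_report(sites, path):
    """Export the CSV report to the location the caller supplies."""
    with open(path, "w", newline="") as fh:
        _write(audit_local_git(sites), fh)
    return path


if __name__ == "__main__":
    print(report_csv(SAMPLE_SITES), end="")
```

Feed it `az webapp list` followed by `az webapp config show` per app, or the equivalent Resource Graph query, and treat every row as an app whose `.git` directory may have been served; the report tells you where to look, not whether the repository was actually fetched.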
Notes on Azure Policy Exemption
There are several ways to exclude resources from being evaluated by Azure Policy. You can add a condition to the policy rule. You can also exclude scopes with notScopes. In this article, let's explore another feature, Azure Policy exemption, and then see how to deploy it as code. Feature Overview: Azure Policy Exemption is a feature that allows you to exempt a resource from evaluation by a policy assignment. That resource still counts toward overall compliance but isn't evaluated. Azure Policy Exemption has several differences compared with exclusion (notScopes): It supports expiration. W …
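A minimal "deploy it as code" version, as an added Bicep example (not the template from the post): a time-boxed waiver for a single VM against one assignment. The assignment id and VM name are parameters the deployer supplies; the expiry date and the description text are placeholders.

```bicep
// Added example (not from the original post): a resource-scoped, expiring
// exemption.  Deploy at the resource group that contains the VM.
param policyAssignmentId string   // /subscriptions/<sub>/providers/Microsoft.Authorization/policyAssignments/<name>
param vmName string
param expiresOn string = '2025-01-31T00:00:00Z'   // placeholder; pick a real review date

resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' existing = {
  name: vmName
}

resource exemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = {
  name: 'exempt-${vmName}-legacy-agent'
  scope: vm                          // only this VM, not the resource group
  properties: {
    policyAssignmentId: policyAssignmentId
    exemptionCategory: 'Waiver'      // 'Mitigated' when a compensating control exists
    expiresOn: expiresOn             // the one thing notScopes cannot give you
    displayName: 'Legacy agent waiver for ${vmName}'
    description: 'Risk accepted until the VM is decommissioned; ticket reference goes here.'
    // policyDefinitionReferenceIds: [ '<referenceId>' ]  // initiative assignments only:
    // exempt specific definitions instead of the whole initiative
  }
}
```

Because an exemption is itself a resource write (`Microsoft.Authorization/policyExemptions/write` in the activity log), it is also the thing to alert on: a waiver created outside this pipeline, or one without an `expiresOn`, is a compliance gap someone chose to open.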
Query vulnerable VMs against Log4Shell vulnerability in Azure
I was asked by people whether Microsoft Defender for Cloud had any information related to CVE-2021-44228 (Log4Shell), currently the hottest vulnerability. In this article, I would like to share a Resource Graph query to find virtual machines that are vulnerable to Log4Shell. Currently there are several vulnerability assessment solutions that can send data to Microsoft Defender for Cloud; common ones include Qualys (the built-in vulnerability assessment) and Rapid7. The Log Analytics agent would also report missing security patches on virtual …
Bulk upload Log4Shell IoC to Microsoft Sentinel Threat Intelligence
Log4Shell is an emerging threat and its exploit is still in the wild. As a SecOps analyst, your job is to monitor your cloud assets so that if there is any communication with a known IoC you can take proper action. In this article, I'd like to share a simple script to bulk upload known Log4Shell IoCs to Microsoft Sentinel Threat Intelligence (TI) so you can monitor them. Read the following article to learn more about the Microsoft Sentinel TI API: Azure Sentinel Threat Intelligence API. Download New-AzThreatIntelligenceIndicator.ps1 and run the following script: $WorkspaceRg = "azsec-corp …
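The preparation step behind a bulk upload, as an added Python example (not the author's New-AzThreatIntelligenceIndicator.ps1): turn a raw IoC list into the indicator objects the Sentinel TI API accepts, typing each value (IPv4/IPv6, domain, URL) into a STIX pattern, dropping duplicates and anything that cannot be typed. The feed is constructed and the addresses are documentation ranges, not real Log4Shell infrastructure; `source`, `threatTypes` and `confidence` are choices for the example.

```python
"""Build Microsoft Sentinel TI indicator bodies from a plain IoC list.

Added example, not the post's script.  Output objects are in the shape the
Sentinel threat-intelligence indicator API takes (kind 'indicator', STIX
pattern + patternType); posting them is left to the post's PowerShell or the
REST call from the linked API article.  SAMPLE_IOC_FEED is constructed."""
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed feed: documentation IPs/domains only, NOT real indicators.
SAMPLE_IOC_FEED = """\
# constructed Log4Shell-style IoC list for the example
198.51.100.23
203.0.113.77
198.51.100.23
evil-ldap.example.net
http://203.0.113.77:1389/Exploit.class
not an indicator
"""

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def _stix_value(v):
    return v.replace("\\", "\\\\").replace("'", "\\'")   # STIX string literal escaping


def classify(value):
    """Return (patternType, stixPattern) or None when the value has no usable type."""
    v = value.strip()
    try:
        ip = ipaddress.ip_address(v)
        kind = "ipv4-addr" if ip.version == 4 else "ipv6-addr"
        return kind, f"[{kind}:value = '{ip}']"
    except ValueError:
        pass
    if v.lower().startswith(("http://", "https://")) and urlparse(v).netloc:
        return "url", f"[url:value = '{_stix_value(v)}']"
    if DOMAIN_RE.match(v):
        return "domain-name", f"[domain-name:value = '{v.lower()}']"
    return None


def build_indicators(feed_text, source="azsec bulk upload", threat_types=("malicious-activity",),
                     confidence=80, valid_from=None):
    """Return (indicator bodies, skipped lines).  Comments and blanks are ignored,
    duplicates collapse on the STIX pattern so the same IP is uploaded once."""
    valid_from = valid_from or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    seen, indicators, skipped = set(), [], []
    for raw in feed_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        typed = classify(line)
        if typed is None:
            skipped.append(line)
            continue
        pattern_type, pattern = typed
        if pattern in seen:
            continue
        seen.add(pattern)
        indicators.append({"kind": "indicator", "properties": {
            "displayName": f"Log4Shell IoC {line}",
            "description": "Bulk-uploaded Log4Shell indicator (example)",
            "pattern": pattern, "patternType": pattern_type,
            "source": source, "threatTypes": list(threat_types),
            "confidence": confidence, "validFrom": valid_from}})
    return indicators, skipped


if __name__ == "__main__":
    objs, bad = build_indicators(SAMPLE_IOC_FEED)
    for o in objs:
        print(o["properties"]["patternType"], o["properties"]["pattern"])
    print("skipped:", bad)
```

The skipped list is worth logging rather than silently dropping: a feed line that fails to type is usually a formatting problem in the feed (a CIDR, a hash with a label glued on) and is exactly the indicator you would otherwise never match on.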
Detect Azure VM with a Public IP associated
Last week a friend asked me whether creating or updating a virtual machine with a public IP address associated to it was detectable. This is a very common requirement in cloud security monitoring. Exposing a workload (a virtual machine, say) directly to the Internet is never recommended; a VM exposed that way effectively becomes part of your security perimeter. In this article, let's see how we can trigger an alert when someone creates or updates a virtual machine that has a public IP address. Use Case: A virtual machine with Internet exposure is always at risk. Bad actors can try different vulnerabilities w …
Detect NSG inbound rule updated to allow All
A Network Security Group (NSG) is one of the most common features in Azure for strengthening your network defense. It lets you filter network traffic to and from Azure resources. Having an NSG in place doesn't always mean your network is secure: a misconfiguration such as an inbound rule that allows All is like an open door to adversaries. In this article, I would like to share a detection and monitoring use case to help detect whether someone created or updated an NSG inbound rule to allow everything. Use Case: An adversary will do as much as he can to weaken your network defense …
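The two detections from the "VM with a public IP" and "NSG inbound rule allowing All" use cases above, as one added Python example run over constructed activity records (not the author's rules). A public IP reaches a VM through its NIC, so the first check watches `Microsoft.Network/networkInterfaces/write` for an `ipConfigurations[].properties.publicIPAddress`; the second watches both the per-rule write and a whole-NSG write for an Inbound/Allow rule whose source is anyone and whose destination port is `*`. The event shape (operationName, caller, resourceId, the ARM request body of the write) is simplified; mapping it onto the AzureActivity table columns, and which of the Started/Succeeded records carries the body in your workspace, is an assumption to verify before wiring it into an analytics rule.

```python
"""Flag a NIC write that attaches a public IP and an NSG rule that allows all
inbound traffic, from constructed Azure activity records.

Added example for the two detection use cases in the text; not the author's
rules.  SAMPLE_EVENTS is constructed.  Real activity-log bodies arrive as a
JSON string in the record's properties, which detect() also accepts."""
import json

NIC_WRITE = "Microsoft.Network/networkInterfaces/write"
NSG_WRITE = "Microsoft.Network/networkSecurityGroups/write"
NSG_RULE_WRITE = "Microsoft.Network/networkSecurityGroups/securityRules/write"
# Source prefixes that mean "anyone": wildcards plus the Internet/Any service tags.
OPEN_SOURCES = {"*", "0.0.0.0/0", "::/0", "internet", "any"}

_PREFIX = "/subscriptions/s1/resourceGroups/prod-rg/providers/Microsoft.Network"
SAMPLE_EVENTS = [  # constructed
    {"operationName": NIC_WRITE, "caller": "alice@example.com",
     "resourceId": f"{_PREFIX}/networkInterfaces/web01-nic",
     "requestBody": json.dumps({"properties": {"ipConfigurations": [{"name": "ipconfig1", "properties": {
         "subnet": {"id": f"{_PREFIX}/virtualNetworks/prod-vnet/subnets/web"},
         "publicIPAddress": {"id": f"{_PREFIX}/publicIPAddresses/web01-pip"}}}]}})},
    {"operationName": NIC_WRITE, "caller": "bob@example.com",
     "resourceId": f"{_PREFIX}/networkInterfaces/db01-nic",
     "requestBody": {"properties": {"ipConfigurations": [{"name": "ipconfig1", "properties": {
         "subnet": {"id": f"{_PREFIX}/virtualNetworks/prod-vnet/subnets/db"}}}]}}},
    {"operationName": NSG_RULE_WRITE, "caller": "bob@example.com",
     "resourceId": f"{_PREFIX}/networkSecurityGroups/web-nsg/securityRules/AllowAnyInbound",
     "requestBody": {"properties": {"direction": "Inbound", "access": "Allow", "priority": 100,
                                    "protocol": "*", "sourceAddressPrefix": "*", "sourcePortRange": "*",
                                    "destinationAddressPrefix": "*", "destinationPortRange": "*"}}},
    {"operationName": NSG_WRITE, "caller": "carol@example.com",
     "resourceId": f"{_PREFIX}/networkSecurityGroups/app-nsg",
     "requestBody": {"properties": {"securityRules": [
         {"name": "AllowHttpsIn", "properties": {"direction": "Inbound", "access": "Allow", "priority": 200,
                                                "protocol": "Tcp", "sourceAddressPrefix": "Internet",
                                                "destinationPortRange": "443"}},
         {"name": "DenyAllIn", "properties": {"direction": "Inbound", "access": "Deny", "priority": 4096,
                                             "protocol": "*", "sourceAddressPrefix": "*",
                                             "destinationPortRange": "*"}}]}}},
]


def _source_is_any(props):
    prefixes = [props.get("sourceAddressPrefix")] + list(props.get("sourceAddressPrefixes") or [])
    return any(p and p.lower() in OPEN_SOURCES for p in prefixes)


def _ports_are_any(props):
    return props.get("destinationPortRange") == "*" or "*" in (props.get("destinationPortRanges") or [])


def rule_allows_all_inbound(props):
    """Inbound + Allow + source anyone + every destination port."""
    return (props.get("direction", "").lower() == "inbound"
            and props.get("access", "").lower() == "allow"
            and _source_is_any(props) and _ports_are_any(props))


def public_ips_in_nic(body):
    """(ipConfiguration name, public IP resource id) for each config that has one."""
    for ipc in (body.get("properties") or {}).get("ipConfigurations") or []:
        pip = (ipc.get("properties") or {}).get("publicIPAddress") or {}
        if pip.get("id"):
            yield ipc.get("name"), pip["id"]


def detect(events):
    alerts = []
    for ev in events:
        body = ev.get("requestBody") or {}
        if isinstance(body, str):          # activity log stores the body as a JSON string
            body = json.loads(body)
        op, who, res = ev.get("operationName"), ev.get("caller"), ev.get("resourceId", "")
        if op == NIC_WRITE:
            for ipc, pip in public_ips_in_nic(body):
                alerts.append({"rule": "vm-public-ip", "caller": who, "resource": res,
                               "detail": f"{ipc} -> {pip.rsplit('/', 1)[-1]}"})
        elif op == NSG_RULE_WRITE and rule_allows_all_inbound(body.get("properties") or {}):
            alerts.append({"rule": "nsg-allow-all-inbound", "caller": who, "resource": res,
                           "detail": res.rsplit("/", 1)[-1]})
        elif op == NSG_WRITE:
            for rule in (body.get("properties") or {}).get("securityRules") or []:
                if rule_allows_all_inbound(rule.get("properties") or {}):
                    alerts.append({"rule": "nsg-allow-all-inbound", "caller": who, "resource": res,
                                   "detail": rule.get("name")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample, `alice` attaching `web01-pip` and `bob` writing `AllowAnyInbound` fire; `carol`'s NSG does not, because `AllowHttpsIn` is open to the Internet on one port only and `DenyAllIn` is a deny. Whether a single exposed port should also alert is a policy choice; dropping the `_ports_are_any` clause turns the second detection into "any inbound allow from the Internet", which is the stricter reading of the use case.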