BadZure - Automating Vulnerable Azure AD Environments for Security Testing

BadZure is a Python-based tool designed to automate the setup of Azure Active Directory (now Microsoft Entra ID) tenants using Terraform.

It generates various entities and introduces common security misconfigurations, enabling the creation of vulnerable environments with multiple attack paths. This guide provides an overview of BadZure's capabilities, use cases, and how to get started.

Key Features of BadZure

  • Entity Creation: Automates the generation of users, groups, application registrations, service principals, and administrative units.

  • Security Misconfigurations: Randomly assigns Azure AD roles, Graph permissions, and application ownership privileges to simulate real-world vulnerabilities.

  • Attack Path Simulation: Creates unique attack paths by introducing misconfigurations that enable privilege escalation and account takeovers.

  • Initial Access Simulation: Supports password-based and token-based access scenarios to replicate account takeover techniques.

  • Quick Deployment and Cleanup: Facilitates rapid population and purging of Azure AD tenants for iterative testing.

Goals and Use Cases

BadZure was initially developed for the Azure AD Battle School: Hands-on Attack and Defense workshop at X33fcon 2023. Its primary use cases include:

  • Testing common Azure AD attack vectors.

  • Rapidly setting up misconfigured Azure AD lab environments.

  • Generating telemetry for detection control development.

  • Conducting purple team exercises in a controlled setting.

  • Providing hands-on training for Azure AD security.

  • Hosting dynamic Capture the Flag (CTF) events.

Attack Paths Simulated by BadZure

Initial Access

BadZure simulates initial access through two main methods:

  1. Password-Based Access:

    • Assigns randomly generated passwords to key accounts.

    • Generates a users.txt file for testing attacks like password spraying or credential stuffing.

  2. Token-Based Access:

    • Produces JWT access tokens for specific principals.

    • Simulates scenarios such as token theft via phishing or malware.

Privilege Escalation

BadZure introduces misconfigurations that allow privilege escalation:

  • Assigns high-privilege roles to users or service principals.

  • Grants excessive Graph API permissions to applications.

  • Configures users as owners of privileged applications.

These configurations enable scenarios such as service principal abuse and Graph API exploitation.

Getting Started with BadZure

Requirements

  1. Azure CLI: Install from the official Microsoft website.

  2. Terraform: Follow Terraform installation instructions.

  3. Azure AD Tenant: Create one by setting up an Azure subscription (no additional costs with the free Azure AD license).

Installation Steps

  1. Clone the repository:

git clone https://github.com/mvelazc0/BadZure
cd BadZure

  2. Create a virtual environment and install dependencies:

python -m venv venv
source venv/bin/activate  # For Unix/MacOS
venv\Scripts\activate     # For Windows
pip install -r requirements.txt

  3. Log in to Azure as a Global Administrator:

az login

Commands

  • Display help menu:

python badzure.py --help

  • Populate a tenant using the default configuration:

python badzure.py build

  • Populate a tenant with a custom configuration file:

python badzure.py build --config config.yml

  • View created resources:

python badzure.py show

  • Destroy all created identities:

python badzure.py destroy --verbose

Configuration File (YAML)

BadZure uses a YAML configuration file to define tenant setup details, including the number of users, groups, applications, administrative units, and attack paths.

Example Configuration

tenant:
  tenant_id: "your-tenant-id"
  domain: "your-domain.com"
  users: 30
  groups: 10
  applications: 10
  administrative_units: 10

attack_paths:
  attack_path_1:
    enabled: true
    initial_access: password
    privilege_escalation: ServicePrincipalAbuse
    method: AzureADRole
    entra_role: random

  attack_path_2:
    enabled: true
    initial_access: token
    privilege_escalation: ServicePrincipalAbuse
    method: GraphAPIPermission
    app_role: random

For more details on configuration options, refer to the project's documentation.
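A small pre-flight check for the attack_paths section of a config like the one above, written for this article rather than taken from BadZure itself. It assumes the config only contains nested mappings with scalar values (so a tiny indentation parser replaces PyYAML) and treats "each escalation method needs its own extra key" (entra_role for AzureADRole, app_role for GraphAPIPermission) as a rule read off the sample, not from the project's documentation.

```python
"""Added example, not BadZure's own code: sanity-check attack_paths in a
BadZure-style config with a tiny indentation parser (no PyYAML needed). The
per-method required key is an assumed rule read off the page's sample."""
ALLOWED_ACCESS = {"password", "token"}
METHOD_KEYS = {"AzureADRole": "entra_role", "GraphAPIPermission": "app_role"}

# Constructed sample: the page's first path kept, the second one deliberately broken.
SAMPLE = """attack_paths:
  attack_path_1:
    enabled: true
    initial_access: password
    method: AzureADRole
    entra_role : random
  attack_path_2:
    enabled: true
    initial_access: sms
    method: GraphAPIPermission
"""


def parse_simple_yaml(text):
    """Parse 'key: value' lines into nested dicts by indentation (values stay strings)."""
    root, stack = {}, []  # stack of (indent, mapping) for currently open parents
    for raw in filter(str.strip, text.splitlines()):
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip().strip('"')
        while stack and indent <= stack[-1][0]:
            stack.pop()  # a dedent closes the deeper mappings
        parent = stack[-1][1] if stack else root
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def validate_config(cfg):
    """Return a list of problems; an empty list means the enabled paths look sane."""
    problems = []
    for name, path in cfg.get("attack_paths", {}).items():
        if path.get("enabled") != "true":
            continue  # disabled paths are not deployed, so skip them
        if path.get("initial_access") not in ALLOWED_ACCESS:
            problems.append(f"{name}: initial_access must be password or token")
        needed = METHOD_KEYS.get(path.get("method"))
        if needed is None:
            problems.append(f"{name}: unknown method {path.get('method')!r}")
        elif needed not in path:
            problems.append(f"{name}: method {path['method']} needs {needed}")
    return problems
```

Running `validate_config(parse_simple_yaml(SAMPLE))` reports two problems for attack_path_2 and none for attack_path_1.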

Benefits for Security Practitioners

BadZure is an invaluable tool for security teams aiming to improve their understanding of Azure AD vulnerabilities. It allows red teams to experiment with attack vectors while enabling blue teams to enhance detection capabilities through telemetry analysis.

By simulating real-world scenarios in a controlled environment, BadZure supports continuous improvement in both offensive and defensive strategies. You can learn more and download BadZure on GitHub.
