Microsoft Azure Commercial Penetration Test Report 20190613
Prepared By:
Kratos SecureInfo
14130 Sullyfield Circle, Suite H
Chantilly, VA 20151
888.677.9351
Executive Summary
Background
Microsoft retained Kratos SecureInfo to perform a FedRAMP (Federal Risk and Authorization
Management Program) penetration test of Azure Commercial. The Azure Commercial penetration test
is a representation of the security posture as of the end date of penetration testing, prior to any
mitigation. This report provides the results of the activities performed and serves as a permanent record
of the penetration testing activities. The effort was performed offsite remotely from the Kratos
SecureInfo lab in Alexandria, Virginia between 1/21/2019 and 5/10/2019. The testing included
automated and manual activities using the penetration testing guidance found in the “FedRAMP
Penetration Test Guidance, version 2.0” document.
Findings
There were zero (0) high, one (1) moderate, six (6) low and six (6) false positive findings identified
during the penetration test. The findings by impact level chart summarizes the findings by impact level.
Detailed information about the findings is in “Appendix A – Findings”.
[Findings by impact level chart: HIGH 0, MODERATE 1, LOW 6, FALSE POSITIVE 6]
Table of Contents
Executive Summary............................................................................................................................1
Background ............................................................................................................................................... 1
Findings ..................................................................................................................................................... 1
Document Revision History ................................................................................................................2
Table of Contents ...............................................................................................................................3
Table of Figures .................................................................................................................................5
Table of Tables...................................................................................................................................6
1. Overview .......................................................................................................................................7
1.1. Timeline.............................................................................................................................................. 9
1.2. Scope .................................................................................................................................................. 9
1.3. Attack Vectors .................................................................................................................................... 9
2. Web Application .......................................................................................................................... 12
2.1. Web Application Overview .............................................................................................................. 12
2.2. Web Application Testing: Microsoft Azure Commercial Suite ......................................................... 12
2.2.1. Web Application Azure Commercial Discovery ........................................................................ 15
2.2.1.1. Publicly Available Information ........................................................................ 15
2.2.1.2. Application Architecture .................................................................................................... 15
2.2.1.3. Accounts, Roles, and Authorization Bounds ...................................................................... 15
2.2.1.4. Content and Functionality ................................................................................................. 16
2.2.1.5. User-Controlled Inputs....................................................................................................... 17
2.2.1.6. Server Configuration Checks .............................................................................................. 17
2.2.2. Web Application Azure Commercial Exploitation ..................................................................... 19
2.2.2.1. Un-credentialed exploitation of Azure Commercial .......................................................... 19
2.2.2.2. Authentication and Session Management......................................................................... 19
2.2.2.3. Authorization ..................................................................................................................... 27
2.2.2.4. Tenant to Tenant ............................................................................................................... 27
2.2.2.5. Application Logic ................................................................................................................ 27
2.2.2.6. Input Validation ................................................................................................................. 27
2.2.3. Web Application Azure Commercial Post-Exploitation ............................................................ 27
3. Mobile Application ....................................................................................................................... 28
3.1. Mobile Application Overview........................................................................................................... 28
4. Network....................................................................................................................................... 29
4.1. Network Overview ........................................................................................................................... 29
4.2. Network Discovery ........................................................................................................................... 29
4.2.1. Publicly Available Information ............................................................................... 29
4.2.2. Endpoint Enumeration .............................................................................................................. 30
4.2.3. Service Enumeration ................................................................................................................. 30
4.2.4. Operating System Fingerprinting .............................................................................................. 31
Table of Figures
Figure 1-1: Architecture Diagram ................................................................................................................. 8
Figure 2-1: Before Azure Web App Login Screen ........................................................................................ 19
Figure 2-2: Azure Web App Login Screen.................................................................................................... 20
Figure 2-3: Request for two-factor authentication..................................................................................... 20
Figure 2-4: Session Token Set ..................................................................................................................... 21
Figure 2-5: Session Cookie Set Correctly..................................................................................................... 22
Figure 2-6: Identifying WS-Federation Module .......................................................................................... 23
Figure 2-7: Request showing setting of arbitrary origin ............................................................................. 24
Figure 2-8: Response showing origin set .................................................................................................... 25
Figure 2-9: Browser setting origin in request headers and shown in response headers ........................... 26
Figure 2-10: Authorization Matrix .............................................................................................................. 27
Figure 4-1: Network Frequency Analysis .................................................................................................... 32
Figure 4-2: Host Discovery .......................................................................................................................... 32
Figure 4-3: Service Ping Discovery .............................................................................................................. 33
Figure 4-4: Directory listing......................................................................................................................... 33
Figure 4-5: Core Smoke test ........................................................................................................................ 34
Figure 4-6: Runtime Error ........................................................................................................................... 34
Figure 5-1: Spear Phishing Click through Chart........................................................................................... 37
Table of Tables
Table 1-1: FedRAMP Attack Vector Matrix ................................................................................................. 10
Table 2-1: Microsoft Azure OSINT............................................................................................................... 15
Table 2-2: Azure Commercial Architecture ................................................................................................. 15
Table 2-3: Azure Commercial Account Roles .............................................................................................. 16
Table 2-4: Configuration Vulnerabilities ..................................................................................................... 18
Table 4-1: Network OSINT........................................................................................................................... 30
Table 4-2: Externally Accessible Hosts ........................................................................................................ 30
Table 4-3: CSP External Services ................................................................................................................. 30
Table 4-4: Externally Identifiable Operating Systems ................................................................................. 31
Table 4-5: External Vulnerability Identification Data.................................................................................. 31
Table 5-1: OSINT ......................................................................................................................................... 35
Table 5-2: Employee Social Network Profiles Related to CSP ..................................................................... 36
Table 5-3: Public information...................................................................................................................... 36
Table 6-1: Potential Simulated Attack Vectors ........................................................................................... 38
Table 6-2: Internal Network Scan Results ................................................................................................... 39
Table 7-1: Physical Penetration Test Location Information ........................................................................ 43
1. Overview
Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that
provides a standardized approach to security assessment, authorization, and continuous monitoring for
Cloud Service Providers (CSP). Testing FedRAMP mandated security controls, specifically through
penetration tests, is an integral part of the FedRAMP process. Penetration tests are mandated by the
FedRAMP program for initial accreditation or to maintain certification under continuous monitoring.
Microsoft, hereinafter referred to as “CSP”, retained Kratos SecureInfo, an accredited FedRAMP
independent Third Party Assessment Organization (3PAO), to perform penetration testing of Azure
Commercial, hereinafter referred to as “CSP service”, using current FedRAMP penetration testing
guidance. Kratos SecureInfo conducted a proactive and authorized FedRAMP penetration test to validate
the FedRAMP security controls implemented on the CSP service. The primary goal for the FedRAMP
penetration test includes:
The CSP service is categorized as a FedRAMP Software as a Service (SaaS) cloud service model and is
offered by Microsoft so that customers can quickly build, test, deploy, and manage their applications,
services, and product development across a network of Microsoft-managed datacenters within the
United States. The Microsoft Azure platform delivers savings to the customer by providing software,
platform, and information technology (IT) infrastructure resources where and when they are needed
via the Internet.
The following CSP service architectural diagram provides a visual depiction of the system network
components that constitute the portions undergoing the FedRAMP penetration test.
[Figure 1-1: Architecture Diagram. Elements shown: Azure Commercial Accreditation Boundary; MSFT
CORPNet; Admin Interfaces; ADFS; Customer defined Interface; ExpressRoute; Internet; Commercial
Azure Datacenter; A10 DDOS; Core Routers; Customer IaaS (Storage, Compute, VNets, PaaS); Azure
Shared Services (Storage, Compute, VNets); MSFT 1st Party (Office, CRM, Bing, Xbox, etc.)]
During the penetration test, Kratos SecureInfo attempted to identify exploitable security weaknesses of
the CSP service including cloud service and application flaws, improper configurations, and end-user
behavior to evaluate the CSP’s security policy compliance, employees’ security awareness, and the
organization’s ability to identify and respond to security incidents. Findings were then validated,
documented, and given an appropriate impact rating which can be found in the “Appendix A – Findings”.
1.1. Timeline
The testing was performed remotely from the Kratos SecureInfo lab in Alexandria, Virginia between
1/21/2019 and 5/10/2019.
1.2. Scope
The scope for penetration testing included the agreed-upon FedRAMP attack vectors detailed in Table
1-1: FedRAMP Attack Vector Matrix, and authorized in the signed and approved Rules of Engagement
(RoE) submitted as part of the Security Assessment Plan (SAP) for the CSP service offering. In-scope
resources tested included, but were not limited to: network infrastructure, Internet-facing services such
as web applications, social engineering efforts directed at designated corporate employees, hosts, and
datacenter physical security.
During the engagement, Kratos SecureInfo did not perform any tests that would knowingly result in a
denial of service (DoS) to operations, networks, servers, or telephone systems. Additional detail can be
found in the CSP service penetration test RoE.
Columns: Attack Vector; Description; Implemented?; Technology Sections Tested by Attack Vector

EXTERNAL TO CORPORATE
Description: External Untrusted to Internal Untrusted. An internet-based attack attempting to gain
useful information about or access the target cloud system through an external corporate network
owned and operated by the CSP.
Implemented?: Implemented
Technology Sections Tested: ☐ Web Application; ☐ Mobile Application; ☐ Network; ☒ Social
Engineering; ☐ Internal Attack

EXTERNAL TO TARGET SYSTEM
Description: External Untrusted to External Trusted. An internet-based attack as an un-credentialed
third party attempting to gain unauthorized access to the target system.
Implemented?: Implemented
Technology Sections Tested: ☒ Web Application; ☐ Mobile Application; ☒ Network; ☐ Social
Engineering; ☐ Internal Attack

TARGET SYSTEM TO CSP MANAGEMENT SYSTEM
Description: External Trusted to Internal Trusted. An external attack as a credentialed system user
attempting to access the CSP management system or infrastructure.
Implemented?: Implemented
Technology Sections Tested: ☒ Web Application; ☐ Mobile Application; ☐ Network; ☐ Social
Engineering; ☐ Internal Attack

TENANT TO TENANT
Description: External Trusted to External Trusted. An external attack as a credentialed system user,
originating from a tenant environment instance, attempting to access or compromise a secondary
tenant instance within the target system.
Implemented?: Implemented
Technology Sections Tested: ☒ Web Application; ☐ Mobile Application; ☐ Network; ☐ Social
Engineering; ☐ Internal Attack

CORPORATE TO CSP MANAGEMENT SYSTEM
Description: Internal Untrusted to Internal Trusted. An internal attack attempting to access the target
management system from a system with an identified or simulated security weakness on the CSP
corporate network that mimics a malicious device.
Implemented?: Implemented
Technology Sections Tested: ☐ Web Application; ☐ Mobile Application; ☐ Network; ☐ Social
Engineering; ☒ Internal Attack

MOBILE APPLICATION
Description: External Untrusted to External Trusted. An attack that emulates a mobile application user
attempting to access the CSP target system or the CSP’s target system’s mobile application.
Implemented?: Not Implemented*
Technology Sections Tested: ☐ Web Application; ☒ Mobile Application; ☐ Network; ☐ Social
Engineering; ☐ Internal Attack

PHYSICAL PENETRATION TESTING
Description: External Untrusted to Internal Trusted. Ensure datacenter security doors are locked,
security alarms work, and security guards are present and alert as required by the CSP organization’s
security policies and procedures.
Implemented?: Implemented
Table 1-1: FedRAMP Attack Vector Matrix
Kratos SecureInfo, in collaboration with the CSP, determined that the Mobile Application FedRAMP
attack vector is not applicable. As per the SSP, the offering does not provide Mobile services and is not
included in this report.
Kratos SecureInfo, in collaboration with the CSP, determined that physical penetration testing is
applicable, as Microsoft is responsible for the security controls impacting the physical environment of
Azure. Physical security penetration tests will attempt to simulate an attack by an external untrusted
individual, including any rogue, untrusted Microsoft employee, against each datacenter processing
Azure data. Therefore, the physical penetration testing portion is included in this report.
2. Web Application
2.1. Web Application Overview
The FedRAMP penetration test of the CSP service included Internet-based attacks attempting to gain
unauthorized access to the CSP service web applications and the underlying Application Programming
Interface (API). Specifically, three (3) test cases cover at a minimum:
✓ A simulated Internet attack by an external un-credentialed entity (e.g. public) against the CSP
service web application(s).
✓ A simulated Internet attack by an external credentialed entity (e.g. customer) against the CSP
service management infrastructure.
✓ A simulated Internet attack by an external credentialed entity (e.g. customer #1) on a primary
tenant against a secondary tenant (e.g. customer #2).
URLs in Scope
https://account.activedirectory.windowsazure.com/
adnotifications.windowsazure.com
service.activedirectory.windowsazure.com
service-tip.activedirectory.windowsazure.com
https://acis.engineering.core.windows.net
https://acis-beta.engineering.core.windows.net
https://accounts.accesscontrol.windows.net
data-prod-cus.vaultcore.azure.net
data-prod-eas.vaultcore.azure.net
data-prod-eau.vaultcore.azure.net
data-prod-ejp.vaultcore.azure.net
data-prod-eu2.vaultcore.azure.net
data-prod-eus.vaultcore.azure.net
data-prod-neu.vaultcore.azure.net
data-prod-sau.vaultcore.azure.net
data-prod-sbr.vaultcore.azure.net
data-prod-scu.vaultcore.azure.net
data-prod-sea.vaultcore.azure.net
data-prod-weu.vaultcore.azure.net
data-prod-wjp.vaultcore.azure.net
data-prod-wus.vaultcore.azure.net
https://vault.azure.net
BL2PrdApp01-t1-dsts.dsts.core.windows.net
BL2PrdApp02-t1-dsts.dsts.core.windows.net
BL2PrdApp02-t2-dsts.dsts.core.windows.net
BL2PrdApp11-t1-dsts.dsts.core.windows.net
BL2PrdApp11-t2-dsts.dsts.core.windows.net
BL2PrdApp12-t1-dsts.dsts.core.windows.net
BL3PrdApp06-t1-dsts.dsts.core.windows.net
BL3PrdApp11-t1-dsts.dsts.core.windows.net
BL4PrdApp01-t1-dsts.dsts.core.windows.net
BN1PrdApp02-t1-dsts.dsts.core.windows.net
BN1PrdApp03-t1-dsts.dsts.core.windows.net
BN1PrdApp04-t1-dsts.dsts.core.windows.net
BN3PrdApp01-t1-dsts.dsts.core.windows.net
BN3PrdApp02-t1-dsts.dsts.core.windows.net
BN3PrdApp02-t2-dsts.dsts.core.windows.net
BN3PrdApp04-t1-dsts.dsts.core.windows.net
BN3PrdApp08-t1-dsts.dsts.core.windows.net
BY1PrdApp06-t1-dsts.dsts.core.windows.net
BY1PrdApp06-t2-dsts.dsts.core.windows.net
BY1PrdApp10-t1-dsts.dsts.core.windows.net
BY1PrdApp10-t2-dsts.dsts.core.windows.net
BY1PrdApp14-t1-dsts.dsts.core.windows.net
BY2PrdApp02-t1-dsts.dsts.core.windows.net
BY2PrdApp03-t1-dsts.dsts.core.windows.net
BY3PrdApp01-t1-dsts.dsts.core.windows.net
BY3PrdApp02-t1-dsts.dsts.core.windows.net
BY3PrdApp12-t1-dsts.dsts.core.windows.net
BY3PrdApp13-t1-dsts.dsts.core.windows.net
BY4PrdApp01-t1-dsts.dsts.core.windows.net
CH1PrdApp10-t1-dsts.dsts.core.windows.net
CH1PrdApp13-t1-dsts.dsts.core.windows.net
CH1PrdApp14-t1-dsts.dsts.core.windows.net
CH3PrdApp04-t1-dsts.dsts.core.windows.net
CH3PrdApp04-t2-dsts.dsts.core.windows.net
CH3PrdApp09-T1-dsts.dsts.core.windows.net
CH3PrdApp11-T1-dsts.dsts.core.windows.net
CH3PrdApp11-T2-dsts.dsts.core.windows.net
DM1PrdApp02-t1-dsts.dsts.core.windows.net
DM2PrdApp01-t1-dsts.dsts.core.windows.net
DM2PrdApp02-t1-dsts.dsts.core.windows.net
DM2PrdApp03-t1-dsts.dsts.core.windows.net
DM2PrdApp04-t1-dsts.dsts.core.windows.net
DM2PrdApp05-t1-dsts.dsts.core.windows.net
DM2PrdApp06-t1-dsts.dsts.core.windows.net
SN2PrdApp07-t1-dsts.dsts.core.windows.net
SN3PrdApp01-t1-dsts.dsts.core.windows.net
SN3PrdApp02-t1-dsts.dsts.core.windows.net
SN3PrdApp11-T1-dsts.dsts.core.windows.net
SN3PrdApp12-T1-dsts.dsts.core.windows.net
SN3PrdApp12-t2-dsts.dsts.core.windows.net
https://login.microsoftonline.com/
https://fabriclogs.cloudapp.net/
account.activedirectory.windowsazure.com
account-tip.activedirectory.windowsazure.com
https://icm.ad.msft.net/
https://jitaccess.security.core.windows.net/
https://jitaccess-validation.security.core.windows.net/
https://firstparty.monitoring.windows.net/
https://monitoring.windows.net/
https://production.billing.monitoring.core.windows.net/
https://production.diagnostics.monitoring.core.windows.net
https://production.runners.monitoring.core.windows.net
https://admin.core.windows.net
https://cache1.ext.azure.com
https://cache2.ext.azure.com
https://portal.aadrm.com
https://portal.azurerms.com
https://production.secretstore.core.windows.net
https://passwordreset.microsoftonline.com/
https://wanetmon.cloudapp.net
https://dm1prdstr06b.stamp-diagnostics.store.core.windows.net/cws/
https://dm1prdstr06b.stamp-diagnostics.store.core.windows.net/sds/
https://dm1prdstr06b.stamp-diagnostics.store.core.windows.net/
https://location.core.windows.net
https://storageaccount.core.windows.net
https://xlocationch3prod.location-diagnostics.store.core.windows.net/
However, many of these applications were not accessible. The list below therefore shows which web
applications could be accessed:
Accessible URLs
https://account.activedirectory.windowsazure.com/
https://acis.engineering.core.windows.net
https://acis-beta.engineering.core.windows.net
https://accounts.accesscontrol.windows.net
https://passwordreset.microsoftonline.com/
https://wanetmon.cloudapp.net
https://portal.azurerms.com
https://login.microsoftonline.com/
https://fabriclogs.cloudapp.net/
account.activedirectory.windowsazure.com
account-tip.activedirectory.windowsazure.com
https://icm.ad.msft.net/
https://jitaccess.security.core.windows.net/
https://jitaccess-validation.security.core.windows.net/
https://firstparty.monitoring.windows.net/
https://monitoring.windows.net/
https://production.billing.monitoring.core.windows.net/
https://production.diagnostics.monitoring.core.windows.net
Architecture Version
[To be inserted in the final version]
Table 2-2: Azure Commercial Architecture
The following JavaScript libraries, which are all out of date, are included on the server.
• angularjs 1.3.0 (portal.azurerms.com)
• angular-translate 2.7.2 (portal.azurerms.com)
• angular-translate 2.11.1 (icm.ad.msft.com)
• bootstrap 3.3.6 (icm.ad.msft.com)
• FastClick 0.6.12 (portal.azurerms.com)
• jQuery 1.12.1 (icm.ad.msft.com)
• jQuery 1.12.2 (account.activedirectory.windowsazure.com)
• jquery cookie plugin 1.4.1 (portal.azurerms.com)
• modernizr 3.0.0pre (icm.ad.msft.com)
• momentjs 2.10.6 (portal.azurerms.com)
• placeholder 2.0.9 (portal.azurerms.com)
• sizzle css 2.2.0-pre (portal.azurerms.com)
Testers were not able to confirm with certainty that the vulnerable functions were implemented in an
unsafe manner. A temporal CVSS score was documented to reflect this uncertainty.
Recommendation
Updating JS libraries is typically trivial. However, any change to the code, and especially a major version
change, should be tested before deployment. JS libraries typically do not contain major security
vulnerabilities, but they should be kept up to date regardless to prevent exploitation when one does
occur. A web vulnerability scanner or library manager should also be used to detect when software
becomes out of date and to aid in updating it.
The token needed for two-factor authentication can be obtained by a direct phone call, or by using
Microsoft Authenticator to verify the login. Once that is completed, a session token along with a session
cookie is created. Figure 2-4 and Figure 2-5 show the identified session token and the session cookie
being set, as well as the cookie’s proper flags.
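The flag review described above can be automated. The following is an added example (not code from the report or from Microsoft) that parses Set-Cookie headers from a captured login response and lists the attributes a session cookie should carry; the cookie names and values are constructed samples, not values observed on the in-scope applications.

```javascript
// Added example (not from the Kratos report or any Microsoft code): auditing
// Set-Cookie headers for the attributes a tester checks on a session cookie
// (Secure, HttpOnly, SameSite). The headers below are constructed samples.

const SAMPLE_SET_COOKIE_HEADERS = [
  'session=8f2c1a; Path=/; Secure; HttpOnly; SameSite=None',   // set correctly
  'authtoken=91bd07; Path=/; Secure',                           // missing HttpOnly, SameSite
  'prefs=lang%3Den; Path=/; Max-Age=31536000',                  // no protective flags at all
];

// Parse one Set-Cookie header into { name, value, attributes }. Attribute names
// are case-insensitive (RFC 6265), so they are stored lowercased; flag
// attributes without a value (Secure, HttpOnly) are stored as true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const value = eq === -1 ? '' : pair.slice(eq + 1).trim();
  const attributes = {};
  for (const part of attrParts) {
    const [key, ...rest] = part.trim().split('=');
    if (key) attributes[key.toLowerCase()] = rest.length ? rest.join('=') : true;
  }
  return { name, value, attributes };
}

// Return the problems found for a cookie that carries a session or auth token.
function auditSessionCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const problems = [];
  const secure = 'secure' in attributes;
  if (!secure) problems.push('missing Secure');                        // would travel over plain HTTP
  if (!('httponly' in attributes)) problems.push('missing HttpOnly');  // readable by page script
  const sameSite = attributes.samesite;
  if (sameSite === undefined) {
    problems.push('missing SameSite');
  } else if (String(sameSite).toLowerCase() === 'none' && !secure) {
    problems.push('SameSite=None requires Secure');                    // browsers reject the cookie
  }
  if (name.startsWith('__Host-') && (attributes.path !== '/' || 'domain' in attributes)) {
    problems.push('__Host- prefix requires Path=/ and no Domain');
  }
  return { name, problems };
}

// Audit every header in a response; returns one { name, problems } per cookie.
function auditAll(headers = SAMPLE_SET_COOKIE_HEADERS) {
  return headers.map(auditSessionCookie);
}

for (const { name, problems } of auditAll()) {
  console.log(`${name}: ${problems.length ? problems.join(', ') : 'OK'}`);
}
```

Run it against the Set-Cookie lines copied from an intercepting proxy; a cookie that holds a session token should come back with an empty problem list, as the first sample does.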
The Microsoft Azure Commercial suite uses the WS-Federation Authentication Module, as shown in
Figure 2-6 below. The WS-Federation module provides federated authentication to ASP.NET applications.
Testers did not discover any findings with the WS-Federation Authentication Module as used in the
Microsoft Azure suite authentication process.
Cross-origin resource sharing (CORS) vulnerabilities arise when a web application trusts arbitrary origins,
allowing two-way interaction by third-party web sites. The site specifies the header
Access-Control-Allow-Credentials: true, which gives an attacker the potential to carry out privileged
actions and retrieve sensitive information.
An attacker can use a CORS HTML page along with a valid domain and website. Figure 2-9 below shows
the browser setting the origin to the domain that makes the request while the user is in session.
Figure 2-9: Browser setting origin in request headers and shown in response headers
After successfully making a CORS request, an attacker can use this method to obtain privileged
application information.
Recommendation
Rather than using a wildcard or programmatically verifying supplied origins, the recommended course of
action would be to use a whitelist of trusted domains in order to prevent any untrusted third-party
domains from making a cross-site request.
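As an added illustration of the weakness and the recommendation above (example code written for this page, not from the report or from Microsoft), the following Node.js snippet contrasts a handler that reflects any Origin with one that applies an explicit allowlist of trusted origins. The origin names are constructed placeholders; the functions take the value of the request’s Origin header and return the CORS response headers to send.

```javascript
// Added example (not from the Kratos report or any Microsoft code): how a
// credentialed API decides its CORS response headers. The first policy echoes
// the caller's Origin (the behaviour the report describes); the second uses an
// explicit allowlist of trusted origins (the report's recommendation).

// Constructed sample allowlist; in practice this comes from deployment config.
const TRUSTED_ORIGINS = new Set([
  'https://portal.example.com',
  'https://admin.example.com',
]);

// Vulnerable policy: whatever Origin arrives is reflected together with
// Access-Control-Allow-Credentials: true, so a page on any third-party site can
// read the authenticated response of a user who is logged in to the API.
function corsHeadersReflecting(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Hardened policy: exact match against the allowlist after normalising the
// Origin to scheme://host[:port]. Substring or suffix matching is deliberately
// avoided because "https://evilportal.example.com" would satisfy a check such as
// origin.endsWith('portal.example.com'). The literal Origin "null" and anything
// that is not https fall through to "no CORS headers", which makes the browser
// refuse to expose the response to the calling page.
function corsHeadersAllowlisted(requestOrigin, allowlist = TRUSTED_ORIGINS) {
  if (!requestOrigin) return {};           // same-origin request or non-browser client
  let parsed;
  try {
    parsed = new URL(requestOrigin);       // throws on "null" and malformed values
  } catch {
    return {};
  }
  if (parsed.protocol !== 'https:') return {};
  const normalised = `${parsed.protocol}//${parsed.host}`;   // URL lowercases the host
  if (!allowlist.has(normalised)) return {};
  return {
    'Access-Control-Allow-Origin': normalised,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                      // caches must not reuse one origin's answer for another
  };
}

// Run both policies over a few constructed Origin values and return the
// Access-Control-Allow-Origin each would send (undefined = header not sent).
function comparePolicies(origins = [
  'https://portal.example.com',
  'https://evilportal.example.com',
  'http://portal.example.com',
  'https://attacker.example',
  'null',
]) {
  return origins.map((origin) => ({
    origin,
    reflecting: corsHeadersReflecting(origin)['Access-Control-Allow-Origin'],
    allowlisted: corsHeadersAllowlisted(origin)['Access-Control-Allow-Origin'],
  }));
}

console.table(comparePolicies());
```

The comparison table makes the difference visible in one glance: the reflecting policy answers every row, while the allowlisted policy answers only the exact trusted origin. Note that a wildcard `*` cannot be combined with credentials at all, since browsers reject that combination, which is why an explicit allowlist is the only workable fix for a credentialed API.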
2.2.2.3. Authorization
The Microsoft Azure Commercial defined roles were tested in an attempt to determine whether privilege
enforcement issues exist. For example, the testers were given vendor accounts as a means to gain user
access to the Microsoft Azure Commercial suite. Testers then attempted to gain and maintain escalated
privileges in order to make unauthorized administrative changes. However, the testers were
unsuccessful, and no findings were discovered.
3. Mobile Application
3.1. Mobile Application Overview
The FedRAMP defined mobile application attack vector emulates a malicious mobile user attempting to
access the CSP service offering, specifically targeting the mobile application infrastructure offered by the
tenant. Mobile application authorization boundaries are determined by the System Security Plan (SSP)
and the CSP service penetration test Rules of Engagement (RoE). For this engagement it was determined
that the mobile attack vector was not applicable. Further information as to why this vector was not
included can be found in the Attack Vectors section above.
4. Network
4.1. Network Overview
The FedRAMP penetration test of the CSP service included testing of the network infrastructure and
external security posture from the public Internet. The focus was to gain unauthorized access to the CSP
service via the network infrastructure. Specifically, tests simulated an attack by an external
un-credentialed entity (e.g. public) against the CSP service network infrastructure, as configured in a
production environment. In addition to the Network penetration test case(s), FedRAMP required the
following activities to be performed:
✓ Network discovery
✓ Network exploitation
✓ Network post-exploitation, if exploitation was successful
Successful exploitation of the external CSP service did not lead to new access path(s). FedRAMP required
post-exploitation activities to explore overall risk of a vulnerability to the CSP service as a whole. By
performing post-exploitation, it was possible to assess confidence that any impact of the vulnerability is
valid.
Publicly identified services: NMAP (HTTP_Services.csv)
Identified operating systems: NMAP (OS_Detect.csv)
[Figure 4-1: Network Frequency Analysis. Bar chart of in-scope IP address space by range (Public,
10.0.0.0, 192.168.0.0, 100.64.0.0); values shown: 85.90%, 12.53%, 1.18%, 0.07%.]
As shown by the frequency analysis, the IP address space available over the public Internet is limited to
1.18% of the overall scope, demonstrating a limited surface of public exposure. The testers used multiple
discovery techniques and different tools in an attempt to gain externally available information; however,
no such information was identified. Sample scan output demonstrating discovery is shown in Figure 4-2:
Host Discovery and Figure 4-3: Service Ping Discovery.
Discovery identified two publicly accessible web servers. Testers reviewed these available services to
identify any vulnerabilities. One host returned a directory listing containing 2 ASP.NET files and a web
configuration file. The directory listing is shown in Figure 4-4: Directory listing.
Reviewing the CoreSmoke ASP.NET file disclosed a few installed components; however, no version
numbers were identified, and there was no way to interact with the file beyond viewing its results. The
test results are shown in Figure 4-5: Core Smoke test.
Testers attempted to review the configuration file; however, an application error was returned and no
sensitive data could be obtained. This error is shown in Figure 4-6: Runtime Error.
After reviewing the contents of the web services and the version information disclosed remotely,
testers were unable to identify any paths of exploitation.
5. Social Engineering
5.1. Social Engineering Overview
The FedRAMP penetration test of the CSP service included an Internet-based attack attempting to gain
useful information about the CSP service offering. The primary goal of the social engineering effort is to
access the CSP service through the corporate network owned and operated by the CSP. The penetration
test attempted to simulate an attack by an external untrusted entity (i.e. public) against designated
in-scope CSP service personnel. A comprehensive Open Source Intelligence (OSINT) discovery process
along with a coordinated, but unannounced, spear phishing exercise was accomplished. The principal
reasoning is to gain insight into the possibility of exploiting weaknesses in the human factor, coupled
with leveraging corporate trust relationships, to obtain an access path into the CSP service. Only
employees who are affiliated with the CSP service, as determined by OSINT information, are targeted in
this test. The vector primarily involves public information gathering of any data of value to facilitate an
attack against the CSP service, followed by an unannounced spear phishing campaign. As stated in the
RoE, CSP service personnel were not targeted specifically to disclose Personally Identifiable Information
(PII), as defined by NIST Special Publication 800-122. The scope of the CSP service phishing
reconnaissance includes CSP service personnel with approved access to environments within the CSP
service accreditation boundary. The actual scope of the exercise was determined during the CSP service
Penetration Test RoE creation. During OSINT efforts, employees affiliated with the CSP service are
identified and included in the Social Engineering exploitation phase, which may additionally include an
agreed-upon sample of accounts provided by the CSP. In such cases, those personnel were incorporated
into the Social Engineering spear phishing campaign. Any employee determined to be no longer
employed by the CSP was removed from the scope, although still reported.
Description | Result
Social Engineering post-exploitation activities are not required by FedRAMP. Collection of statistics of the unannounced spear phishing campaign toward the CSP service system administrators on the approved list is, however, reportable to FedRAMP. The Spear Phishing campaign was unannounced and launched from the Kratos SecureInfo lab on 4/29/2019 at 16:45 EST. Spear Phishing ended on 5/3/2019 at 23:59 EST. | 99%
6. Internal Attack
6.1. Internal Attack Overview
The FedRAMP penetration tests included representative corporate assets to determine the security
posture against threats to the CSP originating from the corporate environment. The focus was to
identify and exploit vectors on corporate assets to access systems within the CSP service boundary.
Specifically, tests exploited any trust relationships between the CSP service and corporate environment
by simulating an internal attack by an internal credentialed entity against the CSP service management
infrastructure. In addition to the Internal Attack penetration test case(s), FedRAMP required the
following activities to be performed:
This exploit is done by booting the Windows machine to an installation copy of Windows 10. From the
initial installation screen, pressing Shift + F10 opens a Command Prompt window.
Once inside the command prompt, the penetration test team changed directories to the internal drive "C:"
and copied the executable that runs when Shift is pressed five times. This executable is named
"sethc.exe." By copying the Administrator command prompt, located at C:\windows\system32\cmd.exe,
and replacing "sethc.exe" with this "cmd.exe" executable, the penetration test team was able to
execute an Administrator command shell from the login screen of the Windows operating system.
Multifactor authentication was required to access the laptop. An approved VPN was required to access
the environment. Just-in-time (JIT) access is required to access any asset within the environment,
scoping the potential targets (beyond the actual laptop, which is a corporate asset) for compromise
down to only the Azure Jump Boxes. Risk is still present, but these mitigations and the reduced
scope of potential targets lower the likelihood of exploitation. This vulnerability is addressed as PF-
2019-1 in Appendix A.
Once an Administrator command prompt was obtained, the penetration test team used the “net user”
commands to reset the Administrator password to “MsftPassword1” and proceeded to log in as the
local Administrator on the Azure laptop.
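For a defender verifying that a corporate endpoint has not been modified in the way described above, the following PowerShell check is an added example and is not part of the Kratos report or the CSP's tooling. It assumes a Windows host where the genuine sethc.exe carries an OriginalFilename version-resource value of "sethc.exe" (an assumption about the binary's resource data), and it uses only standard cmdlets: a swapped-in copy of cmd.exe is byte-identical to cmd.exe and carries cmd.exe's version resource, so either check flags it. The second function looks for Security event ID 4724 (an attempt was made to reset an account's password) against the local Administrator account, which is the trace the password reset described above would leave in the event log.

```powershell
# Added example (not from the Kratos report). Run from an elevated PowerShell prompt.
# Assumption: the genuine accessibility binary reports OriginalFilename "sethc.exe".

function Test-SethcIntegrity {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $sethc    = Join-Path $system32 'sethc.exe'
    $cmd      = Join-Path $system32 'cmd.exe'

    # Check 1: a replaced sethc.exe is a copy of cmd.exe, so the SHA-256 hashes match.
    $sethcHash = (Get-FileHash -Algorithm SHA256 -Path $sethc).Hash
    $cmdHash   = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
    $sameAsCmd = ($sethcHash -eq $cmdHash)

    # Check 2: the version resource travels with the copied bytes, so a swapped file
    # reports cmd.exe's OriginalFilename instead of sethc.exe.
    $origName = (Get-Item $sethc).VersionInfo.OriginalFilename
    $nameMismatch = ($origName -notmatch '^sethc\.exe$')   # -notmatch is case-insensitive

    # Check 3: Authenticode status. Note that a renamed cmd.exe is still a Microsoft-signed
    # binary, so a Valid signature alone does not clear the file; checks 1 and 2 decide.
    $sig = Get-AuthenticodeSignature -FilePath $sethc

    [pscustomobject]@{
        Path             = $sethc
        SHA256           = $sethcHash
        HashMatchesCmd   = $sameAsCmd
        OriginalFilename = $origName
        SignatureStatus  = $sig.Status
        Suspicious       = ($sameAsCmd -or $nameMismatch)
    }
}

function Get-AdminPasswordResetEvents {
    param([int]$Days = 30)

    # Event 4724 is logged by the LSA when an account's password is reset by another
    # principal (as "net user Administrator <password>" does), even from a pre-logon shell.
    $filter = @{
        LogName   = 'Security'
        Id        = 4724
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Target Account:\s*Account Name:\s*Administrator' } |
        Select-Object TimeCreated, Id, MachineName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } }
}

$integrity = Test-SethcIntegrity
$integrity | Format-List

if ($integrity.Suspicious) {
    Write-Warning "sethc.exe does not look like the original accessibility binary; restore it with 'sfc /scannow' and investigate."
}

Get-AdminPasswordResetEvents -Days 30 | Format-Table -AutoSize
```

Because the replacement in the report was made offline from installation media, nothing in the running OS logs the file swap itself; the integrity check is therefore a post-boot control that has to run on a schedule or at logon, while the 4724 event covers the step that does execute under the running OS.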
7. Physical Security
7.1. Physical Security Overview
The FedRAMP penetration test of the CSP service included physical security tests attempting to circumvent
datacenter physical security to gain unauthorized access to critical CSP service assets. Physical security
penetration tests attempt to simulate an attack by an external untrusted individual, such as an
untrusted CSP employee, against each datacenter processing CSP service data. The CSP service
environment has 33 separate datacenters in the Commercial Cloud offering. The full datacenter reports
are available for review as part of the evidence package provided with this report. The scope of physical
security testing is described in the CSP service Penetration Testing RoE document attached as artifact
PT-001 in "Appendix C – Evidence". Detailed information about the datacenters is listed in Table 7-1.
Appendix A – Findings
Findings File
2019 Azure Commercial Penetration Test Findings.xlsx | This Excel spreadsheet contains penetration test findings. | Please see Appendix A - Findings.xlsx in the provided package.
Appendix C – Evidence
Evidence ID | Description | Test Section | Artifact
PT-001 | This artifact contains the Rules of Engagement (RoE) signed between Kratos SecureInfo and CSP. | Other | Please see PT-001 Rules of Engagement.pdf in the provided evidence package.
PT-002 | This artifact contains scanning evidence. | Networking | Please see PT-002 Network in the provided evidence package.
PT-003 | This artifact contains the recon-ng report. | Social Engineering | Please see PT-003 Reconng.html in the provided evidence package.
PT-004 | This artifact contains the Web Application Burp Report and intruder attack used to discover FPD. | Web Application | Please see PT-004 Burp Evidence in the provided evidence package.
PT-005 | This artifact contains the Dig results. | Other | Please see PT-005 Dig.txt in the provided evidence package.
PT-006 | This artifact contains screenshots showing JavaScript library versions. | Web Application | Please see PT-006 Outdated JavaScript Libraries.zip in the provided evidence package.