Azure Defender for ARM in Azure Security Center


Updated on December 8, 2020


In this article, I will share with you how to use advanced threat protection for the Azure Resource Manager (ARM) layer in Azure Security Center.

Introduction

Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:

  1. Cloud Security Posture Management (CSPM) – Help you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS). CSPM in Security Center is available for free to all Azure users.
  2. Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises or different clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts. CWPP is part of the Azure Defender plan (formerly known as the Standard Tier).

Azure Defender is an evolution of the threat-protection technologies in Azure Security Center, protecting Azure and hybrid environments. When you enable Azure Defender from the Pricing & settings area of Azure Security Center, all of its Defender plans are enabled at the same time and provide comprehensive defenses for the compute, data, and service layers of your environment.

Azure Security Center is continuously expanding. The Azure Security Center team has just announced the public preview of two new Azure Defender offerings: Advanced Threat Protection (ATP) for the Azure Resource Manager (ARM) layer and for the Azure DNS layer. These two offerings expand the breadth of Security Center's threat protection coverage for Azure environments.

In this article, I will share with you how to use advanced threat protection for the Azure Resource Manager (ARM) layer, and in the next article, I will share with you how to use advanced threat protection for the Azure DNS layer in Azure Security Center.

Prerequisites

To follow this article, you need to have the following:

  1. Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
  2. Azure Security Center with Azure Defender enabled, and the Azure Defender for Resource Manager plan enabled on the subscription under the Pricing & settings page. Note that there is no additional cost during the preview period.
  3. An Azure VM running in a subscription that has Azure Defender for Resource Manager enabled.

Simulate Azure Resource Management alert

Assuming you have all the prerequisites in place, take the following steps:

To simulate a possible attack on the Azure resource management layer, I will utilize a tool called PowerZure.

PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s Azure cloud platform. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources. You can read more about PowerZure here.

Download ‘PowerZure.ps1’ from the PowerZure GitHub repository here (I highly recommend downloading this file to a sandbox machine, not in your production machine) – Neither the author of the PowerZure project nor Microsoft are responsible for any damage that may happen to your machine as a result of downloading or running this file.

Next, run the ‘PowerZure.ps1’ script. You may be asked to install the PowerShell modules it depends on (Az and AzureAD). You may also need to set the security protocol to TLS 1.2 for the PowerShell Gallery download by running the following command:

# Set TLS version 1.2
# Note: the command below only affects the current PowerShell session and does not persist
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

After installing both modules, please open a new PowerShell window and re-import PowerZure to continue.

# Import PowerZure PowerShell module
Import-Module C:\Location\PowerZure.PS1

Login to your Azure environment by running the Connect-AzAccount cmdlet.

Next, set the subscription you would like to use by running the following command (select the subscription that has Azure Defender for Resource Manager enabled).

# If you have multiple subscriptions, set the default with Set-AzContext -Subscription <SubID>
Set-AzContext -Subscription <SubID>

Next, you need to create a new Azure Automation Account in your active subscription. Open the Azure portal and click All services in the upper left-hand corner. In the list of resources, type Automation; the list filters as you type. Select Automation Accounts and click + Add.

Select the desired Subscription, Resource group, and Location for the automation account, leave Create Azure Run As account set to Yes (the default at the time of writing, and the next step depends on the account having a Run As certificate), and then click ‘Create‘.

Once the Automation Account is created, run the ‘Get-AzureRunAsCertificate’ function of PowerZure as follows:

# Run the ‘Get-AzureRunAsCertificate’ function of PowerZure
Get-AzureRunAsCertificate -AutomationAccount <AutomationAccountName> -Verbose

The ‘Get-AzureRunAsCertificate‘ function gathers the Run As account's certificate if the automation account uses one; that certificate can then be used to log in as the Run As account. By default, Run As accounts are Contributors over the subscription, so this is a direct path from automation-account access to subscription-wide control.
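The steps above as one PowerShell session, written as an added example for this post (it is not code from the original post, from Microsoft, or from the PowerZure project). It assumes PowerZure was downloaded to C:\Tools\PowerZure\PowerZure.ps1, that the Az.Security module is installed, and it uses the placeholder names rg-defender-arm-lab and aa-defender-arm-lab for the resource group and the automation account you created in the portal. ‘Arm’ is the pricing-plan name the Az.Security module uses for Azure Defender for Resource Manager, and AzureRunAsCertificate is the default name of the certificate asset a Run As account creates.

```powershell
# Added example, not code from the original post, Microsoft or PowerZure.
# Assumptions: PowerZure at C:\Tools\PowerZure\PowerZure.ps1, Az.Security installed,
# and an automation account already created in the portal with a Run As account.

# 1. TLS 1.2 for PowerShell Gallery downloads (current session only, does not persist)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 2. Modules PowerZure depends on; installed once per user
foreach ($module in 'Az', 'AzureAD') {
    if (-not (Get-Module -ListAvailable -Name $module)) {
        Install-Module -Name $module -Scope CurrentUser -Force
    }
}

# 3. Import PowerZure from the sandbox machine's download location (assumed path)
Import-Module 'C:\Tools\PowerZure\PowerZure.ps1'

# 4. Sign in and pin the session to the subscription that has the plan enabled
Connect-AzAccount | Out-Null
$subscriptionId = '<SubID>'
Set-AzContext -Subscription $subscriptionId | Out-Null

# 5. Verify Azure Defender for Resource Manager is actually on before generating noise.
#    'Arm' is the pricing-plan name used by Az.Security for this plan.
$armPlan = Get-AzSecurityPricing -Name 'Arm'
if ($armPlan.PricingTier -ne 'Standard') {
    throw "Azure Defender for Resource Manager is not enabled on subscription $subscriptionId"
}

# 6. The automation account created in the portal above. New-AzAutomationAccount alone does
#    not create a Run As account, and without the certificate asset (AzureRunAsCertificate
#    by default) Get-AzureRunAsCertificate has nothing to export.
$resourceGroup     = 'rg-defender-arm-lab'   # assumed name
$automationAccount = 'aa-defender-arm-lab'   # assumed name
Get-AzAutomationAccount -ResourceGroupName $resourceGroup -Name $automationAccount -ErrorAction Stop | Out-Null
$runAsCert = Get-AzAutomationCertificate -ResourceGroupName $resourceGroup `
    -AutomationAccountName $automationAccount -Name 'AzureRunAsCertificate' -ErrorAction SilentlyContinue
if (-not $runAsCert) {
    throw "No Run As certificate on $automationAccount; create the Run As account in the portal first"
}

# 7. The PowerZure action that Azure Defender for Resource Manager is expected to flag
$startedAt = (Get-Date).ToUniversalTime()
Get-AzureRunAsCertificate -AutomationAccount $automationAccount -Verbose
Write-Host "Simulation started at $startedAt UTC; check the Security alerts dashboard after ~30 minutes"

# 8. Clean up. Anything PowerZure created inside the account goes away with the resource
#    group. Drop -WhatIf once you have confirmed the group only holds lab resources.
Remove-AzResourceGroup -Name $resourceGroup -Force -WhatIf
```

Keep the recorded start time: when the alert arrives, its timestamp should line up with the runbook and job operations this run wrote to the Activity Log, which is the first thing to check when triaging it.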

Please note that Advanced Threat Protection (ATP) for Azure Resource Manager can catch things more sophisticated than this; it is just a sample alert generated by PowerZure using an automation account. ATP can also detect when antimalware exclusions are added to, or real-time protection is disabled on, an IaaS VM that runs the Antimalware extension. Learn more about the current detection capabilities for the ARM layer in the summary section.

Clean up your environment after you have finished with PowerZure: remove all unfamiliar resources from your subscription and delete all unfamiliar user accounts in your environment.

Investigate security alerts for ARM

At this point, you just need to wait for the advanced threat detection engine to kick in, which can take a little while; in my example, it took around 30 minutes. I hope that Microsoft will improve the detection time once the public preview is over.

Once the detection takes place, a new alert with ‘High Severity‘ will be generated in Security Center | Security alerts dashboard, similar to the one below:


You can select any of the security alerts to view more details about this suspicious activity and Take Action >> as needed.


If you’ve already integrated Azure Security Center with Azure Monitor, then you will also receive a notification based on the action group that you specified. In my example, I am using email notifications. You can find more details on how to integrate Azure Security Center with Azure Monitor here.


And if you’ve connected Azure Security Center to Azure Sentinel which I highly recommend as described in this article, then you can see the same alerts with all relevant data needed for investigation and response as shown in the figure below:


And if you are leveraging the Workflow automation feature in Azure Security Center with a Logic App, for example to post a message on Microsoft Teams, then you will also receive the alert in your team channel.

That’s it there you have it!

How Azure Defender for ARM works

Azure Defender for Azure Resource Manager (ARM) protects your Azure resource management layer (Azure portal, Azure REST APIs, Azure CLI, Azure PowerShell module, and the Azure SDKs) against credential theft and malicious activity. Advanced Threat Protection in Azure Security Center continuously analyzes the resource management operations in your environment and detects suspicious highly privileged operations, as well as operations that may originate from unauthorized principals.

Advanced Threat Protection for the Azure Resource Management layer is agentless, you do not need to install any agent or software on the protected resources.
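To make "continuously analyzes the resource management operations" concrete, here is an added example (my own heuristics, not Microsoft's detection logic and not code from the original post) that runs three rules over constructed, simplified Activity Log records: a runbook created, published and started by one caller within minutes (the shape of a Run As certificate export), an Antimalware extension write that disables real-time protection or excludes a whole drive, and a Custom Script Extension write carrying an encoded or download-and-execute command. The operationName strings are real Resource Manager operation names; the record layout (time, caller, callerIp, operationName, resourceId, requestBody), the sample data, the principals and the thresholds are assumptions for illustration.

```powershell
# Added example: my own heuristics over constructed Activity Log-style records,
# not Microsoft's detection logic and not code from the original post.
# Real: the operationName strings. Assumed: record layout, sample data, thresholds.

# Constructed sample records (simplified activity-log shape)
$sampleEvents = @'
[
 {"time":"2020-12-08T09:00:05Z","caller":"attacker@contoso.com","callerIp":"203.0.113.7",
  "operationName":"Microsoft.Automation/automationAccounts/runbooks/write",
  "resourceId":"/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Automation/automationAccounts/aa1/runbooks/fe3a",
  "requestBody":""},
 {"time":"2020-12-08T09:00:09Z","caller":"attacker@contoso.com","callerIp":"203.0.113.7",
  "operationName":"Microsoft.Automation/automationAccounts/runbooks/publish/action",
  "resourceId":"/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Automation/automationAccounts/aa1/runbooks/fe3a",
  "requestBody":""},
 {"time":"2020-12-08T09:00:12Z","caller":"attacker@contoso.com","callerIp":"203.0.113.7",
  "operationName":"Microsoft.Automation/automationAccounts/jobs/write",
  "resourceId":"/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Automation/automationAccounts/aa1/jobs/7b2c",
  "requestBody":""},
 {"time":"2020-12-08T09:30:00Z","caller":"admin@contoso.com","callerIp":"198.51.100.4",
  "operationName":"Microsoft.Compute/virtualMachines/extensions/write",
  "resourceId":"/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1/extensions/IaaSAntimalware",
  "requestBody":"{\"properties\":{\"type\":\"IaaSAntimalware\",\"settings\":{\"AntimalwareEnabled\":true,\"RealtimeProtectionEnabled\":false,\"Exclusions\":{\"Paths\":\"C:\\\\\"}}}}"},
 {"time":"2020-12-08T09:31:10Z","caller":"admin@contoso.com","callerIp":"198.51.100.4",
  "operationName":"Microsoft.Compute/virtualMachines/extensions/write",
  "resourceId":"/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1/extensions/CustomScriptExtension",
  "requestBody":"{\"properties\":{\"type\":\"CustomScriptExtension\",\"protectedSettings\":{\"commandToExecute\":\"powershell -nop -w hidden -enc SQBFAFgAIAAoAE4A\"}}}"},
 {"time":"2020-12-08T10:00:00Z","caller":"admin@contoso.com","callerIp":"198.51.100.4",
  "operationName":"Microsoft.Compute/virtualMachines/restart/action",
  "resourceId":"/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1",
  "requestBody":""}
]
'@

function Find-SuspiciousArmOperations {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$KnownAutomationAdmins = @(),   # callers expected to manage runbooks
        [int]$RunbookWindowMinutes = 10
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $sorted   = @($Events | Sort-Object { [datetime]$_.time })

    # Rule 1: runbook create -> publish -> job start by one caller on one automation account
    # inside a short window: the shape of a Run As certificate export (PowerZure's
    # Get-AzureRunAsCertificate and the equivalent MicroBurst function).
    $sorted |
        Where-Object { $_.operationName -like 'Microsoft.Automation/automationAccounts/*' } |
        Group-Object { '{0}|{1}' -f $_.caller, ($_.resourceId -replace '/(runbooks|jobs)/.*$', '') } |
        ForEach-Object {
            $ops   = @($_.Group.operationName)
            $first = @($_.Group)[0]; $last = @($_.Group)[-1]
            $span  = ([datetime]$last.time) - ([datetime]$first.time)
            if ($ops -contains 'Microsoft.Automation/automationAccounts/runbooks/write' -and
                $ops -contains 'Microsoft.Automation/automationAccounts/runbooks/publish/action' -and
                $ops -contains 'Microsoft.Automation/automationAccounts/jobs/write' -and
                $span.TotalMinutes -le $RunbookWindowMinutes) {
                $caller, $account = $_.Name -split '\|', 2
                # The same sequence from an unfamiliar principal is the stronger signal
                $severity = if ($KnownAutomationAdmins -contains $caller) { 'Medium' } else { 'High' }
                $findings.Add([pscustomobject]@{
                    Severity = $severity
                    Rule     = "Runbook created, published and run within $RunbookWindowMinutes min (possible Run As credential export)"
                    Caller   = $caller; Resource = $account; Time = $first.time
                })
            }
        }

    # Rules 2 and 3: VM extension writes that weaken antimalware or push a suspicious script
    foreach ($e in $sorted) {
        if ($e.operationName -ne 'Microsoft.Compute/virtualMachines/extensions/write' -or -not $e.requestBody) { continue }
        $body    = $e.requestBody | ConvertFrom-Json
        $vm      = $e.resourceId -replace '/extensions/.*$', ''
        $reasons = @()
        switch ($body.properties.type) {
            'IaaSAntimalware' {
                $s = $body.properties.settings
                if ($s.AntimalwareEnabled -eq $false)              { $reasons += 'antimalware disabled' }
                if ($s.RealtimeProtectionEnabled -eq $false)       { $reasons += 'real-time protection disabled' }
                if ($s.Exclusions.Paths -match '^[A-Za-z]:\\?$|\*') { $reasons += "broad path exclusion '$($s.Exclusions.Paths)'" }
                elseif ($s.Exclusions.Paths)                       { $reasons += 'path exclusion added' }
            }
            'CustomScriptExtension' {
                # commandToExecute may sit in settings or protectedSettings; inspect both
                $cmd = @($body.properties.settings.commandToExecute, $body.properties.protectedSettings.commandToExecute) -join ' '
                if ($cmd -match '-enc(odedcommand)?\s|Invoke-Expression|\bIEX\b|DownloadString|certutil.*urlcache|/dev/tcp/|base64\s+-d') {
                    $reasons += "suspicious command '$cmd'"
                }
            }
        }
        if ($reasons) {
            $findings.Add([pscustomobject]@{
                Severity = 'High'; Rule = "$($body.properties.type) extension write: $($reasons -join '; ')"
                Caller = $e.caller; Resource = $vm; Time = $e.time
            })
        }
    }
    return $findings
}

$events  = $sampleEvents | ConvertFrom-Json
$results = Find-SuspiciousArmOperations -Events $events -KnownAutomationAdmins 'admin@contoso.com'
$results | Format-Table Severity, Rule, Caller, Resource, Time -AutoSize -Wrap
```

Against the constructed records this yields three findings (the runbook chain from attacker@contoso.com at High, and two High findings on vm1 for the antimalware and Custom Script Extension writes) and ignores the VM restart. The point of the grouping in rule 1 is the one the page makes about the management layer: none of the three automation operations is suspicious on its own, and only the sequence, the caller, and the timing make it an alert.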

Summary

In this article, I showed you how to use advanced threat protection for the Azure Resource Manager (ARM) layer in Azure Security Center.

Advanced Threat Protection (ATP) for Azure Resource Management provides additional security intelligence for the management layer that detects unusual and potentially harmful activities performed on the Azure Platform. At the time of this writing, Advanced Threat Protection (ATP) for Azure ARM provides you the following detection capabilities:

  • Usage of PowerZure exploitation toolkit to run an arbitrary code or exfiltrate Automation Account credentials (similar to what I have demonstrated in this article).
  • Usage of PowerZure persistence module to maintain persistence in your Azure environment.
  • Usage of MicroBurst exploitation toolkit to run an arbitrary code or exfiltrate Automation Account credentials.
  • Usage of NetSPI persistence technique to maintain persistence in your Azure environment.
  • Antimalware disablement in your virtual machine.
  • Antimalware temporarily disablement in your virtual machine.
  • Antimalware disablement and code execution in your virtual machine.
  • Antimalware file exclusion and code execution in your virtual machine.
  • Antimalware file exclusion in your virtual machine.
  • Antimalware broad files exclusion in your virtual machine.
  • Antimalware real-time protection was disabled in your virtual machine.
  • Antimalware real-time protection was disabled temporarily in your virtual machine.
  • Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine.
  • Custom script extension with suspicious command in your virtual machine.
  • Suspiciously failed execution of custom script extension in your virtual machine.
  • Custom script extension with suspicious entry-point in your virtual machine.

Additional resources I highly encourage you to check:

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
