Cybersecurity researchers have discovered a sophisticated attack technique that exploits Microsoft Azure Arc deployments to gain persistent access to enterprise environments.<\/p>\n
The research, conducted during recent red team operations, reveals how adversaries can leverage misconfigured Azure Arc<\/a> installations to escalate privileges from cloud environments to on-premises systems and maintain long-term persistence through legitimate Microsoft services.<\/p>\n Azure Arc, Microsoft\u2019s hybrid cloud management platform, extends Azure\u2019s native management capabilities to on-premises systems, Kubernetes clusters, and other non-Azure resources.<\/p>\n While designed to streamline hybrid infrastructure management, the service\u2019s deployment mechanisms and configuration processes have introduced new attack vectors that threat actors can exploit.<\/p>\n The research demonstrates how attackers can identify Arc deployments in enterprise environments and abuse common misconfigurations to achieve code execution with system-level privileges.<\/p>\n The attack techniques center around the exploitation of Service Principal credentials that are often hardcoded in deployment scripts or stored in accessible network<\/a> shares.<\/p>\n These credentials, originally intended for automated Arc client registration, can be recovered by attackers who gain access to deployment infrastructure or policy configurations.<\/p>\n Once obtained, these credentials can be weaponized to execute arbitrary code on Arc-managed systems through various Azure management interfaces.<\/p>\n IBM analysts identified<\/a> multiple deployment vectors that introduce security vulnerabilities, including PowerShell scripts with embedded secrets, misconfigured System Center Configuration Manager (SCCM) deployments, and Group Policy Objects (GPOs) that store encrypted credentials using DPAPI-NG.<\/p>\n The research team noted that these deployment methods, while following Microsoft\u2019s official guidance, often result in credential exposure due to overly permissive access controls and inadequate secret management practices.<\/p>\n The most significant finding involves the exploitation of DPAPI-NG encrypted secrets stored in Azure Arc deployment shares.<\/p>\n When Arc is deployed via Group Policy, administrators create network shares containing deployment files, including an \u201cencryptedServicePrincipalSecret\u201d file protected by DPAPI-NG encryption.<\/p>\n However, this encryption is configured to allow any member of the domain computers group to decrypt the secret, effectively making it accessible to any compromised system in the domain.<\/p>\n The decryption process involves accessing the deployment share and using PowerShell<\/a> commands to retrieve the encrypted blob.<\/p>\n Attackers can execute the following technique from any system with NT_AUTHORITYSYSTEM privileges:-<\/p>\n This credential recovery method provides attackers with Service Principal access that can be immediately weaponized for code execution on Arc-managed systems.<\/p>\n The research demonstrates that these recovered credentials often possess elevated privileges beyond their intended scope, including the \u201cAzure Connected Machine Resource Administrator\u201d role, which grants comprehensive management capabilities over Arc deployments.<\/p>\n Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions ->\u00a0Try ANY.RUN now<\/strong><\/a><\/p>\n The post Researchers Uncover New Technique to Exploit Azure Arc for Hybrid Escalation in Enterprise Environment and Maintain Persistence<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEitFSr3VzPEQ9uMSBA5TdSm1V7e6KkK6WmCHICmM6f_9NXx_xmeHW2GTcIaJU8SZQd50KXxDIFtFrcYa4Xk9lTUE2CQkEwnrTF01fYyWOQBCvvkkKRSE5ZpZWI9hVALN5LjRsgNXib6L5_SENSIVxZTaBJcmloQlKEbNYxtm0insgvwp8CLmnhg4KxfH60\/s16000\/Arc%2520management%2520overview%2520window%2520%28Source%2520-%2520IBM%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgLVesm5qgCsSQXuthPUHCahsjEudgHBByb6O45PIx2g19E5ZNI_hGvWvuksvUVFY5Ut3me_dmV-FFcWA0wXskTu5uiGyaiZteiK7io_CVL9DhIXbqRkERnsmZGFOPIJWV9BS3gmede0MdxTzm5PjbQsmwfW0-itTbnUUm_u00853u4ObMEHNgYS6CIlSA\/s16000\/Assigning%2520roles%2520as%2520a%2520part%2520of%2520Service%2520Principal%2520creation%2520%28Source%2520-%2520IBM%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgFA0rzRd-PBXRGEXpeBDp5g5SSkXwV_z2Qq2NhyvrSrsWat993HKPPNG3zragBsguKLZ6AihmFCmdzYCC0BhunJdpbFE7GYJxvgG7stSP6Mshta2cAAUVzAZIzAn8Vqgq5bALU8cQaORodIudzSv6awu4PjefmC_tOOOcTZi1fyGkKsxvrzFrfKEEOCDE\/s16000\/Recovering%2520SCCM%2520script%2520used%2520to%2520deploy%2520Arc%2520from%2520SCCM%2520site%2520database%2520with%2520SQLRecon%2520%28Source%2520-%2520IBM%29.webp?ssl=1\")
DPAPI-NG Exploitation and Credential Recovery<\/strong><\/h2>\n
$encryptedSecret = Get-Content (Join-Path $SourceFilesFullPath \"encryptedServicePrincipalSecret\")\n# DPAPI-NG blob configured to allow any member of domain computers group to decrypt<\/code><\/pre>\n