Azure App Services stores encrypted tokens for authenticated sessions that can be decrypted by users with Contributor permissions, enabling access to applications as other users. A PowerShell tool has been developed to automate the extraction and decryption of these tokens, aiding penetration testers in simulating real-world attacks. #AzureAppServices #EasyAuth #GetAzWebAppTokens
Keypoints
- Azure App Services supports multiple identity providers and encrypts tokens on the host system for authenticated sessions.
- Tokens and the decryption key are accessible to users with Contributor permissions on the App Services resource.
- A PowerShell function (Get-AzWebAppTokens) has been added to the MicroBurst repository to automate token extraction and decryption.
- The tokens are stored in JSON files on the App Services container file system, accessible via commands run on the container using the Kudu API endpoint.
- The function currently supports Microsoft Identity Provider configurations and requires management scoped tokens for execution.
- Detection opportunities include monitoring Azure Diagnostic Logs for command execution via Kudu APIs under HTTP Logs.
- The tool is designed to assist penetration testers in replicating token dumping attacks to improve detection capabilities.
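The detection opportunity named above (Kudu command execution showing up in App Service HTTP logs) can be turned into a concrete check. The following is an added example written for this summary, not code from the MicroBurst project or the original post: it scans exported App Service HTTP log records for POST requests to the Kudu `/api/command` endpoint on the `.scm.azurewebsites.net` host and reports who ran commands and whether they succeeded. The sample records are constructed, and the field names (`CsHost`, `CsUriStem`, `CsMethod`, `ScStatus`, `CIp`, `UserAgent`, `TimeGenerated`) follow the AppServiceHTTPLogs schema as I understand it, which is an assumption.

```python
"""Flag Kudu /api/command executions in exported App Service HTTP logs (added example)."""
import json
from collections import Counter

KUDU_COMMAND_PATH = "/api/command"             # endpoint named in the summary above
KUDU_HOST_SUFFIX = ".scm.azurewebsites.net"    # Kudu/SCM site host suffix (assumption)

# Constructed sample log lines (one JSON record per line). Field names are modelled on the
# AppServiceHTTPLogs schema; this is an assumption, not data from the original post.
SAMPLE_HTTP_LOGS = "\n".join(json.dumps(r) for r in [
    {"TimeGenerated": "2024-05-01T10:00:01Z", "CsHost": "contoso-app.azurewebsites.net",
     "CsMethod": "GET", "CsUriStem": "/index.html", "ScStatus": 200,
     "CIp": "198.51.100.10", "UserAgent": "Mozilla/5.0"},
    {"TimeGenerated": "2024-05-01T10:02:17Z", "CsHost": "contoso-app.scm.azurewebsites.net",
     "CsMethod": "POST", "CsUriStem": "/api/zipdeploy", "ScStatus": 200,
     "CIp": "198.51.100.20", "UserAgent": "deployment-pipeline"},
    {"TimeGenerated": "2024-05-01T10:05:42Z", "CsHost": "contoso-app.scm.azurewebsites.net",
     "CsMethod": "POST", "CsUriStem": "/api/command", "ScStatus": 200,
     "CIp": "203.0.113.5", "UserAgent": "PowerShell-client"},
    {"TimeGenerated": "2024-05-01T10:05:50Z", "CsHost": "contoso-app.scm.azurewebsites.net",
     "CsMethod": "POST", "CsUriStem": "/api/command/", "ScStatus": 200,
     "CIp": "203.0.113.5", "UserAgent": "PowerShell-client"},
    {"TimeGenerated": "2024-05-01T11:00:00Z", "CsHost": "contoso-app.scm.azurewebsites.net",
     "CsMethod": "POST", "CsUriStem": "/api/command", "ScStatus": 401,
     "CIp": "192.0.2.77", "UserAgent": "curl/8.0"},
])


def parse_http_logs(text):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_kudu_command_request(rec):
    """True for a POST to /api/command on the Kudu (SCM) host of an app."""
    host = rec.get("CsHost", "").lower()
    path = rec.get("CsUriStem", "").lower().rstrip("/")
    return (host.endswith(KUDU_HOST_SUFFIX)
            and rec.get("CsMethod", "").upper() == "POST"
            and path == KUDU_COMMAND_PATH)


def find_kudu_command_executions(text):
    """Return one finding per command-execution request, successful or not."""
    findings = []
    for rec in parse_http_logs(text):
        if is_kudu_command_request(rec):
            findings.append({
                "time": rec.get("TimeGenerated"),
                "app": rec["CsHost"].split(".")[0],   # app name is the first host label
                "source_ip": rec.get("CIp"),
                "status": rec.get("ScStatus"),
                "succeeded": rec.get("ScStatus") == 200,
                "user_agent": rec.get("UserAgent", ""),
            })
    return findings


def summarize_by_source(findings):
    """Count successful command executions per source IP for triage."""
    counts = Counter(f["source_ip"] for f in findings if f["succeeded"])
    return dict(counts)


if __name__ == "__main__":
    hits = find_kudu_command_executions(SAMPLE_HTTP_LOGS)
    for h in hits:
        print(f'{h["time"]} app={h["app"]} ip={h["source_ip"]} '
              f'status={h["status"]} ua="{h["user_agent"]}"')
    print("successful executions by source:", summarize_by_source(hits))
```

The same logic maps directly onto a scheduled query against the HTTP Logs category enabled in the App Service diagnostic settings; the useful triage step is to compare the source IPs and user agents of successful `/api/command` POSTs against the deployment pipelines and administrators expected to use the Kudu site, since legitimate deployments typically use other Kudu endpoints rather than arbitrary command execution.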
MITRE Techniques
- [T1550] Use of Application Access Tokens: decrypting and abusing tokens stored in Azure App Services to access applications as other users ("...decrypt the token files with the extracted key...").
- [T1059] Command and Scripting Interpreter: executing OS commands on App Services containers via the Kudu API endpoint to retrieve tokens and environment variables ("...run operating system commands on the application containers...").
Indicators of Compromise
- [File Path] Encrypted token file locations: Linux: /home/data/.auth/tokens, Windows: C:\home\data\.auth\tokens
- [API Endpoint] Kudu API command execution endpoint: /api/command, used for running commands on App Services containers
- [PowerShell Script] Get-AzWebAppTokens.ps1: PowerShell tool script used for automating token extraction and decryption