Extensible Azure Security Tool (later referred to as E.A.S.T) is a tool for assessing Azure and, to some extent, Azure AD security controls. The primary use case of EAST is security data collection for evaluation in Azure assessments. This information (JSON content) can then be used in various reporting tools, which we use to further correlate and investigate the data.
This tool is licensed under MIT license.
```bash
git diff HEAD^1
```

¹ as content.json has a predetermined order of results.

⚠️ Word of caution: if you want to check deltas of content.json, then content.json will need to be "unignored" from .gitignore, exposing results to any upstream you might have configured.

Note: Use this feature with caution, and ensure you don't have a public upstream set for the branch you are using this feature for.
Change of programming patterns to avoid possible race conditions with larger datasets. This is mostly a change from using `var` to `let` in `for await`-style loops.
⚠️ Current status of the tool is beta
`exec()` – While I have not reviewed all paths, I believe that achieving shellcode execution is trivial. This tool does not assume hostile input, thus the recommendation is that you don't paste launch arguments into the command line without reviewing them first.

To reduce the amount of code, the following dependencies are used for operation and aesthetics (kudos to the maintainers of these fantastic packages):
package | aesthetics | operation | license |
---|---|---|---|
axios | | ✅ | MIT |
yargs | | ✅ | MIT |
jsonwebtoken | | ✅ | MIT |
chalk | ✅ | | MIT |
js-beautify | ✅ | | MIT |
Other dependencies for running the tool. If you are planning to run this in Azure Cloud Shell you don't need to install Azure CLI:

Azure Cloud Shell (BASH) or applicable Linux distro / WSL

Requirement | description | Install |
---|---|---|
✅ AZ CLI | AZCLI USE | `curl -sL https://aka.ms/InstallAzureCLIDeb \| sudo bash` |
✅ Node.js runtime 14 | Node.js runtime for EAST | install with NVM |
EAST provides three categories of controls: Basic, Advanced, and Composite
The machine readable control looks like this, regardless of the type (Basic/advanced/composite):
```json
{
  "name": "fn-sql-2079",
  "resource": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",
  "controlId": "managedIdentity",
  "isHealthy": true,
  "id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",
  "Description": "\r\n Ensure The Service calls downstream resources with managed identity",
  "metadata": {
    "principalId": {
      "type": "SystemAssigned",
      "tenantId": "033794f5-7c9d-4e98-923d-7b49114b7ac3",
      "principalId": "cb073f1e-03bc-440e-874d-5ed3ce6df7f8"
    },
    "roles": [
      {
        "role": [
          {
            "properties": {
              "roleDefinitionId": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
              "principalId": "cb073f1e-03bc-440e-874d-5ed3ce6df7f8",
              "scope": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079",
              "createdOn": "2021-12-27T06:03:09.7052113Z",
              "updatedOn": "2021-12-27T06:03:09.7052113Z",
              "createdBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851",
              "updatedBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851"
            },
            "id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079/providers/Microsoft.Authorization/roleAssignments/ada69f21-790e-4386-9f47-c9b8a8c15674",
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "ada69f21-790e-4386-9f47-c9b8a8c15674",
            "RoleName": "Contributor"
          }
        ]
      }
    ]
  },
  "category": "Access"
}
```
Basic controls include checks on the initial ARM object for simple “toggle on/off”- boolean settings of said service.
Example: Azure Container Registry adminUser
Advanced controls include checks beyond the initial ARM object, often invoking new requests to get further information about the resource in scope and its relation to other services.
Example: Role Assignments
Besides checking the role assignments of the subscription, an additional check is performed via Azure AD Conditional Access reporting for MFA, and that privileged accounts are not protected only by passwords (SPNs with client secrets).
Example: Azure Data Factory
Azure Data Factory pipeline mapping combines pipelines -> activities -> data targets together and then checks for secrets leaked in the logs via the run history of the said activities.
Composite controls combine two or more control results from the pipeline in order to form one or more new controls. Using composites solves two use cases for EAST.
Example: composite_resolve_alerts
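The following is an added example, not EAST's own code: a basic control (the Azure Container Registry adminUser toggle mentioned above), a second basic control that exists only to feed a composite, and a composite that combines both, all emitting the same record shape as the machine-readable control shown earlier. The ARM object, its resource ID, the `publicNetworkAccess` control and the composite name `composite_acrExposure` are constructed for the example; EAST's real controls are defined in its own plugin files.

```javascript
// Added example, not EAST's own code. Demonstrates the basic -> composite
// pipeline over the record shape shown above. All IDs and names are constructed.

// Constructed ARM object for a container registry (not a real resource).
const sampleAcr = {
  id: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.ContainerRegistry/registries/acrdemo",
  name: "acrdemo",
  type: "Microsoft.ContainerRegistry/registries",
  properties: { adminUserEnabled: true, publicNetworkAccess: "Enabled" },
};

// Every control record uses the same shape regardless of control type.
function controlRecord(resource, controlId, isHealthy, description, metadata, category) {
  const id = resource.id.toLowerCase(); // the example record above stores lower-cased resource IDs
  return { name: resource.name, resource: id, controlId, isHealthy, id, Description: description, metadata, category };
}

// Basic control: a single boolean toggle read from the initial ARM object.
function acrAdminUserControl(resource) {
  const enabled = Boolean(resource.properties && resource.properties.adminUserEnabled);
  return controlRecord(resource, "adminUser", !enabled,
    "Ensure the registry admin user (shared, password-based login) is disabled",
    { adminUserEnabled: enabled }, "Access");
}

// Hypothetical second basic control, included so the composite has two inputs.
function acrPublicNetworkControl(resource) {
  const access = (resource.properties && resource.properties.publicNetworkAccess) || "Enabled";
  const exposed = access !== "Disabled";
  return controlRecord(resource, "publicNetworkAccess", !exposed,
    "Ensure the registry is not reachable from public networks",
    { publicNetworkAccess: access }, "Network");
}

// Composite control: groups earlier results by resource and derives one new
// control per resource. It is healthy only when every input control is healthy.
function compositeControl(controlId, description, inputs) {
  const byResource = new Map();
  for (const r of inputs) {
    if (!byResource.has(r.resource)) byResource.set(r.resource, []);
    byResource.get(r.resource).push(r);
  }
  return Array.from(byResource, ([resourceId, results]) => ({
    name: results[0].name,
    resource: resourceId,
    controlId,
    isHealthy: results.every((r) => r.isHealthy),
    id: resourceId,
    Description: description,
    metadata: { inputs: results.map((r) => ({ controlId: r.controlId, isHealthy: r.isHealthy })) },
    category: "Composite",
  }));
}

// Pipeline: basic controls first, then the composite built from their results.
function runPipeline(resources) {
  const basic = resources.flatMap((r) => [acrAdminUserControl(r), acrPublicNetworkControl(r)]);
  const composite = compositeControl(
    "composite_acrExposure", // hypothetical composite name
    "Registry is neither publicly reachable nor admin-user enabled",
    basic.filter((r) => r.controlId === "adminUser" || r.controlId === "publicNetworkAccess"),
  );
  return basic.concat(composite);
}

console.log(JSON.stringify(runPipeline([sampleAcr]), null, 2));
```

Running the block prints three records for the sample registry: both basic controls are unhealthy (admin user on, public access on), so the composite is unhealthy too; flipping both properties in the ARM object turns all three healthy, and flipping only one keeps the composite unhealthy, which is the point of combining them.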
EAST is not focused on providing automated report generation, as it mostly provides JSON files with control and evaluation status. The idea is to use separate tooling to create reports, which is fairly trivial to automate via markdown creation scripts and tools such as Pandoc.
While this tool does not distribute pandoc, it can be used when creating the reports, thus the following citation is added: https://github.com/jgm/pandoc/blob/master/CITATION.cff
```yaml
cff-version: 1.2.0
title: Pandoc
message: "If you use this software, please cite it as below."
type: software
url: "https://github.com/jgm/pandoc"
authors:
  - given-names: John
    family-names: MacFarlane
    email: jgm@berkeley.edu
    orcid: 'https://orcid.org/0000-0003-2557-9090'
  - given-names: Albert
    family-names: Krewinkel
    email: tarleb+github@moltkeplatz.de
    orcid: '0000-0002-9455-0796'
  - given-names: Jesse
    family-names: Rosenthal
    email: jrosenthal@jhu.edu
```
This part has a guide on how to run this either in BASH on Linux or in BASH on Azure Cloud Shell (obviously Cloud Shell is Linux too, but it does not require that you have your own Linux box to use this).
⚠️ If you are running the tool in Cloud Shell, you might need to reapply some of the installations again as Cloud Shell does not persist various session settings.
Fire and forget prerequisites on cloud shell
```bash
curl -o- https://raw.githubusercontent.com/jsa2/EAST/preview/sh/initForuse.sh | bash;
```
Prerequisites
```bash
git clone https://github.com/jsa2/EAST --branch preview
cd EAST; npm install
```
Pandoc installation on cloud shell
```bash
# Get pandoc for reporting (first time only)
wget "https://github.com/jgm/pandoc/releases/download/2.17.1.1/pandoc-2.17.1.1-linux-amd64.tar.gz"; tar xvzf "pandoc-2.17.1.1-linux-amd64.tar.gz" --strip-components 1 -C ~
```
Installing pandoc on distros that support APT
```bash
# Get pandoc for reporting (first time only)
sudo apt install pandoc
```

Run the tool:

```bash
# Relogin is required to ensure token cache is placed on session on cloud shell
az account clear
az login
# cd EAST
# replace the subid below with your subscription ID!
subId=6193053b-408b-44d0-b20f-4e29b9b67394
#
node ./plugins/main.js --batch=10 --nativescope=true --roleAssignments=true --helperTexts=true --checkAad=true --scanAuditLogs --composites --subInclude=$subId
```
Generate report
```bash
cd EAST; node templatehelpers/eastReports.js --doc
```

With ASB results included:

```bash
cd EAST; node templatehelpers/eastReports.js --doc --asb
```
Export report from cloud shell
```bash
pandoc -s fullReport2.md -f markdown -t docx --reference-doc=pandoc-template.docx -o fullReport2.docx
```

Azure DevOps (Experimental)

There is an Azure DevOps control for dumping pipeline logs. You can specify the control run by following the example:

```bash
node ./plugins/main.js --batch=10 --nativescope=true --roleAssignments=true --helperTexts=true --checkAad=true --scanAuditLogs --composites --subInclude=$subId --azdevops "organizationName"
```
Community use
Company use
Non IPR components
If you use this tool as part of your commercial effort we only require that you follow the very relaxed terms of the MIT license.
Existing tooling enhanced with Node.js runtime
Use the rich and maintained context of Microsoft Azure CLI login & commands with Node.js control flow, which supplies enhanced REST requests and maps results to a schema.
✅ Using the Node.js runtime as orchestrator utilises Node's asynchronous nature, allowing batching of requests. Batching of requests utilizes the full extent of Azure Resource Manager's incredible speed.
✅ Compared to running requests one by one, the speedup can be up to 10x when Node executes a batch of requests instead of a single request at a time.
Example:
```bash
node ./plugins/main.js --batch=10 --nativescope --roleAssignments --helperTexts=true --checkAad --scanAuditLogs --composites --shuffle --clearTokens
```
Param | Description | Default if undefined |
---|---|---|
--nativescope | Currently mandatory parameter | no values |
--shuffle | Can help with throttling. Shuffles the resource list to reduce the possibility of the resource provider throttling threshold being met | no values |
--roleAssignments | Checks controls as per microsoft.authorization | no values |
--includeRG | Checks controls with ResourceGroups as per microsoft.authorization | no values |
--checkAad | Checks controls as per microsoft.azureactivedirectory | no values |
--subInclude | Defines subscription scope | no default, requires subscription ID/s; if not defined, will enumerate all subscriptions the user has access to |
--namespace | text filter which matches the full or partial resource ID, e.g. `/microsoft.storage/storageaccounts` selects all storage accounts in the scope | optional parameter |
--notIncludes | text filter which matches the full or partial resource ID, e.g. `/microsoft.storage/storageaccounts` excludes all storage accounts in the scope | optional parameter |
--batch | number of requests per batch between throttles | 5 |
--wait | length of the wait between batches | 1500 |
--scanAuditLogs | optional parameter. When defined in hours, toggles Azure Activity Log scanning for weak authentication events defined in: scanAuditLogs | 24h |
--composites | read composite | no values |
--clearTokens | clears tokens in the session folder; use this if you get authorization errors or have just changed to another az login account. Use `az account clear` if you want to clear the AZ CLI cache too | no values |
--tag | Filter all results in the end based on a single tag, e.g. `--tag=svc=aksdev` | no values |
--ignorePreCheck | use this option when used with browser delegated tokens | no values |
--helperTexts | Will append text descriptions from general to manual controls | no values |
--reprocess | Will update results in the existing content.json. Useful for incremental runs | no values |
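The following is an added example, not EAST's own code, showing the semantics the table above describes: how the `--namespace`, `--notIncludes` and `--tag` filters narrow a resource list by case-insensitive substring match on the resource ID (or by tag), how `--batch` and `--shuffle` turn that list into request batches, and how a `--wait` pause is placed between batches to stay under resource provider throttling. The resource objects and the placeholder subscription ID are constructed; the real tool obtains the list from Azure Resource Manager and applies `--tag` to the results at the end rather than to the input, as the table states.

```javascript
// Added example, not EAST's own code. Scope filtering and batch planning for
// the CLI flags documented above. Resource objects are constructed samples.

const SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"; // placeholder subscription
const sampleResources = [
  { id: `${SUB}/resourceGroups/rg-a/providers/Microsoft.Storage/storageAccounts/sta1`, tags: { svc: "aksdev" } },
  { id: `${SUB}/resourceGroups/rg-a/providers/Microsoft.Storage/storageAccounts/stb2`, tags: { svc: "prod" } },
  { id: `${SUB}/resourceGroups/rg-b/providers/Microsoft.Web/sites/fn-demo`, tags: { svc: "aksdev" } },
  { id: `${SUB}/resourceGroups/rg-b/providers/Microsoft.KeyVault/vaults/kv-demo`, tags: {} },
];

// "svc=aksdev" (the value of --tag) -> { key: "svc", value: "aksdev" }
function parseTagFilter(tagArg) {
  const i = tagArg.indexOf("=");
  if (i < 1) throw new Error("--tag expects key=value");
  return { key: tagArg.slice(0, i), value: tagArg.slice(i + 1) };
}

// --namespace keeps IDs containing the filter, --notIncludes drops them,
// --tag keeps resources carrying exactly that key=value. Matching is
// case-insensitive because ARM returns IDs in mixed case.
function selectScope(resources, { namespace, notIncludes, tag } = {}) {
  const tagFilter = tag ? parseTagFilter(tag) : null;
  return resources.filter((r) => {
    const id = r.id.toLowerCase();
    if (namespace && !id.includes(namespace.toLowerCase())) return false;
    if (notIncludes && id.includes(notIncludes.toLowerCase())) return false;
    if (tagFilter && (r.tags || {})[tagFilter.key] !== tagFilter.value) return false;
    return true;
  });
}

// Fisher-Yates shuffle on a copy; the RNG is injectable so tests are reproducible.
function shuffle(items, rng = Math.random) {
  const a = items.slice();
  for (let i = a.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [a[i], a[j]] = [a[j], a[i]];
  }
  return a;
}

// Split the (optionally shuffled) list into batches of `batch` resources.
function planBatches(resources, { batch = 5, doShuffle = false, rng } = {}) {
  if (!Number.isInteger(batch) || batch < 1) throw new RangeError("--batch must be a positive integer");
  const order = doShuffle ? shuffle(resources, rng) : resources;
  const batches = [];
  for (let i = 0; i < order.length; i += batch) batches.push(order.slice(i, i + batch));
  return batches;
}

// Run one batch at a time: every request in a batch is issued concurrently,
// then the loop sleeps `wait` ms before the next batch. `let` is block-scoped,
// so each iteration keeps its own bindings (the var -> let change noted above).
async function runBatches(batches, request, wait = 1500) {
  const results = [];
  for (let i = 0; i < batches.length; i++) {
    let settled = await Promise.allSettled(batches[i].map((r) => request(r)));
    results.push(...settled);
    if (wait > 0 && i < batches.length - 1) await new Promise((resolve) => setTimeout(resolve, wait));
  }
  return results;
}

// Usage: scope to storage accounts, then batch two at a time with a short pause.
runBatches(planBatches(selectScope(sampleResources, { namespace: "/microsoft.storage/storageaccounts" }), { batch: 2 }),
  async (r) => ({ id: r.id, status: 200 }), 10)
  .then((res) => console.log(`${res.length} requests settled`));
```

`Promise.allSettled` rather than `Promise.all` is deliberate: one throttled (HTTP 429) or failed request should not abort the rest of the batch, and the rejected entries remain in the result list for the caller to retry or report.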
Parameters reference for example report:
```bash
node templatehelpers/eastReports.js --asb
```
Param | Description | Default if undefined |
---|---|---|
--asb | gets all ASB results available to users | no values |
--policy | gets all Policy results available to users | no values |
--doc | prints pandoc string for export to console | no values |
Read here: Running in restricted environments
Developer guide including control flow description is here: dev-guide.md
✅ Check roles that are assigned to function managed identity in Azure AD and all Azure Subscriptions the audit account has access to
✅ Relation mapping, check which keyVaults the function uses across all subs the audit account has access to
✅ Check if Azure AD authentication is enabled
✅ Check that generation of access tokens to the API requires assignment (.appRoleAssignmentRequired)
✅ Audit bindings
✅ Check if SCM and FTP endpoints are secured
⚠️ Detect principals in privileged subscriptions roles protected only by password-based single factor authentication.
Maps to App Registration Best Practices
✅ State healthy – User result example

```json
{
  "subscriptionName": "EAST -msdn",
  "friendlyName": "joosua@thx138.onmicrosoft.com",
  "mfaResults": {
    "oid": "138ac68f-d8a7-4000-8d41-c10ff26a9097",
    "appliedPol": [
      {
        "GrantConditions": "challengeWithMfa",
        "policy": "baseline",
        "oid": "138ac68f-d8a7-4000-8d41-c10ff26a9097"
      }
    ],
    "checkType": "mfa"
  },
  "basicAuthResults": {
    "oid": "138ac68f-d8a7-4000-8d41-c10aa26a9097",
    "appliedPol": [
      {
        "GrantConditions": "challengeWithMfa",
        "policy": "baseline",
        "oid": "138ac68f-d8a7-4000-8d41-c10aa26a9097"
      }
    ],
    "checkType": "basicAuth"
  }
}
```
⚠️ State unHealthy – Application principal example

```json
{
  "subscriptionName": "EAST - HoneyPot",
  "friendlyName": "thx138-kvref-6193053b-408b-44d0-b20f-4e29b9b67394",
  "creds": {
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals(id,displayName,appId,keyCredentials,passwordCredentials,servicePrincipalType)/$entity",
    "id": "babec804-037d-4caf-946e-7a2b6de3a45f",
    "displayName": "thx138-kvref-6193053b-408b-44d0-b20f-4e29b9b67394",
    "appId": "5af1760e-89ff-46e4-a968-0ac36a7b7b69",
    "servicePrincipalType": "Application",
    "keyCredentials": [],
    "passwordCredentials": [],
    "OnlySingleFactor": [
      {
        "customKeyIdentifier": null,
        "endDateTime": "2023-10-20T06:54:59.2014093Z",
        "keyId": "7df44f81-a52c-4fd6-b704-4b046771f85a",
        "startDateTime": "2021-10-20T06:54:59.2014093Z",
        "secretText": null,
        "hint": null,
        "displayName": null
      }
    ],
    "StrongSingleFactor": []
  }
}
```
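The following is an added example, not EAST's own code, of the classification behind the "protected only by password-based single factor authentication" check: a service principal's `passwordCredentials` (client secrets) end up under `OnlySingleFactor` and its `keyCredentials` (certificates) under `StrongSingleFactor`, as in the unhealthy example above, with the principal unhealthy whenever an unexpired secret exists. It also evaluates the user shape from the healthy example by looking for an applied Conditional Access policy whose `GrantConditions` is `challengeWithMfa`. Both inputs are constructed samples in the Microsoft Graph shape; the IDs, names and the fixed reference date are placeholders.

```javascript
// Added example, not EAST's own code. Credential classification for service
// principals and the MFA read-out for users, mirroring the result shapes above.
// All identifiers and dates below are constructed.

const AS_OF = new Date("2022-06-01T00:00:00Z"); // fixed reference time so the sample is reproducible

// Constructed service principal with one live secret and one expired secret.
const samplePrincipal = {
  id: "11111111-1111-1111-1111-111111111111",
  displayName: "demo-app",
  servicePrincipalType: "Application",
  keyCredentials: [],
  passwordCredentials: [
    { keyId: "aaaaaaaa-0000-0000-0000-000000000001", startDateTime: "2021-10-20T06:54:59Z", endDateTime: "2023-10-20T06:54:59Z", displayName: null },
    { keyId: "aaaaaaaa-0000-0000-0000-000000000002", startDateTime: "2020-01-01T00:00:00Z", endDateTime: "2021-01-01T00:00:00Z", displayName: "rotated-out" },
  ],
};

// Constructed user result in the shape of the healthy example above.
const sampleUser = {
  friendlyName: "user@example.onmicrosoft.com",
  mfaResults: {
    oid: "22222222-2222-2222-2222-222222222222",
    appliedPol: [{ GrantConditions: "challengeWithMfa", policy: "baseline", oid: "22222222-2222-2222-2222-222222222222" }],
    checkType: "mfa",
  },
};

// Client secrets are a single password-type factor ("OnlySingleFactor");
// certificates are still one factor, but a strong one ("StrongSingleFactor").
// Expired credentials cannot be used to sign in, so they are only counted.
function classifyCredentials(sp, asOf = AS_OF) {
  const active = (c) => new Date(c.endDateTime) > asOf;
  const passwords = sp.passwordCredentials || [];
  const keys = sp.keyCredentials || [];
  return {
    OnlySingleFactor: passwords.filter(active),
    StrongSingleFactor: keys.filter(active),
    expiredCredentials: passwords.concat(keys).filter((c) => !active(c)).length,
  };
}

// A principal holding a privileged role is unhealthy if any active credential is a secret.
function evaluatePrincipal(sp, roleName, asOf = AS_OF) {
  const creds = classifyCredentials(sp, asOf);
  const isHealthy = creds.OnlySingleFactor.length === 0;
  return {
    friendlyName: sp.displayName,
    servicePrincipalType: sp.servicePrincipalType,
    role: roleName,
    creds,
    isHealthy,
    state: isHealthy ? "healthy" : "unHealthy",
  };
}

// A user is healthy when at least one applied Conditional Access policy requires MFA.
function evaluateUserMfa(user) {
  const pols = (user.mfaResults && user.mfaResults.appliedPol) || [];
  const mfaEnforced = pols.some((p) => String(p.GrantConditions).includes("challengeWithMfa"));
  return { friendlyName: user.friendlyName, mfaEnforced, isHealthy: mfaEnforced, state: mfaEnforced ? "healthy" : "unHealthy" };
}

console.log(JSON.stringify({ principal: evaluatePrincipal(samplePrincipal, "Contributor"), user: evaluateUserMfa(sampleUser) }, null, 2));
```

Note that an empty `OnlySingleFactor` list does not by itself mean the principal is strongly authenticated: a principal with no credentials at all is reported healthy here because nothing can sign in as it, while a certificate-only principal is healthy because its factor is strong, and the two cases are told apart by the `StrongSingleFactor` list.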