Introduction to Azure Cloud Token Theft MindMap V1

rootsecdev
Jun 12, 2024

Recently I’ve uploaded a Mind Map to my Azure Red Team repository on token theft decisioning during authorized penetration tests or red team engagements. While there is an abundance of tools that aid in token theft, I’ve mapped out my decision tree that provides the most effective means to get information that may lead to possible privilege escalation out in the Azure cloud. You can find the Mind Map here:

This Mind Map does not cover primary refresh token theft methods and user agent based behaviors. Those will be covered in future Mind Maps around those decision-making processes.

To mitigate token theft I highly recommend implementing some of Microsoft’s recommended conditional access policies:

For Secure Foundation:

  • Require compliant or Microsoft Entra hybrid joined device or MFA for all users

For this policy, I suggest creating separate policies for requiring compliance, hybrid join, and MFA. Hybrid join is very effective at mitigating external token-based theft.

For Remote Work:

  • Block access for unknown or unsupported device platforms

This policy will make you more resistant to device platform abuse and misconfigurations when attackers just get weird with user agent strings.
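To check a tenant against the two recommendations above, the following added example (not from the original post or from Microsoft) audits Conditional Access policies in the JSON shape of the Microsoft Graph `conditionalAccessPolicy` resource. The function names and the sample export are constructed for illustration, and it assumes you have already exported your policies to a list of such objects.

```python
# Added example: audit Conditional Access policies exported as Microsoft Graph JSON.
DEVICE_OR_MFA = {"mfa", "compliantDevice", "domainJoinedDevice"}

# Constructed sample export (not from a real tenant).
SAMPLE_POLICIES = [
    {"displayName": "Require compliant, hybrid joined or MFA",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR",
                       "builtInControls": ["mfa", "compliantDevice", "domainJoinedDevice"]}},
    {"displayName": "Block unknown device platforms",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "platforms": {"includePlatforms": ["all"],
                                  "excludePlatforms": ["android", "iOS", "windows", "macOS", "linux"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def controls(policy):
    # grantControls may be null on session-only policies.
    grant = policy.get("grantControls") or {}
    return grant.get("operator", "OR"), set(grant.get("builtInControls") or [])

def blocks_unknown_platforms(policy):
    # "All platforms except the known ones" combined with a block grant.
    plat = (policy.get("conditions") or {}).get("platforms") or {}
    _, ctl = controls(policy)
    return ("all" in plat.get("includePlatforms", [])
            and bool(plat.get("excludePlatforms"))
            and "block" in ctl)

def audit(policies):
    findings = []
    enforced = [p for p in policies if p.get("state") == "enabled"]
    for p in enforced:
        op, ctl = controls(p)
        alternatives = ctl & DEVICE_OR_MFA
        if op == "OR" and len(alternatives) > 1:
            findings.append(f"{p['displayName']}: any one of {sorted(alternatives)} "
                            "satisfies this policy; consider separate policies")
    if not any(blocks_unknown_platforms(p) for p in enforced):
        findings.append("no enforced policy blocks unknown or unsupported device platforms")
    for p in policies:
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append(f"{p['displayName']}: report-only, not enforced")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_POLICIES):
        print("-", line)
```

On the constructed sample it reports three findings: the combined OR grant, the missing enforced platform block, and the report-only policy.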

Other resources worth bookmarking:

https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/
