How to hack the domain controller in Azure


Summer is over, and earlier in the summer I noticed that through Azure it is possible to add local users to an Active Directory domain controller. As this is not really a privilege escalation or an actual security exploit, I will post this video.

At the end of the article is a link to the steps themselves, which also contain remediation steps.

So what is the problem here?

We currently live in a hybrid world where the on-premises service “Active Directory” is very often extended to Azure. When someone has Contributor access rights to your “Domain Controller” virtual machine, he can also control your Active Directory domain if he wants to.

If someone adds a user account through the Azure DC, it will be replicated to all other domain controllers in your domain, including your on-premises domain controllers, if the domain is extended to Azure.

Or wait, what happens if someone demotes a domain controller this way and adds the parameter “last DC on domain”?

You can start testing your backups ;)

If your Azure subscription is provided through the CSP channel, the CSP provider automatically has subscription Owner access rights to your subscription, so they can also run custom script extensions.

What is the preferred way to fix this

Dear Microsoft, please remove “adding custom script extensions” on domain controllers or add some kind of safe mechanism, for example look inside the script and if you find unsafe commands then block it. You have already disabled user adding/password change from the UI when the VM is a domain controller.
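As an added defensive example, not part of the original post or its GitHub steps: a small Python script that scans an exported Azure Activity Log for extension writes against VMs you know to be domain controllers, so a Custom Script Extension dropped on a DC by a Contributor or a CSP account is flagged rather than buried among normal operations. The record layout (operationName.value, caller, resourceId) follows the Activity Log export schema; the sample records, subscription id and VM names are constructed.

```python
import json

# Activity Log operation written whenever a VM extension (CustomScriptExtension
# included) is created or updated. Compared case-insensitively.
EXTENSION_WRITE_OP = "microsoft.compute/virtualmachines/extensions/write"


def parse_vm_from_extension_id(resource_id: str) -> str:
    """Return the lower-cased VM name from an extension resource id such as
    .../providers/Microsoft.Compute/virtualMachines/DC01/extensions/Name."""
    parts = resource_id.lower().split("/")
    if "virtualmachines" in parts:
        return parts[parts.index("virtualmachines") + 1]
    return ""


def find_extension_writes_on_dcs(records, dc_vm_names):
    """Return (caller, vm, extension_name) for every extension write whose
    target VM is in dc_vm_names. Other operations on DCs are ignored."""
    dcs = {name.lower() for name in dc_vm_names}
    hits = []
    for rec in records:
        op = rec.get("operationName", {}).get("value", "").lower()
        if op != EXTENSION_WRITE_OP:
            continue
        rid = rec.get("resourceId", "")
        vm = parse_vm_from_extension_id(rid)
        if vm in dcs:
            hits.append((rec.get("caller", "?"), vm, rid.rsplit("/", 1)[-1]))
    return hits


# Constructed sample export: one extension write on a DC, one on a web
# server, and an unrelated restart of the DC that must not be flagged.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ad/providers/Microsoft.Compute/virtualMachines/"
SAMPLE_LOG = json.loads(json.dumps([
    {"operationName": {"value": "Microsoft.Compute/virtualMachines/extensions/write"},
     "caller": "partner-admin@csp.example",
     "resourceId": SUB + "AZ-DC01/extensions/CustomScriptExtension"},
    {"operationName": {"value": "Microsoft.Compute/virtualMachines/extensions/write"},
     "caller": "ops@corp.example",
     "resourceId": SUB + "WEB01/extensions/MonitoringAgent"},
    {"operationName": {"value": "Microsoft.Compute/virtualMachines/restart/action"},
     "caller": "ops@corp.example",
     "resourceId": SUB + "AZ-DC01"},
]))

DC_VMS = ["AZ-DC01", "AZ-DC02"]  # constructed: the VMs holding the DC role

if __name__ == "__main__":
    for caller, vm, ext in find_extension_writes_on_dcs(SAMPLE_LOG, DC_VMS):
        print(f"ALERT: {caller} deployed extension '{ext}' on domain controller {vm}")
```

In a real tenant, feed it the JSON from an Activity Log export or a diagnostic setting sink and keep DC_VMS in sync with the servers that actually hold the domain controller role.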

Link to the GitHub repository