BARK Tool Assists Research on Azure Key Vault Operations
Quick take - BARK is a research tool that facilitates adversarial tradecraft involving Azure Key Vault by providing various functions for token acquisition, key vault management, and data encryption and decryption, while also serving as a resource for both red team operators and defenders in automating key vault inventory and audit processes.
Fast Facts
- BARK is a research tool for adversarial tradecraft involving Azure Key Vault, which exposes a dedicated API for data plane operations.
- Access to both Azure Key Vault and the Azure REST API requires a bearer token with the correct audience; BARK offers several methods for acquiring such tokens.
- BARK includes functions for managing key vaults, enumerating items (secrets, keys, certificates), and adjusting permissions, such as Get-AllAzureRMKeyVaults and New-AzureKeyVaultAccessPolicy.
- The tool lets operators encrypt and decrypt data with Azure Key Vault keys, using functions such as Protect-StringWithAzureKeyVaultKey and Unprotect-StringWithAzureKeyVaultKey.
- BARK’s capabilities support both red team operators in assessments and defenders in automating key vault inventory and audit processes.
BARK: A Tool for Adversarial Tradecraft with Azure Key Vault
Overview of Azure Key Vault
BARK is a tool designed to assist in research related to adversarial tradecraft involving Azure Key Vault. Azure Key Vault is equipped with a dedicated API for data plane operations. Proper authentication through a bearer token with the correct audience is necessary for both Azure Key Vault and Azure REST API access.
Token Acquisition and Management
BARK offers a variety of functions for acquiring tokens for the Azure REST API. Methods include:
- Get-AzureRMTokenWithUsernamePassword
- Get-AzureRMTokenWithPortalAuthRefreshToken
- Get-AzureRMTokenWithClientCredentials
- Get-AzureRMTokenWithRefreshToken
Functions for obtaining tokens with the audience required by the Azure Key Vault REST API include:
- Get-AzureKeyVaultTokenWithUsernamePassword
- Get-AzureKeyVaultTokenWithClientCredentials
For managing key vaults and their items, BARK provides several enumeration functions built on the Azure REST API. Get-AllAzureRMKeyVaults lists all key vaults, and the following functions enumerate specific items within those vaults:
- Get-AzureRMKeyVaultSecrets
- Get-AzureRMKeyVaultSecretVersions
- Get-AzureRMKeyVaultKeys
- Get-AzureRMKeyVaultKeyVersions
- Get-AzureRMKeyVaultCertificates
BARK also includes functions for adjusting permissions on key vaults and their items, notably:
- New-AzureRMRoleAssignment
- New-AzureKeyVaultAccessPolicy
For collecting key vault secret values, the function Get-AzureRMKeyVaultSecretValue is available.
Data Encryption and Practical Applications
BARK provides functionality for encrypting and decrypting data through the Azure Key Vault REST API, with methods such as:
- Protect-StringWithAzureKeyVaultKey
- Unprotect-StringWithAzureKeyVaultKey
The article illustrates the practical application of these functions through the scenario of a red team operator conducting an assessment.
The operator may possess read access to one or more Azure Resource Manager (ARM) subscriptions. They can use BARK to request a token for the ARM REST API with Get-AzureRMTokenWithUsernamePassword, then identify every subscription within their access with Get-AllAzureRMSubscriptions.
To locate the key vaults in each subscription, the operator loops through the subscriptions and calls Get-AllAzureRMKeyVaults. Enumerating the secrets, keys, and certificates inside those vaults requires a token with the correct audience, which Get-AzureKeyVaultTokenWithUsernamePassword provides.
The operator can then list the items in each key vault and read the value of a secret, which returns its plaintext. The operator can also encrypt data with key vault keys and decrypt data that was previously encrypted with those keys.
Key vault certificates keep their public portion in the certificate object, while the private portion is stored in a secret. By correlating certificate and secret identifiers, an operator can locate the private keys and extract them with Get-AzureRMKeyVaultSecretValue.
These commands validate Microsoft’s documentation on API functions and authorization decisions. They also serve as valuable tools for defenders to automate key vault inventory and audit processes. Professional red team operators can utilize these functions for authorized assessment-related actions, encompassing reconnaissance and credential access tasks.
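As an added example (not code from BARK or the original article), here is the defender-side inventory the paragraph above mentions, built from the BARK functions named on this page: it records vault contents by name only, never reads secret values, and flags certificates whose private key is reachable through a same-named secret. Assumed rather than taken from the page: that BARK is dot-sourced from BARK.ps1, the parameter names (-ClientID, -ClientSecret, -TenantName, -Token, -SubscriptionID, -KeyVaultURL), the token object's access_token property, the hypothetical Get-ItemName helper, and the Azure REST property names on returned objects (subscriptionId, displayName, name, properties.vaultUri, id); verify these against the BARK version you run.

```powershell
# Added example, not BARK's own code. Parameter and property names below are
# assumptions about BARK's wrappers and the Azure REST response shapes they
# return; confirm them against the BARK.ps1 you are running.
. .\BARK.ps1

$TenantName   = 'contoso.onmicrosoft.com'               # placeholder tenant
$ClientID     = '00000000-0000-0000-0000-000000000000'  # placeholder app registration
$ClientSecret = $env:BARK_AUDIT_SECRET                  # from the environment, never hard-coded

# Two tokens for two audiences: ARM to list subscriptions and vaults,
# Key Vault to list the items inside each vault.
$ArmToken = (Get-AzureRMTokenWithClientCredentials -ClientID $ClientID -ClientSecret $ClientSecret -TenantName $TenantName).access_token
$KvToken  = (Get-AzureKeyVaultTokenWithClientCredentials -ClientID $ClientID -ClientSecret $ClientSecret -TenantName $TenantName).access_token

# Hypothetical helper: the last path segment of a Key Vault object id
# (https://<vault>/secrets/<name>) is the item's name.
function Get-ItemName ([string]$Id) { ($Id.TrimEnd('/') -split '/')[-1] }

$Inventory = foreach ($Sub in Get-AllAzureRMSubscriptions -Token $ArmToken) {
    foreach ($Vault in Get-AllAzureRMKeyVaults -Token $ArmToken -SubscriptionID $Sub.subscriptionId) {
        $VaultUri = $Vault.properties.vaultUri
        # Names only: the audit never calls Get-AzureRMKeyVaultSecretValue,
        # so no secret material is read or written to the report.
        $Secrets = @(Get-AzureRMKeyVaultSecrets      -Token $KvToken -KeyVaultURL $VaultUri)
        $Keys    = @(Get-AzureRMKeyVaultKeys         -Token $KvToken -KeyVaultURL $VaultUri)
        $Certs   = @(Get-AzureRMKeyVaultCertificates -Token $KvToken -KeyVaultURL $VaultUri)

        # A certificate's private portion lives in a secret with the same name, so
        # secret-read on this vault is effectively private-key read for these entries.
        $CertNames      = @($Certs | ForEach-Object { Get-ItemName $_.id })
        $PrivKeySecrets = @($Secrets | Where-Object { (Get-ItemName $_.id) -in $CertNames })

        [pscustomobject]@{
            Subscription          = $Sub.displayName
            Vault                 = $Vault.name
            VaultUri              = $VaultUri
            SecretCount           = $Secrets.Count
            KeyCount              = $Keys.Count
            CertificateCount      = $Certs.Count
            CertPrivateKeySecrets = ($PrivKeySecrets | ForEach-Object { Get-ItemName $_.id }) -join ';'
        }
    }
}

$Inventory | Sort-Object Subscription, Vault | Format-Table -AutoSize
$Inventory | Export-Csv -Path .\keyvault-inventory.csv -NoTypeInformation
```

Run it under an app registration that holds only list permissions on the data plane; a non-empty CertPrivateKeySecrets column is the audit finding to review, since every principal with secret read on that vault can export those private keys.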