Microsoft hasn't implemented a way to bulk delete indicators into Sentinel which might be an issue if you have conneted to a very noisy feed. This code runs in a Jupyter notebook but if you want to run it standalone you will need to change or remove tqdm (progress bar). The progress bar doesn't show actualy progress, it just moves to indicate "something" is happening.

I am not using the "nextLink" to iterate as it doesn't seem to function correctly using the the "queryIndicators" API endpoint. It's not an issue here as each query should return results that aren't deleted.

The code "works" but there are a number of things that could be improved or fixed. I've succesfully used but I'd recommend understanding Python. Use at your own risk.

import pendulum
from msal import ConfidentialClientApplication
from tqdm.notebook import tqdm
import httpx
import random
import asyncio
import json
import urllib

client_secret = ""
client_id = ""
tenant_id = ""
api_version = "2024-01-01-preview"
subscription = ""
resource_group = ""
workspace = ""
sources_to_delete = []

api_target = f"https://management.azure.com/subscriptions/{subscription}/resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights/workspaces/{workspace}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version={api_version}"
json_body = {
    "sources": sources_to_delete,
    "pageSize": 100,
}
token_issued = pendulum.now()
token_expires = token_issued.subtract(minutes=1)
issued_token = None

app = ConfidentialClientApplication(
    client_id, client_secret, authority=f"https://login.microsoftonline.com/{tenant_id}"
)


def get_token():
    global issued_token
    global token_expires

    if token_expires <= pendulum.now().add(minutes=5):
        print("Refreshing token.")
        issued_token = app.acquire_token_for_client(
            scopes=["https://management.azure.com/.default"]
        )
        token_expires = pendulum.now().add(seconds=issued_token["expires_in"])
        print(f"New expiry: {token_expires.to_iso8601_string()}")
    return issued_token

token = get_token()


def random_bar(bar):
    bar.n = 0 + random.randint(0, 100)
    bar.refresh()
    bar.set_description(random.choice(["Working hard", "Hardly working"]))
headers = {"Authorization": f"Bearer {get_token()['access_token']}"}


bar = tqdm(total=100)


async def delete_indicator(indicator):

    async with httpx.AsyncClient() as client:
        headers = {"Authorization": f"Bearer {get_token()['access_token']}"}

        r_delete = await client.delete(
            f"https://management.azure.com{indicator}?api-version={api_version}",
            headers=headers,
            # params=params,
        )
        r_delete.raise_for_status()


async def gather_deletes(indicators):
    current_indicators = set()
    random_bar(bar)
    bar.set_description(f"Seen {len(seen_indicators)}")
    for indicator in indicators["value"]:
        if indicator["id"] in seen_indicators:
            continue
        seen_indicators.add(indicator["id"])
        current_indicators.add(indicator["id"])

    async with asyncio.TaskGroup() as tg:
        for indicator in current_indicators:
            tg.create_task(delete_indicator(indicator))


async def do_deletes(payload):
    await gather_deletes(payload)

    if "nextLink" in payload:

        r = httpx.post(api_target, headers=headers, json=json_body)

        await do_deletes(r.json())


r = httpx.post(api_target, headers=headers, json=json_body)

await do_deletes(r.json())
bar.close()

A correction to a previous note, indicators are not deleted or deactivated in the 'ThreatIntelligenceIndicator'. You should ensure your retention period on the 'ThreatIntelligenceIndicator' table is 30 days. Once an indicator is removed, it will not updated in this table and be removed after this period. Existing indicators should continue to generate new entries in this table

During some recent self-study, I encountered a scenario where I wanted to use WinRM on a machine and couldn't from Kali due to the limitations of Powershell Core. The target machine was also two pivots deep, so I needed a way to move through those networks to connect to WinRM.

My VPN was running on Kali, and while I could disconnect it and switch to a Windows machine, I still wanted tools on Kali to be available.

Secure Socket Funneling (SSF) to the rescue.

But first, an example of what the environment looks like.

Network Layout

This a sample of what the network looks like. Hopefully it's not too difficult to follow.

• Windows Machine
  • VM Network 192.168.11.3
• Kali Machine
  • VM Network 192.168.11.4
  • VPN Network 10.0.1.14
• Target Environment Host A - Linux
  • External IP 10.0.0.100
  • Internal IP 172.16.1.100
• Target Environment Host B - Windows - this machine is running OpenSSH.
  • Internal IP 172.16.1.5
• Target Host C
  • Internal IP 172.16.2.20
• Kali can connect to Host A only.
• Host A can connect Host B only.
• Host A is firewalled and can't listen on on any extra ports on 10.0.0.100

Setting up the SSF Daemons

SSF binaries: https://securesocketfunneling.github.io/ssf/#download

Host B

We need to get SSF onto the machine, so grab the Windows binaries from the SSF website. We can these over using SCP.

To do this, we need to jump via Host A. Assuming we have some way of unzipping on the Windows machine, perform the following:

scp -J root@10.0.0.100 ./ssf-windows.zip user@172.16.1.5:

If we don't have an easy way to unzip the file, you can recursively the directory over using the following:

scp -r -J root@10.0.0.100 ./ssf-windows/extracted/ user@172.16.1.5:

If the host weren't running OpenSSH, you would need to use another method such as WinRM using this same process.

Once complete, we can now ssh in and set up the daemon by doing the following:

ssh -J root@10.0.0.100 user@172.16.1.5

Then followed by kicking off the ssfd daemon to listen on port 63000:

Expand-Archive ssf-windows.zip
cd .\extracted
.\ssfd -p 63000

Host A

For Host A, grab the Linux binaries and them over. This process is the same as Host B but without the jump host '-J' option.

In this scenario, due to the firewall, we only listen on localhost.

scp ./ssf-windows.zip root@10.0.0.100
ssh root@10.0.0.100
./ssfd -p 63000 -l 127.0.0.1

Kali Machine

Since we need to get the traffic through to Host A, we'll use ssh local port forwarding to get around the firewall issue.

The below command sets up ssh to listen on 1111 and forward it to 63000 on Host A:

ssh -L 1111:127.0.0.1:63000 root@10.0.0.100

Now we set up ssfd on our Kali host. Unzip SSF on Kali and from within the extracted folder run:

./ssfd -p 63000

If you have an SSH server running on your Kali host, you could use SSH forwarding from Windows, but I think that's a bit messier.

Windows Machine

SSF supports routing via several intermediate hosts. To do this, we configure the below JSON config file:

{
  "ssf": {
    "circuit": [
      {"host": "192.168.11.4", "port":"63000"},
      {"host": "127.0.0.1", "port":"1111"}
    ]

    }
  }
}

This config does the following

1. Connects to Kali
2. Connect to Host A via localhost on Kali (the SSH local port forward)

Info on configuring the relay hosts can be found at https://securesocketfunneling.github.io/ssf/#how-to-use-relay-servers

Host B is the last hop, so we don't need it in the config. To connect, we run the following:

.\ssf.exe -c config.json -D 9000 -p 63000 172.16.1.5

We now have dynamic port forwarding on the Windows machine listening on port 9000, which is essentially a socks proxy. Dynamic port forwarding isn't necessarily what we want as we need WinRM. With SSF, you can perform both TCP and UDP forwarding.

We can set up SSF to forward to the WinRM HTTP port on 5985:

.\ssf.exe -c .\c.json -L 6666:172.16.2.5:5985 172.16.1.20 -p 63000

And now we can finally connect to WinRM:

$s = New-PSSession -Port 6666 -ComputerName 127.0.0.1 -Credential 'username'
Enter-PSSession $s

Local UDP/TCP Forwarding Example and Notes

I don't think it's evident in the SSF docs, but you can perform multiple forwards much like SSH, and you can forward both UDP and TCP for the same port.

Here's an example of forwarding some Domain Controller ports to a Windows host on Kali a lot of the UDP ports aren't requried but I assembled this with regex and it was easier.

./ssf  -L 445:172.16.2.5:445 -U 445:172.16.2.5:445 -L 636:172.16.2.5:636 -U 636:172.16.2.5:636 -L 389:172.16.2.5:389 -U 389:172.16.2.5:389 -L 464:172.16.2.5:464 -U 464:172.16.2.5:464 -L 139:172.16.2.5:139 -U 139:172.16.2.5:139 -L 135:172.16.2.5:135 -U 135:172.16.2.5:135 -L 593:172.16.2.5:593 -U 593:172.16.2.5:593 -L 3268:172.16.2.5:3268 -U 3268:172.16.2.5:3268 -L 3269:172.16.2.5:3269 -U 3269:172.16.2.5:3269 -L 88:172.16.2.5:88 -U 88:172.16.2.5:88 -L 137:172.16.2.5:137 -U 138:172.16.2.5:138  -p 63000 172.16.1.20

With the above, you could run enum4linux or crackmapexec against 127.0.0.1. Note that you may need to also provide a DC IP for some commands that talk to Kerberos. Check your command's options and if this is required, set it to 127.0.0.1 in addition.

And that's it.

The SSF docs are available at https://securesocketfunneling.github.io/ssf/#home

Depending on the environment, a lot of this can be achieved using SSH forwarding.

The below one-liner allows you to extract all Public IPs (PIPs) assigned in your Azure tenant. Please note that this only covers PIPs and not address prefixes and other resources. You can easily modify the command to output other resources though.

# Output to console
Get-AzSubscription | ForEach-Object {Set-AzContext -Subscription $_.Name *>$null; Get-AzPublicIpAddress} | Where-Object {$_.IpAddress -ne 'Not Assigned'} | Select-Object -Property Name,PublicIpAllocationMethod,ipAddress,ProvisioningState,Location,ResourceGroupName,Id

and

# Write to CSV
Get-AzSubscription | ForEach-Object {Set-AzContext -Subscription $_.Name *>$null; Get-AzPublicIpAddress} | Where-Object {$_.IpAddress -ne 'Not Assigned'} | Select-Object -Property Name,PublicIpAllocationMethod,ipAddress,ProvisioningState,Location,ResourceGroupName,Id  | Export-Csv -Path .\pips.txt

This is reasonably straight forward - you might get caught with an issue with the following though

c.LDAPAuthenticator.bind_dn_template

Here is the config

c.LDAPAuthenticator.lookup_dn_search_user = 'service_account'
    c.LDAPAuthenticator.lookup_dn_search_password = 'password'
    c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
    c.LDAPAuthenticator.server_address = 'ldap://server'
    c.LDAPAuthenticator.bind_dn_template = 'domain\{username}'
    c.LDAPAuthenticator.lookup_dn = False
    c.LDAPAuthenticator.user_search_base = 'OU=Corporate Services,OU=Users,OU=Agencies,DC=domain,DC=sub,DC=tld'
    c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
    c.LDAPAuthenticator.allowed_groups = []
    c.Spawner.default_url = '/lab'
    c.Spawner.notebook_dir = '~'
    c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
    c.SystemdSpawner.default_shell = '/usr/bin/zsh'
    c.SystemdSpawner.username_template = 'jupyter-{username}'
    c.SystemdSpawner.unit_name_template = 'jupyter-singleuser'
    c.SystemdSpawner.disable_user_sudo = False
    c.SystemdSpawner.dynamic_users = True
    def start_user(spawner):
        import os, pwd, grp
        username = spawner.user.name
        path = os.path.join('/usr/share/notebooks', username)
        if not os.path.exists(path):
                os.mkdir(path, 0o755)
                uid = pwd.getpwnam(username).pw_uid
                gid = grp.getgrnam(username).gr_gid
                os.chown(path, uid, gid)