Showing Posts About: Azure

Detecting Attacks against Azure DevOps

This article explores detection opportunities for attacks against Azure DevOps, focusing on telemetry sources and logging limitations. It details how malicious actors can exploit Azure AD applications, steal Personal Access Tokens (PAT), and compromise DevOps pipelines. The research emphasizes the importance of multi-source logging and contextual analysis to detect sophisticated DevOps security incidents.

Performing and Preventing Attacks on Azure Cloud Environments through Azure DevOps

This article explores potential attack paths in Azure DevOps by demonstrating how an unprivileged user can compromise cloud environments. The attack scenario involves phishing a Personal Access Token (PAT) to gain access to Azure DevOps repositories and pipelines. By manipulating pipeline code, an attacker can exfiltrate Service Principal credentials and gain unauthorized access to Azure cloud resources.

  • 28 Apr 2021

Attack Detection Fundamentals 2021: Azure - Lab #1

This article demonstrates a consent phishing attack in Azure, showing how an attacker can trick a user into granting malicious application permissions to access sensitive resources. The walkthrough covers setting up a lab environment using Terraform, deploying Azure resources, and using the O365 Attack Toolkit to generate a phishing link. Azure AD audit logs are explored to detect the attack and understand the permissions granted during the consent phishing process.

  • 28 Apr 2021

Attack Detection Fundamentals 2021: Azure - Lab #2

This Azure security lab demonstrates privilege escalation by exploiting insecure Logic App workflow configurations. Using a service principal with only Reader permissions, the lab discovers sensitive credentials embedded in clear text in the workflow definition. These credentials allow escalation from Reader to Contributor-level access in the Azure resource group.

  • 28 Apr 2021

Attack Detection Fundamentals 2021: Azure - Lab #3

This article demonstrates a stealthy method of data collection from an Azure VM by creating a snapshot of a target VM's disk and mounting it to an attack VM. The technique allows accessing sensitive information without directly interacting with the original VM, minimizing detection risks. The lab concludes by highlighting the importance of monitoring Azure activity logs for detecting such lateral movement techniques.

  • 3 Nov 2016

A Penetration Tester’s Guide to the Azure Cloud

This presentation provides a comprehensive guide to security assessment of Microsoft Azure Cloud services. It explores key security components, controls, and configurations across Azure deployments. The talk introduces Azurite, a tool for collecting and visualizing Azure infrastructure information.