
Passwordless Persistence and Privilege Escalation in Azure
Adversaries are always looking for stealthy means of maintaining long-term persistence and privilege in a target environment. Certificate-Based Authentication (CBA) is an extremely attractive persistence option in Azure for three big reasons: With control of a root CA trusted by AzureAD, the adversary can impersonate any user without knowing their ...

Automating Azure Abuse Research — Part 2
In Part 1 of this series, we looked at how to port functionality from the Azure GUI to PowerShell. Specifically, we looked at how to replicate the Azure GUI’s ability to run arbitrary commands on an Azure VM. In this second and final part of this series, we are ...

Introducing BloodHound 4.2 — The Azure Refactor
The BloodHound Enterprise team is proud to announce the release of BloodHound 4.2 — The Azure Refactor. The primary authors of BloodHound 4.2 are Dillon Lees (@ddlees), Rohan Vazarkar (@CptJesus), Ulises Rangel (@urangel), Josh Gantt (@joshgantt), and Andy Robbins (@_wald0). Simon Décosse (@simondotsh), Dirk-jan Mollema (@_dirkjan), Jan Kruse (@Jan-Kruse), and Jonas ...

Managed Identity Attack Paths, Part 3: Function Apps
Intro and Prior Work. In this three-part blog series we have explored attack paths that emerge out of Managed Identity assignments in three Azure services: Automation Accounts, Logic Apps, and Function Apps. In Part 1 we looked at attack paths that emerge out of Automation Account Managed Identity assignments and Run As configurations ...

Managed Identity Attack Paths, Part 2: Logic Apps
Intro and Prior Work. In this three-part blog series we are exploring attack paths that emerge out of Managed Identity assignments in three Azure services: Automation Accounts, Logic Apps, and Function Apps. In Part 1 we looked at how attack paths emerge out of Automation Account configurations. In Part 2 we are looking ...

Managed Identity Attack Paths, Part 1: Automation Accounts
Intro and Prior Work. In this three-part blog series we will explore attack paths that emerge out of Managed Identity assignments in three Azure services: Automation Accounts, Logic Apps, and Function Apps. But first, what exactly are Managed Identities? I think it’s best to think about Managed Identities in the context of ...

Automating Azure Abuse Research — Part 1
Intro. Back in February 2020, Karl Fosaaen published a great blog post about abusing Managed Identity (MI) assignments, specifically those assigned to a Virtual Machine running in Azure. Karl’s blog outlines the scenarios in which privilege escalation may be possible by first executing commands on the VM, ...

Abusing Azure Container Registry Tasks
Intro and Prior Work. More and more organizations are adopting cloud computing, migrating existing business processes and creating new business processes in Azure, AWS, and GCP. One of the most common processes, and a category that each cloud computing vendor is heavily incentivized to support, is DevOps. In this post, I will ...

Announcing Azure in BloodHound Enterprise
In July of 2021, we launched BloodHound Enterprise. Since then, our customers have been using BHE to easily identify and eliminate millions, even billions, of attack paths in their on-prem Active Directory environments. Today I’m happy to announce support for Azure in BloodHound Enterprise. BloodHound Enterprise is an Attack Path Management solution ...

Introducing BloodHound 4.1 — The Three Headed Hound
Prior Work. Analyzing Active Directory attack paths using graph theory is not a new concept. Prior work includes the following: Heat-ray by John Dunagan, Alice Zheng, and Daniel R. Simon (2009); Airbus BTA by Philippe Biondi, Joffrey Czarny, Xavier Mehrenberger, and Nicolas Bareil (2013); Active Directory Control Paths by Emmanuel Gras and ...