Katie Knowles

Azure Security Researcher

🏆 Security
Canada | 1 year as MVP | Datadog

📋 Biography

Katie Knowles is a Senior Security Researcher at Datadog, focused on Azure research. She is passionate about securing new technologies, and understanding cloud identity at depth. Through her past roles, Katie has had the chance to approach security as both an attacker and defender, from incident response and detection engineering to penetration testing. She holds Azure (AZ-104, AZ-500) and offensive security (OSCP, GPEN) certifications.

High-Impact Contributions 5

Azure Security Assessments Using Resource Graph Explorer

Reviewed a lab for performing Azure security reviews using KQL to support cloud defenders.

Video
Nov 2025

I SPy: Rethinking Entra ID research for new paths to Global Admin

Talk was on the history of service principal (SP) credentials, and how they can lead to privilege escalation and activity obfuscation seen in nation-state attacks. Covered how controls on this attack have improved, and remaining issues (since remediated) that allowed escalation from Application Administrator to any hybrid tenant user (including Global Admin). This talk provided an overview of SPs, app registrations, and the history of backdoor credentials on these identities, along with leads for future SP investigations, and how past research can inform future developments. Delivered at fwd:cloudsec North America.

Speaker/Presenter at Third-party event
Jul 2025

Persisting Unseen: Attacker Methods of Infesting Entra ID

What comes after Global Admin? Besides impact, attackers with access want to keep it as long as possible! This talk highlighted techniques for privileged persistence within Azure's Entra ID. It covered real-world and novel methods to manipulate MFA, applications, and role assignments to stay sneaky. We took a look at these methods, how to detect them, and steps to defend against them. Delivered at RSA Virtual Cloud Security event.

Speaker/Presenter at Third-party event
Jun 2025

Abusing AUs, Confusing the SOC: Entra ID's Administrative Unit Attack Paths

This talk covered a journey on Administrative Unit (AU) Attack Paths, starting with scoped role assignments for privilege escalation against users & groups, then creating concealed roles with Global Admin using HiddenMembership AUs. The talk finished with protecting accounts using Restricted Management AUs. Presented at SpecterOps Con (SO-CON).

Speaker/Presenter at Third-party event
Apr 2025

Cloud Security Podcast: Cloud Incident Response in Microsoft Azure

This podcast episode discussed Azure security, incident response, and the evolving cloud threat landscape. We spoke about common Azure incident response scenarios you need to prepare for, how identity and privilege escalation work in Azure, how Active Directory and Entra ID expose new risks, and what security teams need to know about Azure networking and logging.

Podcast
Feb 2025

Technology Focus

Identity & Access

Functional Roles

Researcher

Languages

🌐 English

Stats

Contributions 5
Events 0
Social profiles 4
Years as MVP 1