The document discusses common initial access techniques used to compromise Azure environments, including:
- Password spraying using tools like TeamFiltration to attempt access with commonly used passwords for valid user accounts discovered through reconnaissance.
- Exploiting insecure blob storage by enumerating unprotected Azure storage blobs using tools like MicroBurst and accessing anonymous blobs.
- Illicit consent grant attacks that trick users into granting malicious applications access to their Azure data through OAuth authorization flows.
Detection and mitigation techniques are also referenced for each attack method. The document provides an overview of these initial access vectors with the goal of highlighting tradecraft used by attackers targeting Azure and Azure Active Directory environments.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
IdP, SAML, OAuth are new acronyms for identity in the cloud. SAML is used for federated authentication between an identity provider (IdP) like Active Directory and a service provider (SP) like Office 365. The IdP authenticates the user and sends a SAML token with claims to the SP. OAuth streamlines authentication for mobile by issuing short-lived access tokens instead of passing full credentials or SAML assertions between each service. It allows authorization without passwords and tokens can be revoked, reducing risks of compromised apps. Office 365 uses Azure Active Directory as an IdP with SAML or OAuth to authenticate users from an on-premises Active Directory via federation or synchronization.
This document provides an overview of attacking Active Directory Federation Services (AD FS). It begins with an introduction to AD FS and how it works, allowing single sign-on for applications outside of Active Directory. It then discusses how to find AD FS servers on a network and potential vulnerabilities in default configurations. The document focuses on attacking identity provider adapters and the signing certificate as ways to impersonate the AD FS server and issue unauthorized tokens. It provides technical details on decrypting the signing certificate stored in the Windows Internal Database using the Distributed Key Manager.
This is the Part 1 of the Azure Active Directory Topic. In this session I introduce the Azure AD and talk about what it is, how it differentiates with on-premises Active Directory Domain Services (AD DS). Further, in this session I provide demos on how to create Azure AD Users from the Azure Portal, associate Custom domains with the Azure AD tenant and the Azure AD PowerShell module. As a bonus, I also talk about and demo how to create additional Azure AD directory within the subscription.
This document provides an introduction to Security Assertion Markup Language (SAML) 2.0, including:
- SAML is an XML-based standard for exchanging authentication and authorization data between parties like an identity provider and service provider.
- It defines roles like identity providers, service providers, and users.
- SAML supports single sign-on, attribute sharing, identity federation, and other use cases through protocols, bindings, and profiles.
- Liferay supports acting as an identity provider or service provider using SAML through an enterprise edition plugin, allowing configuration as an IdP or SP through properties and metadata files.
- The presentation demonstrates SAML single sign-on flows and configurations using examples
"Ever wondered how can you find out which user made a particular API call, when the call was made, and which resources were acted upon? In this session, you will learn how to turn on AWS CloudTrail for hundreds of AWS accounts in all AWS regions to ensure you have full visibility into API activity in all your AWS accounts. We will demonstrate how to use CloudTrail Lookup in the AWS Management Console to troubleshoot operational and security issues and how to use the AWS CLI or SDKs to integrate your applications with CloudTrail.
We will also demonstrate how you can monitor for specific API activity by using Amazon CloudWatch and receive email notifications, when such activity occurs. Using CloudTrail Lookup and CloudWatch Alarms, you can take immediate action to quickly remediate any security or operational issues. We will also share best practices and ready-to-use scripts, and dive deep into new features that help you configure additional layers of security for CloudTrail log files."
Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It authenticates over 1 trillion times since release and manages identity data for over 5 million organizations, including 86% of Fortune 500 companies using Microsoft Cloud services. Azure AD provides single sign-on, multi-factor authentication, and application access management across devices and platforms.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
IdP, SAML, OAuth are new acronyms for identity in the cloud. SAML is used for federated authentication between an identity provider (IdP) like Active Directory and a service provider (SP) like Office 365. The IdP authenticates the user and sends a SAML token with claims to the SP. OAuth streamlines authentication for mobile by issuing short-lived access tokens instead of passing full credentials or SAML assertions between each service. It allows authorization without passwords and tokens can be revoked, reducing risks of compromised apps. Office 365 uses Azure Active Directory as an IdP with SAML or OAuth to authenticate users from an on-premises Active Directory via federation or synchronization.
This document provides an overview of attacking Active Directory Federation Services (AD FS). It begins with an introduction to AD FS and how it works, allowing single sign-on for applications outside of Active Directory. It then discusses how to find AD FS servers on a network and potential vulnerabilities in default configurations. The document focuses on attacking identity provider adapters and the signing certificate as ways to impersonate the AD FS server and issue unauthorized tokens. It provides technical details on decrypting the signing certificate stored in the Windows Internal Database using the Distributed Key Manager.
This is the Part 1 of the Azure Active Directory Topic. In this session I introduce the Azure AD and talk about what it is, how it differentiates with on-premises Active Directory Domain Services (AD DS). Further, in this session I provide demos on how to create Azure AD Users from the Azure Portal, associate Custom domains with the Azure AD tenant and the Azure AD PowerShell module. As a bonus, I also talk about and demo how to create additional Azure AD directory within the subscription.
This document provides an introduction to Security Assertion Markup Language (SAML) 2.0, including:
- SAML is an XML-based standard for exchanging authentication and authorization data between parties like an identity provider and service provider.
- It defines roles like identity providers, service providers, and users.
- SAML supports single sign-on, attribute sharing, identity federation, and other use cases through protocols, bindings, and profiles.
- Liferay supports acting as an identity provider or service provider using SAML through an enterprise edition plugin, allowing configuration as an IdP or SP through properties and metadata files.
- The presentation demonstrates SAML single sign-on flows and configurations using examples
"Ever wondered how can you find out which user made a particular API call, when the call was made, and which resources were acted upon? In this session, you will learn how to turn on AWS CloudTrail for hundreds of AWS accounts in all AWS regions to ensure you have full visibility into API activity in all your AWS accounts. We will demonstrate how to use CloudTrail Lookup in the AWS Management Console to troubleshoot operational and security issues and how to use the AWS CLI or SDKs to integrate your applications with CloudTrail.
We will also demonstrate how you can monitor for specific API activity by using Amazon CloudWatch and receive email notifications, when such activity occurs. Using CloudTrail Lookup and CloudWatch Alarms, you can take immediate action to quickly remediate any security or operational issues. We will also share best practices and ready-to-use scripts, and dive deep into new features that help you configure additional layers of security for CloudTrail log files."
Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It authenticates over 1 trillion times since release and manages identity data for over 5 million organizations, including 86% of Fortune 500 companies using Microsoft Cloud services. Azure AD provides single sign-on, multi-factor authentication, and application access management across devices and platforms.
20 common security vulnerabilities and misconfiguration in AzureCheah Eng Soon
This document outlines 20 common security vulnerabilities and misconfigurations in Microsoft Azure. It discusses issues such as storage accounts being publicly accessible, lack of multi-factor authentication, insecure guest user settings, and features like Azure Security Center and Network Watcher being disabled by default. The document is intended to educate users on important security best practices for securing resources and configurations in Azure.
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
This document discusses bypassing alerts from Microsoft Defender for Identity (MDI). It begins with an introduction to MDI and the types of alerts it generates. It then explores techniques for bypassing alerts during different phases of an attack like reconnaissance, credential compromise, and lateral movement. These include using alternative tools, limiting interactions with domain controllers, and complying with Kerberos policies. The document also notes techniques like silver tickets that are not detected by MDI. It concludes by acknowledging limitations of only testing alerts and not coupled defenses.
BSides Portland - Attacking Azure Environments with PowerShellKarl Fosaaen
For a multitude of reasons, many organizations are moving their operations to the cloud. Along with this, many organizations are introducing old vulnerabilities in new ways. As one of the top cloud providers, Microsoft Azure has had significant adoption and continues to grow in market share. As part of this increase in adoption, there has also been an increase in demand for security testing of Azure environments. Given the blended nature of hosted services, PAAS, and virtual infrastructure, it can be difficult to get a handle on how to properly secure these environments. Reviewing Azure environments can also be time consuming given the lack of automated tools for dumping configuration information.
MicroBurst is a set of PowerShell tools that helps automate the processes of dumping and reviewing Microsoft Azure configurations. This talk will go over the ways that pen testers and defenders can use MicroBurst to dump out the configuration information for an Azure environment, and identify common configuration issues. Security testers will benefit from the speed of dumping environment credentials for pivoting, listing out publicly available services and files, and enumerating additional targets for phishing and password guessing attacks. As an added bonus, defenders can also use these tools to audit their environment for weak spots.
Vault is a tool for securely accessing secrets like API keys and passwords. It allows for [1] generating short-term credentials to access services like AWS, [2] easy revocation of credentials, and [3] auditing of secret access. Vault uses a seal/unseal process where secrets are encrypted at rest requiring threshold of keys to unseal. The document discusses best practices like using tokens for authentication, safeguarding storage backends, and setting up high availability.
The presenter discusses "passkeys", which are multi-device FIDO credentials that can be backed up and replicated across devices. Passkeys are designed to help scale adoption of passwordless FIDO authentication in the consumer space by providing a familiar password manager-like user experience. The presenter demos how passkeys could enable cross-device and cross-ecosystem FIDO authentication on mobile and other devices. Passkeys are also presented as a potential drop-in replacement for passwords with enhanced security characteristics, particularly for high-value enterprise and consumer use cases such as privileged access management.
Sensitive customer data needs to be protected throughout AWS. This session discusses the options available for encrypting data at rest in AWS. It focuses on several scenarios, including transparent AWS management of encryption keys on behalf of the customer to provide automated server-side encryption and customer key management using partner solutions or AWS CloudHSM. This session is helpful for anyone interested in protecting data stored in AWS.
This session introduces the concepts of AWS Identity and Access Management (IAM) and walks through the tools and strategies you can use to control access to your AWS environment. We describe IAM users, groups, and roles and how to use them. We demonstrate how to create IAM users and roles, and grant them various types of permissions to access AWS APIs and resources.
This document summarizes Microsoft Azure Active Directory (Azure AD) and how it compares to on-premises Active Directory Domain Services (AD DS). Azure AD provides identity and access management in the cloud, while AD DS is installed on-premises. Key differences include Azure AD being multi-tenant, lacking group policy support, and using REST APIs instead of LDAP. The document also outlines integrating Azure AD and AD DS through synchronization and federation for single sign-on capabilities across cloud and on-premises applications and services.
Single Sign-On (SSO) allows a user to access multiple applications and systems with a single set of login credentials. The document discusses various SSO standards and implementations including Kerberos, LDAP, CAS, SAML, and PKI. It notes benefits of SSO like reduced passwords to remember but also criticisms like the risk that stealing one set of credentials grants access to all systems.
Windows Azure Active Directory presentation will show you how to set up your Azure AD account and how to connect existing ASP.NET MVC Web Application with Azure Active Directory to provide Single-Sign-On
Let's Encrypt is a free, automated, and open certificate authority that aims to reduce barriers to secure internet communication. It allows users to generate SSL/TLS certificates at no cost by automating the key generation, certificate signing request, and domain verification processes. Certificates issued by Let's Encrypt are generally supported by modern browsers and operating systems. The service uses the ACME protocol for domain verification and has rate limits of 100 domains per certificate and 500 registrations per IP every 3 hours to prevent abuse.
How to (remote) control Office 365 with Azure (SharePoint Konferenz ppEDV Erd...atwork
How to (remote) control Office 365 with Azure
by Martina Grom, MVP Office 365, und
Toni Pohl, MVP Windows Platform Development
SharePoint Konferenz ppEDV in Erding, March 2015
atwork information technology, atwork.at
The document provides an overview of basic web security issues and recommendations to address them. It discusses making regular backups and testing restores, using strong and unique passwords that are changed frequently, password protecting directories with .htaccess, keeping software updated, restricting access to sensitive files and data, preventing cross-site scripting attacks, filtering user-submitted data, and using prepared statements to prevent SQL injection. The goal is to increase awareness of common vulnerabilities and how to avoid or lessen exposure to exploits.
20 common security vulnerabilities and misconfiguration in AzureCheah Eng Soon
This document outlines 20 common security vulnerabilities and misconfigurations in Microsoft Azure. It discusses issues such as storage accounts being publicly accessible, lack of multi-factor authentication, insecure guest user settings, and features like Azure Security Center and Network Watcher being disabled by default. The document is intended to educate users on important security best practices for securing resources and configurations in Azure.
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
This document discusses bypassing alerts from Microsoft Defender for Identity (MDI). It begins with an introduction to MDI and the types of alerts it generates. It then explores techniques for bypassing alerts during different phases of an attack like reconnaissance, credential compromise, and lateral movement. These include using alternative tools, limiting interactions with domain controllers, and complying with Kerberos policies. The document also notes techniques like silver tickets that are not detected by MDI. It concludes by acknowledging limitations of only testing alerts and not coupled defenses.
BSides Portland - Attacking Azure Environments with PowerShellKarl Fosaaen
For a multitude of reasons, many organizations are moving their operations to the cloud. Along with this, many organizations are introducing old vulnerabilities in new ways. As one of the top cloud providers, Microsoft Azure has had significant adoption and continues to grow in market share. As part of this increase in adoption, there has also been an increase in demand for security testing of Azure environments. Given the blended nature of hosted services, PAAS, and virtual infrastructure, it can be difficult to get a handle on how to properly secure these environments. Reviewing Azure environments can also be time consuming given the lack of automated tools for dumping configuration information.
MicroBurst is a set of PowerShell tools that helps automate the processes of dumping and reviewing Microsoft Azure configurations. This talk will go over the ways that pen testers and defenders can use MicroBurst to dump out the configuration information for an Azure environment, and identify common configuration issues. Security testers will benefit from the speed of dumping environment credentials for pivoting, listing out publicly available services and files, and enumerating additional targets for phishing and password guessing attacks. As an added bonus, defenders can also use these tools to audit their environment for weak spots.
Vault is a tool for securely accessing secrets like API keys and passwords. It allows for [1] generating short-term credentials to access services like AWS, [2] easy revocation of credentials, and [3] auditing of secret access. Vault uses a seal/unseal process where secrets are encrypted at rest requiring threshold of keys to unseal. The document discusses best practices like using tokens for authentication, safeguarding storage backends, and setting up high availability.
The presenter discusses "passkeys", which are multi-device FIDO credentials that can be backed up and replicated across devices. Passkeys are designed to help scale adoption of passwordless FIDO authentication in the consumer space by providing a familiar password manager-like user experience. The presenter demos how passkeys could enable cross-device and cross-ecosystem FIDO authentication on mobile and other devices. Passkeys are also presented as a potential drop-in replacement for passwords with enhanced security characteristics, particularly for high-value enterprise and consumer use cases such as privileged access management.
Sensitive customer data needs to be protected throughout AWS. This session discusses the options available for encrypting data at rest in AWS. It focuses on several scenarios, including transparent AWS management of encryption keys on behalf of the customer to provide automated server-side encryption and customer key management using partner solutions or AWS CloudHSM. This session is helpful for anyone interested in protecting data stored in AWS.
This session introduces the concepts of AWS Identity and Access Management (IAM) and walks through the tools and strategies you can use to control access to your AWS environment. We describe IAM users, groups, and roles and how to use them. We demonstrate how to create IAM users and roles, and grant them various types of permissions to access AWS APIs and resources.
This document summarizes Microsoft Azure Active Directory (Azure AD) and how it compares to on-premises Active Directory Domain Services (AD DS). Azure AD provides identity and access management in the cloud, while AD DS is installed on-premises. Key differences include Azure AD being multi-tenant, lacking group policy support, and using REST APIs instead of LDAP. The document also outlines integrating Azure AD and AD DS through synchronization and federation for single sign-on capabilities across cloud and on-premises applications and services.
Single Sign-On (SSO) allows a user to access multiple applications and systems with a single set of login credentials. The document discusses various SSO standards and implementations including Kerberos, LDAP, CAS, SAML, and PKI. It notes benefits of SSO like reduced passwords to remember but also criticisms like the risk that stealing one set of credentials grants access to all systems.
Windows Azure Active Directory presentation will show you how to set up your Azure AD account and how to connect existing ASP.NET MVC Web Application with Azure Active Directory to provide Single-Sign-On
Let's Encrypt is a free, automated, and open certificate authority that aims to reduce barriers to secure internet communication. It allows users to generate SSL/TLS certificates at no cost by automating the key generation, certificate signing request, and domain verification processes. Certificates issued by Let's Encrypt are generally supported by modern browsers and operating systems. The service uses the ACME protocol for domain verification and has rate limits of 100 domains per certificate and 500 registrations per IP every 3 hours to prevent abuse.
How to (remote) control Office 365 with Azure (SharePoint Konferenz ppEDV Erd...atwork
How to (remote) control Office 365 with Azure
by Martina Grom, MVP Office 365, und
Toni Pohl, MVP Windows Platform Development
SharePoint Konferenz ppEDV in Erding, March 2015
atwork information technology, atwork.at
The document provides an overview of basic web security issues and recommendations to address them. It discusses making regular backups and testing restores, using strong and unique passwords that are changed frequently, password protecting directories with .htaccess, keeping software updated, restricting access to sensitive files and data, preventing cross-site scripting attacks, filtering user-submitted data, and using prepared statements to prevent SQL injection. The goal is to increase awareness of common vulnerabilities and how to avoid or lessen exposure to exploits.
This document provides an overview of basic web security best practices. It recommends making rolling backups and testing restores, using strong and unique passwords that are changed frequently, password protecting directories with .htaccess, keeping software updated, filtering user inputs to prevent XSS and SQL injection attacks, and avoiding displaying sensitive data in publicly accessible areas. The document also warns about cookies potentially containing malicious code and the risks of iframes.
Advanced phishing for red team assessmentsJEBARAJM
The presentation was about how Office365 can be attacked, and how GSUITE features can be leveraged for phishing and RED Team assessments.
Linkedin: https://www.linkedin.com/in/jebaraj-m-551a091aa/
The document provides an overview of securing identity infrastructure in Azure. It discusses five key steps:
1. Strengthening credentials by implementing strong authentication like multi-factor authentication and password policies.
2. Reducing the attack surface by blocking legacy authentication protocols and restricting access points.
3. Automating threat response with tools like Azure AD Identity Protection for automated risk detection and remediation.
4. Utilizing cloud intelligence by monitoring Azure AD logs, events, and health to detect anomalies and threats.
5. Enabling self-service options for users like self-service password reset and access reviews to balance security and productivity.
The document provides examples and recommendations for each step and references
The document discusses strategies for building scalable applications on Windows Azure Cloud Services. Key points include:
- Designing applications using "scale units" which are groups of roles and supporting services that can be easily duplicated and deployed to scale out an application.
- Taking advantage of Azure services like SQL Database, storage, and caching to build scalable applications.
- Implementing patterns like caching, retries, and decoupled communications to provide performance and fault tolerance in large-scale systems.
Azure Networking, Azure Storage, Enterprise Azure Active Directory, Daemon or Server application authentication workflow, Worker processes, Daemon, Daemon application to Web API, Azure Active Directory in old azure portal, ASM, Azure active directory and Mutl-tenant applications, Sharding, Federation, Shared singe, RBAC, Differences between AAD and AD DS, Azure AD Subscription models, Azure Domain Names, Manage Users, Groups,Co-Admin Role, Default Azure Active Directory, Adding access to another azure subscription. Contributor, Owner , Roles in Azure Subscriptions, Roles, MFA, Multi-Factor Authentication, How does MFA works, Scenarios for Azure MFA, Setting up MFA in Azure AD, Setting MFA, Azure Authenticator, Hybrid AD solutions, AD DS, Federated Trust, Domain Controller, AD, AAD Connecter, AD FS, AAD, Active Directory Password synchronization, Benefits of Active Directory, Active Directory Replication, vulnerabilities with multiple Domain Controller, Azure AD features, Synchronization with AD Connect, Write-back policies, Azure AD Health COnnect, Installing Azure AD COnnect Health,Integrating Azure AD and SaaS Applications, Benefits of using SaaS Solutions with your products, Benefits of SaaS Solutions, Azure Marketplace, DropBox Integrations with AAD, New Relic Integrations, New Relic, Dropbox, Azure AD Enterprise Application, VSTS integration for Automated Builds, Federation Overview, Claims, Single Sign On, Federated Trusts, Claim based authentications, Federated trusts, Claims Processing, Web Application Proxy, ADFS Proxy, ADFS 2.0 Proxy, How does ADFS proxy works for internal users, How does ADFS proxy works for internal users,Azure AD B2C Directory, B2C applications, Business 2 Customers application, 3rd Party Authentication, Bearer Token, OAuth, 3rd Party Identity Provider, OAuth server, Azure AD B2C Authentication & Authorization, Implementing Azure AD B2C Directory, Setting up Single Sign On with Facebook, Google, Microsoft. Linkedin, SignUP Policies, SignIN Policies, Email SignUp, SignUpSignIN PolicyID, Configuring Application with Azure Application ID,Modern Applications, Requirements for Modern Apps, API, Logic Applications, Mobile App, Web App, Function App, Go To Market, Microsoft Application Platform, App Service Plan, App Service Environment - Private Infrastructure, Why use App Service, App service Features & Capabilities, Azure App Service, Virtual Machine, Service Fabric & Cloud Services Comparison, Creating a Mobile App, Swagger UI, API Apps, API management, API APPS & API Management, Implementing API APP via Visual Studio,
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)cgmonroe
This is an updated version of this talk given at DrupalCamp Atlanta (DCA)
This presentation is an overview / case study of things learned by experiencing GDPR Security audits, DoS attacks, brute force login attacks, annoying robot crawlers, and hackers doing security probes.
The session will cover the following main topics with tips on how to protected against each of these.
An overview of security threats
Server Level Attacks
Code Level Attacks
User Access Attacks
Internal Attacks
Some suggestions on developing a security plan
People attending should come away with useful knowledge (modules, best practices, sites that help, front end tools and the like) that will help secure their sites.
Five Things You Didn't Know About Firebase AuthPeter Friese
There’s no doubt about it: many apps need some way of authenticating the user, but most developers don’t get overly excited by the prospect of implementing a login/sign-up screen.
In this talk, you will learn what Firebase Auth is, why you should use it, and - if this didn’t get you excited yet - 5 things you probably didn’t know about Firebase Auth before.
In particular, we’re going to look at
- How Firebase Auth works, and why you should use it
- How to let users sign in without even having to come up with a password
- What Anonymous Auth is all about and why you should care
- How to make signing in on iOS more magical
A Drupalcon Chicago presentation for coders/developers about web application security in the Drupal system. Covering Cross Site Scripting and Cross Site Request Forgeries.
ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a...ITProceed
Are you ready to discover one of the most hidden and underestimated Windows 2012 R2 features called "Work Folders"?
Work Folders allows you to leverage your investment in File Servers while simultaneously providing end users with anywhere access to their data from their work PC as well as their personal devices. In this session, you will learn about the challenges to securely implement and manage "traditional" home folders to the BYOD (bring your own device) world. Learn how to deploy and manage Work Folders servers and clients, gain an understanding of how Work Folders operates end-to-end and integrates into your existing infrastructure, and how Work Folders takes advantage of capabilities like multi-factor authentication, Workplace Join and Selective Wipe to ensure that corporate data remains secure wherever it goes.
What small businesses need to know about Azure AD premiumMiguel Tena
In this session I reflect on what Azure AD brings to the table for small businesses an do an introduction of key services in each tier of the identity platform to improve your security posture, improve onboarding/offboarding and enhance productivity through governance.
MS Azure White Paper & Infographic
Azure is an ever-expanding set of cloud services to help organizations meet business challenges. It’s the freedom to build, manage, and deploy applications on a massive, global network using your favorite tools and frameworks.
This document provides a step-by-step guide to configure identity federation between Moodle, Active Directory Federation Services 2.0 (AD FS 2.0), and Windows Azure Active Directory. This setup enables single sign-on access to Moodle and Office 365 using federated identities. It also supports user autoprovisioning in Moodle and automatic course enrollment based on Active Directory group membership. The guide outlines prerequisites, requirements, and configuration instructions for AD FS 2.0, Moodle, SimpleSAMLPHP, and relevant Moodle plugins to enable the federated identity and access management capabilities.
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
Per creare valore e costruire una propria offerta differenziante e riconoscibile, le startup di successo sanno come combinare tecnologie consolidate con componenti innovativi creati ad hoc.
AWS fornisce servizi pronti all'utilizzo e, allo stesso tempo, permette di personalizzare e creare gli elementi differenzianti della propria offerta.
Concentrandoci sulle tecnologie di Machine Learning, vedremo come selezionare i servizi di intelligenza artificiale offerti da AWS e, anche attraverso una demo, come costruire modelli di Machine Learning personalizzati utilizzando SageMaker Studio.
- Your company's Azure subscription includes two stopped virtual machines, VirMac1 and VirMac2.
- You have been tasked with starting the virtual machines using Azure Policy.
- To do this, you need to create a policy that includes the "DeployIfNotExists" effect to start the virtual machines if their status is stopped.
Working with Security and Compliance in Microsoft Teams - Microsoft 365 Virtu...Chirag Patel
The document provides an agenda and details for a Microsoft 365 virtual marathon session on working with security and compliance in Microsoft Teams. The session will cover Teams dependencies, policy controls, data classification tools like sensitivity labels, and features for securing guest access, meetings, files and communications. It also lists many Microsoft compliance and security resources for Teams.
Similar to Demystifying Initial Access in Azure (20)
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Trusted Execution Environment for Decentralized Process MiningLucaBarbaro3
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
2. Security enthusiast.
Offensive security and other things.
Hiking, gaming, watching CSGO,
befriending random animals.
Gabriel Mathenge
Not even my cat.
Freeloader.
Eating my food.
Meowing loudly for no reason.
Scratching my furniture.
Pinto
WHO
3. Gabriel Mathenge | aka V1V1
Blog: https://thevivi.net
Twitter: https://twitter.com/_theVIVI
GitHub: https://github.com/V1V1
Discord: V1V1#0804
Email: gabriel<at>thevivi.net
WHO
4. Highlighting some common techniques used to get an initial foothold.
Not about setting everything up, mostly high-level explanations and demos of the tradecraft.
Resources for additional reference and with detailed breakdowns of the techniques.
Detection and mitigation resources.
Free and paid content to level up your Azure skills.
How attackers gain access to Azure/Azure Active Directory envrionments
WHAT
5. Azure 101
Our scenario
Discovery & Recon
Attacks
Password Spraying
Insecure Blob Storage
Illicit Consent Grant
Learn Azure security
References
a.
b.
c.
AGENDA
7. Microsoft's public cloud computing platform.
Azure provides access to various computing resources
over the internet.
These services are numerous and come in all sorts of
flavors; virtual machines, storage and backup,
application hosting and much more.
Like most popular cloud services, Azure uses a pay-as-
you-go subscription model (only pay for what you use).
https://azure.microsoft.com/en-us/resources/cloud-computing-
dictionary/what-is-azure/
AZURE 101
9. Azure Active Directory (Azure AD) is a cloud-based
identity and access management (IAM) service.
Azure AD is the backbone to providing identity and access
based privileges to services in Azure.
Who can access what? What types of rights and resources
should specific groups be able to interact with? How do
we configure single sign-on (SSO)?
All these questions can be answered using Azure AD.
https://docs.microsoft.com/en-us/azure/active-
directory/fundamentals/active-directory-whatis
AZURE ACTIVE DIRECTORY
10. Azure AD is a service that's offered as part of the Azure cloud platform.
Azure AD is NOT Azure.
AZURE AD VS AZURE
11. It's tempting to think of Azure Active Directory and regular
on-prem Active Directory as the same thing, but they're
really not.
Their main similarity is that they're both identity and
access management solutions provided by Microsoft.
Users and groups, privilege assignments, access
permissions - these are all part of Azure AD & AD, but
they're still not completely identical.
They can be configured to work together e.g. for single
sign-on scenarios, but it's not mandatory.
https://docs.microsoft.com/en-us/azure/active-
directory/fundamentals/active-directory-compare-azure-ad-to-ad
AZURE AD VS ACTIVE DIRECTORY
12. An Azure AD tenant is a reserved Azure AD service
instance that an organization receives and owns once it
signs up for a Microsoft cloud service such as Azure.
Each tenant represents an organization, and is distinct
and separate from other Azure AD tenants.
Azure tenants are globally unique. On signup to Azure, you
will be provided with a domain name that ends with
‘onmicrosoft.com’.
For example - bananastore.onmicrosoft.com.
https://docs.microsoft.com/en-us/power-
bi/developer/embedded/create-an-azure-active-directory-tenant
AZURE TENANT
14. You work for Butcher International.
You've been contracted to gain access to Vought
International. They're a massive organization that have a
bunch of their resources on the cloud.
All we know about Vought International is the
organization's name and their domain name.
Rules of engagement - anything goes; targeting
infrastructure, applications, users and so on.
NOTE: The focus of this presentation is exploring
common initial access vectors. I won't be carrying out
any post-exploitation activities.
BUTCHER INTERNATIONAL
17. The first thing we need to figure out is if the target
organization is using Azure/Azure AD.
In our scenario, it's obvious because the organization
we're targeting has the domain name:
voughtint.onmicrosoft.com.
But in real life, this will probably have been changed to
something more brand friendly like:
voughtinternational.com.
Let's just pretend it's not obvious for the sake of demos.
DOMAIN ENUMERATION
18. AADInternals is a PowerShell module for administering Azure AD and Office 365.
https://github.com/Gerenios/AADInternals
Developed by DrAzureAD.
https://twitter.com/DrAzureAD
DOMAIN ENUMERATION - AADInternals
20. # Import the module
Import-Module .ToolsAADInternalsAADInternals.psd1
# Get basic tenant information
Get-AADIntLoginInformation -UserName user@voughtint.onmicrosoft.com
# Get tenant ID
Get-AADIntTenantID -Domain voughtint.onmicrosoft.com
# Get as much external info as possible
Invoke-AADIntReconAsOutsider -DomainName voughtint.onmicrosoft.com
AADInternals Commands
21. o365spray is a username enumeration and password spraying tool aimed at Microsoft Office 365 (O365).
https://github.com/0xZDH/o365spray
Developed by 0xZDH.
https://github.com/0xZDH
DOMAIN ENUMERATION - o365spray
23. Visit the URL below (change the domain name with the domain name you're enumerating).
https://login.microsoftonline.com/getuserrealm.srf?login=user@voughtint.onmicrosoft.com&xml=1
If the <NameSpaceType> is Managed, then you can tell the organization is using Azure AD.
Manual domain enumeration
24. A lot of attacks against Azure, AzureAD, Office 365 etc. are
user focused. So it really helps to gather as many emails
& usernames as we can from our target organization.
There are plenty of sources we can use to gather
user/email information:
Social media (LinkedIn).
Email enumeration tools.
Organization's website.
USER ENUMERATION
25. Everyone's least favorite social media site.
https://www.linkedin.com
Use this Google dork to find your target organization's LinkedIn page.
site:"linkedin.com" "[ORGANIZATION-NAME]"
USER ENUMERATION - LinkedIn
27. USER ENUMERATION - LinkedIn
BridgeKeeper is a tool that can scrape employee names from search engine LinkedIn
profiles and convert employee names to a specified username format.
https://github.com/0xZDH/BridgeKeeper
28. There are tons of email enumeration tools available, both free and paid.
I can't list them all, but some personal favorites are:
Hunter.io - https://hunter.io/
DeHashed - https://www.dehashed.com/
theHarvester - https://github.com/laramies/theHarvester
USER ENUMERATION - Email discovery tools
29. You always want to be aware of an organization's email formats when doing your recon.
You might end up in a situation where you have a lot of employee names and need to
convert them into potential email targets for your attacks later on.
Some common formats are:
{first}.{last} -> jane.doe@voughtinternational.com
{f}{last} -> jdoe@voughtinternational.com
{f}{m}.{last} -> jm.doe@voughtinternational.com
USER ENUMERATION - Email format
30. Most of the time, you won't find a lot of emails from an organization's website, but it's still worth
checking out. You can often find a few names from senior management that you can then convert into
emails - assuming you know the organization's email format.
USER ENUMERATION - Organization's website
31. Back to our scenario. Let's say we've collected a number of
emails during our recon phase.
We can't just start using them in our attacks without first
verifying which of the emails are actually valid.
We need to enumerate the entire list of gathered usernames
so we can generate a list of only valid emails to target in our
attacks later on.
NOTE: Most automated email discovery tools won't do email
validation for you.
VALIDATING EMAILS
32. TeamFiltration is a cross-platform framework
for enumerating, spraying, exfiltrating, and
backdooring O365 AAD accounts.
https://github.com/Gerenios/AADInternals
Developed by Flangvik.
https://twitter.com/Flangvik
VALIDATING EMAILS - TeamFiltration
34. # Enumerate a list of user provided emails and discover the valid emails. Emails will be validated using the Microsoft Teams API.
TeamFiltration_Win.exe --enum --validate-teams --usernames .vought-user-emails.txt --outpath .TF-Demo --config
.TeamFiltrationConfig_Example.json
# Connect to the database.
.TeamFiltration_Win.exe --database --outpath .TF-Demo --config .TeamFiltrationConfig_Example.json
# Show collected emails.
show emails
TeamFiltration Commands
35. Omnispray is a modular enumeration and password spraying framework
https://github.com/0xZDH/o365spray
Developed by 0xZDH.
https://github.com/0xZDH
VALIDATING EMAILS - Omnispray
36. # Enumerate a list of user provided emails and discover the valid emails via the Office 365 module.
python3 omnispray.py --type enum -uf ../Vought-Files/vought-user-emails.txt --module o365_enum_office --outdir vought-results
Omnispray
37. We finally have a list of valid emails to target in Vought International.
Let's get to the attacks.
VALID EMAILS
40. Password spraying is an attack that attempts to gain
access to a large number of accounts with a commonly
used password.
It’s basically the opposite of traditional bruteforcing which
attempts to access a single or small number of accounts
using numerous passwords.
Password spraying tends to have high rates of success
and is something you should make a habit of doing
whenever you get the chance.
The more emails you have, the higher your chances of
success.
PASSWORD SPRAYING
42. PASSWORD SPRAYING
There is no silver bullet for password
selection during password spraying, but
here are a few suggestions you can
consider:
Company name + year (e.g.
Disney2022).
City/country + year (e.g. Kenya2022,
Nairobi2022).
Season + year (e.g. Spring2022 – this
depends on where you live).
44. TeamFiltration commands
# Spray the emails already in the database with a file containing common passwords.
.TeamFiltration_Win.exe --spray --passwords common.txt --outpath .TF-demo --config .TeamFiltrationConfig_Example.json
# Exfil info from Azure AAD (after finding a valid login).
.TeamFiltration_Win.exe --exfil --aad --outpath .TF-demo --config .TeamFiltrationConfig_Example.json
# Connect to the database.
.TeamFiltration_Win.exe --database --outpath .TF-demo --config .TeamFiltrationConfig_Example.json
• Show collected emails and credentials.
show emails
show creds
46. You'll find a lot of tools or scripts that can enumerate or spray
Office365/Azure/OWA etc.
So how do you choose the right one to use? Here are some of the things I
look for in spraying tools:
Support for spraying through proxies & e.g. fireprox (useful for
bypassing Azure Smart Lockout)
https://github.com/ustayready/fireprox
https://docs.microsoft.com/en-us/azure/active-
directory/authentication/howto-password-smart-lockout
Capability to spray/enumerate against multiple Microsoft services.
Easy customization - configure lockouts, sleep timers, delay timers etc.
Some of my favorite tools:
TeamFiltration - https://github.com/Flangvik/TeamFiltration
MSOLSpray - https://github.com/dafthack/MSOLSpray
Omnispray - https://github.com/0xZDH/Omnispray
WHICH SPRAYING TOOL?
49. An Azure storage account contains all of your Azure
Storage data objects, including blobs, file shares, queues,
tables, and disks.
The service allows you to store objects on the cloud.
The storage account provides a unique namespace for
your Azure Storage data that's accessible from anywhere
in the world over HTTP or HTTPS.
Storage accounts offer different types of storage services;
Blob, Queue, File and Table
https://docs.microsoft.com/en-us/azure/storage/common/storage-
account-overview
AZURE STORAGE ACCOUNTS
50. AZURE BLOB SERVICE
Azure blob storage is a service that is optimized for storing large amounts of unstructured data e.g. images, videos,
documents, log files etc.
53. MicroBurst is a collection of scripts for assessing
Microsoft Azure security.
https://github.com/NetSPI/MicroBurst
Developed by the awesome hackers over at NetSPI
https://www.netspi.com/
It has a module with the capability to enumerate storage
storage blobs associated with a target tenant
https://github.com/NetSPI/MicroBurst/wiki/Miscellaneous-
Functions#invoke-enumerateazureblobsps1
ENUMERATING STORAGE BLOBS - MicroBurst
54. ENUMERATING STORAGE BLOBS - MicroBurst
# Import the module and identify any storage blobs associated with a target. It will also attempt to enumerate any containers in the blob.
Import-Module .ToolsMicroBurstMiscInvoke-EnumerateAzureBlobs.ps1
Invoke-EnumerateAzureBlobs -Base vought
55. ENUMERATING STORAGE BLOBS - MicroBurst
This module takes a base word (e.g vought) and prefixes/suffixes
it with a list of words to identify any storage blobs associated with
a target.
The presence of the base word in a blob name does not indicate
that it belongs to a given entity.
Ensure that you are only testing resources that you have
permission to test.
BE CAREFUL!
61. In an illicit consent grant, an attacker tricks an end user
into granting an application under the attacker's control
consent to access their data.
"Data" typically means the target's user information,
email, documents etc.
It's a phishing attack that abuses OAuth2’s authorization
flow. This means that the attacker can gain access to the
target's data without needing their login information
(username, password, MFA token).
https://positivethinking.tech/insights/what-is-an-illicit-consent-grant-
attack-in-office-365/
https://www.varonis.com/blog/what-is-oauth
ILLICIT CONSENT GRANT
63. A web application framework for
launching and managing OAuth
abuse campaigns.
https://github.com/mandiant/PwnAuth
https://www.mandiant.com/resources/bl
og/shining-a-light-on-oauth-abuse-with-
pwnauth
Developed by doughsec.
https://twitter.com/doughsec
PwnAuth
72. JUST SCRATCHING THE SURFACE
The attacks highlighted in this presentation are just a few
of the possible ways to gain a foothold in Azure/O365
environments. Some more worth mentioning are:
Abusing Azure App Service.
https://0xpwn.wordpress.com/2022/03/08/create-an-azure-
vulnerable-lab-part-2-environment-variables/
https://0xpwn.wordpress.com/2022/03/13/create-an-azure-
vulnerable-lab-part-4-managed-identities/
Azure device code phish.
https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
Credential phishing.
https://sneezy-ladybug.github.io/posts/passing-the-phish/
https://sneezy-ladybug.github.io/posts/passing-the-phish-II/
74. Introduction to Azure Penetration Testing (FREE!)
https://azure.enterprisesecurity.io/
Introduction to Azure Penetration Testing (Azure 101)
https://www.udemy.com/course/microsoft-azure-beginners-guide/
Attacking and Defending Azure AD Cloud (CARTP certification)
https://bootcamps.pentesteracademy.com/courses
Azure Application Security: Beginner's Edition
https://bootcamps.pentesteracademy.com/courses
Breaching Azure
https://cloudbreach.io/labs/
COURSES/LABS
75. Getting Started in Pentesting The Cloud–Azure | Beau Bullock
https://www.youtube.com/watch?v=u_3cV0pzptY
Introduction To Azure Penetration Testing | Nikhil Mittal
https://www.youtube.com/watch?v=5dVSHuCEG2w
Attacking and Defending the Microsoft Cloud (Office 365 &
Azure AD) | Sean Metcalf and Mark Morowczynski
https://www.youtube.com/watch?v=SG2ibjuzRJM
It’s Raining Shells - How To Find New Attack Primitives In Azure
| Andy Robbins
https://www.youtube.com/watch?v=a09_5SCPBZ0
YOUTUBE
76. Penetration Testing Azure for Ethical Hackers
https://www.amazon.com/Penetration-Testing-Azure-Ethical-
Hackers/dp/1839212934
Pentesting Azure Applications
https://nostarch.com/azure
I really couldn't find more highly recommended/reviewed
books ¯_(ツ)_/¯
BOOKS