Christian Bortone

16 posts

@xybytes
Prague, Czech Republic. Joined February 2019
108 Following, 181 Followers
Christian Bortone@xybytes·
@ppetryszen Unfortunately, the only way to verify these roles is to review them one by one. The role names are misleading, and the documentation is not reliable here because Microsoft does not provide clear information for this case. There are likely many others like this...
Christian Bortone@xybytes·
Just published new research on Azure File Sync. I found that the built-in Azure File Sync Administrator role can grant more power than expected, opening a path to privilege escalation and sensitive file access. xybytes.com/azure/Abusing-…
Christian Bortone@xybytes·
Weak ACLs in AD and misconfigured dynamic groups in Azure AD are not new vulnerabilities. But when they intersect in a hybrid environment, they create a powerful, and often overlooked, attack path. You can read here my article. 🫡 lnkd.in/d9AMzdj7
Christian Bortone@xybytes·
@G0ldenGunSec Excellent article. Just a quick note. The GPO abuse in Azure Arc (DPAPI + decoded secrets) was originally discovered by me about two years ago. I’d appreciate it if you could link to the original article for that specific section. xybytes.com/azure/Abusing-…
Dave Cossa@G0ldenGunSec·
Azure Arc is Microsoft's solution for managing on-premises systems in hybrid environments. My new blog covers how it can be identified in an enterprise and misconfigurations that could allow it to be used for out-of-band execution and persistence. ibm.com/think/x-force/…
Christian Bortone@xybytes·
I was at @BSidesZagreb last week. I gave a talk on Privilege Escalation in Azure Machine Learning. If you're interested, check out this article on the topic. Plus, there are two scripts in MicroBuster that you can use for enumeration. 🙂 xybytes.com/azure/Privileg…
Christian Bortone@xybytes·
In my latest research article, I take a close look at the weaknesses within Azure Application Proxy, demonstrating how impersonating the connector can enable traffic hijacking from outside the infrastructure. xybytes.com/azure/Azure-Ap…
Christian Bortone@xybytes·
During my exploration of Azure Arc, I noticed that the Azure Arc Management Tool can be used to coerce NTLM authentication. The interesting part is that all the other options require local administrator permissions—except for this one. 🤔 lnkd.in/degfdcQF
Fabian Bader@fabian_bader·
@kfosaaen I have to double check but to run a command you would need Microsoft.HybridCompute/machines/runCommands/write which is not available to this role.
Karl@kfosaaen·
Assuming I'm reading this one correctly, this one is a pretty big deal. Continuing my take on it in a thread, but read the blog from @xybytes here: xybytes.com/azure/Abusing-…
Christian Bortone@xybytes·
@fabian_bader @kfosaaen While I'm not sure how common this is in real-world environments, it's possible, especially considering that many system administrators may not be very familiar with Azure Arc. Therefore, the impact depends on the RBAC assigned to that SP.
Christian Bortone@xybytes·
@fabian_bader @kfosaaen This situation highlights a scenario where a system administrator might use a single SP for all tasks, including managing Azure and onboarding new machines.
Christian Bortone@xybytes·
@fabian_bader @kfosaaen Yes, that’s correct. If you only have the onboarding role, you can only add new machines to Azure Arc. With the Azure Connected Machine Resource Administrator role, you have full control.
Christian Bortone retweeted
🅾️sservaMy👁️☮️🌈👠
Basically, it is the reason on which today's "non-culture" is founded. How much I miss you, how much I miss your words ♥️ #MichelaMurgia
Christian Bortone@xybytes·
I am excited to announce that I will be presenting a new attack technique in Azure Arc that I discovered, at BSides Leeds. In this talk, I will discuss a recent security flaw that enables bad actors within a corporate environment to gain control over a service principal account.
Intigriti@intigriti·
What's the most underrated vulnerability?
Christian Bortone@xybytes·
To all my fellow pen testing buddies out there, this meme is dedicated to the unlucky soul who started an engagement, only to face a server that took a 24-hour nap or developers who removed functionality from the web app to avoid being tested. It can be f…lnkd.in/er47BDZy