Ryan (@haus3c) 's Twitter Profile
Ryan

@haus3c

Professional Microsoft documentation decoder (MDD).

ID: 4212826813

https://hausec.com/ 12-11-2015 13:25:14

1,1K Tweet

6,6K Followers

347 Following

Karl (@kfosaaen) 's Twitter Profile Photo

As a follow up on this thread, we have a new NetSPI blog out today that explains how we were able to get the App Registration certificates for Managed Identities that were attached to Linux Function App containers. netspi.com/blog/technical…

Ryan (@haus3c) 's Twitter Profile Photo

This is quite frustrating. When viewing managed identity sign in logs via portal, the time stamp differs from Log Analytics. Por que? This fucks with some detection logic I have :(. I know one is in UTC time, but specifically the minute & seconds shouldn't be different.

Ryan (@haus3c) 's Twitter Profile Photo

While working at Microsoft, it was somewhat frowned upon to call the baby (Azure logs) ugly. But now I get to call it like it is, so I wrote about trying to make the most out of basically nothing trustoncloud.com/an-attempt-at-…

DebugPrivilege (@debugprivilege) 's Twitter Profile Photo

Very happy to see Shiva P from Microsoft DART blogging about this topic on how to hunt in Graph API logs. Shiva P will also present this topic at OrangeCon so make sure to check it out! He's a great guy and I'm happy for him! techcommunity.microsoft.com/t5/microsoft-s…

Prelude (@preludeorg) 's Twitter Profile Photo

Test-driven development—not just for software engineering. Matt Hand breaks down how applying this logic streamlines how you execute, evaluate, and iterate on your detections to better augment your defensive coverage hubs.la/Q02W9xs80

Karl (@kfosaaen) 's Twitter Profile Photo

New NetSPI blog out today on "Hijacking Azure Machine Learning Notebooks (via Storage Accounts)". This is very similar to Storage Account attacks that have been done against Function/Logic Apps and Cloud Shell - netspi.com/blog/technical…

Dirk-jan (@_dirkjan) 's Twitter Profile Photo

It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates. Also includes ESC1 over Intune (in some cases). dirkjanm.io/extending-ad-c… Oh, and a new tool for SCEP: github.com/dirkjanm/scepr…

Dirk-jan (@_dirkjan) 's Twitter Profile Photo

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…