Azure Cloud Security Pentesting Skills
A good interview with Karl Fosaaen of NetSPI about pentesting Azure. I recommend his book and his blog.
- Start with a config review to find the cloud footprint.
- Find vulnerabilities and misconfigurations, then pentest to demonstrate them.
- See what managed identities there are, what roles they have, and what resources they can access. Formulate the path: compromise one, then pivot to another resource that has other privileges.
- Public storage accounts are an easy place to start - there are APIs to pull and scrape them.
- If you have read access to a resource group then you can also see all the deployments - these may contain secrets, e.g. if you forgot to mark a parameter as a secure string.
- System-assigned managed identity - assigned by Azure to a specific resource.
- User-assigned managed identities - assigned by the user to multiple resources. Can be shared - potential for sharing too widely.
- If you've got Contributor access to assign managed identities then you can assign one to resources you own and give them its permissions.
- Tools on the NetSPI site - e.g. MicroBurst for Azure discovery.
- MITRE ATT&CK cloud matrix - broad.
- Azure-specific - Azure Threat Research Matrix.
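The deployment-history point above (secrets leaking because a parameter was never marked `securestring`) is easy to check for before a template is ever deployed. This is an added example of mine, not code from the interview, the book or NetSPI: it scans an ARM template for credential-looking parameters that are not typed `securestring`/`secureobject`. The template, the parameter names and the name pattern are constructed for illustration.

```python
import json
import re

# Constructed sample ARM template (not from the page). "adminPassword" is typed
# correctly; the other two secret-like parameters are plain strings, so their
# values would be recorded in clear text in the resource group's deployment
# history, which anyone with Reader access can view.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminPassword": {"type": "securestring"},
        "storageConnectionString": {
            "type": "string",
            "defaultValue": "DefaultEndpointsProtocol=https;AccountKey=PLACEHOLDER",
        },
        "location": {"type": "string", "defaultValue": "eastus"},
        "apiKey": {"type": "string"},
    },
    "resources": [],
})

# Parameter names that usually carry credentials; tune this for your own templates.
SECRET_NAME_PATTERN = re.compile(r"(password|secret|key|token|connectionstring|sas)", re.IGNORECASE)
SECURE_TYPES = {"securestring", "secureobject"}


def find_insecure_secret_params(template_json: str) -> list:
    """Return secret-looking parameters whose type is not securestring/secureobject.

    Each finding notes whether the parameter carries a defaultValue: a default
    is baked into the template itself, so it leaks even if the deployment was
    run without a parameters file.
    """
    template = json.loads(template_json)
    findings = []
    for name, spec in template.get("parameters", {}).items():
        ptype = str(spec.get("type", "")).lower()
        if SECRET_NAME_PATTERN.search(name) and ptype not in SECURE_TYPES:
            findings.append({
                "parameter": name,
                "type": ptype,
                "has_default": "defaultValue" in spec,
            })
    return findings


if __name__ == "__main__":
    for f in find_insecure_secret_params(SAMPLE_TEMPLATE):
        default = "yes" if f["has_default"] else "no"
        print(f"{f['parameter']}: type={f['type']} default={default} -> retype as securestring")
```

To audit what is already in the history rather than a template on disk, the same function can be pointed at the JSON that `az deployment group export` returns for each past deployment in the resource group.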
This also reminded me of Varonis - see who can and does access resources, and remove unnecessary access. Enterprise only - no pricing page; schedule a demo.
PS: I bought the book and started reading it. It’s kinda like a pentester’s handbook.
This post is licensed under CC BY 4.0 by the author.