Azure Cloud Security Pentesting Skills

Azure Cloud Security Pentesting Skills

A good interview with Karl Fosaaen of NetSPI about pentesting Azure. I recommend his book and his blog.

  • Start with config review - find the cloud footprint.
  • Find vulnerabilities, misconfiguration. Then pentest to demonstrate.
  • See what managed identity there are, what roles they have, what resources they can access. Formulate the path - compromise one, pivot to another resource that has other privileges.
  • Public storage accounts are an easy place to start - there’s API’s to pull it and scrape it.
  • If you have read access to resource group then you can also see all the deployment - these may contain secrets, eg if you forgot to mark something as a secure string.
  • System assigned managed identity - assigned by Azure to a specific resource.
  • User-assigned managed identities - assigned by user to multiple resources. Can be shared - potential for sharing too widely.
  • If you’ve got contributor access to assign managed identities then you can assign it to resources you own and give them permissions.
  • Tools on NetSPI site - eg MicroBurst for Azure discovery.
  • Mitre cloud att&ck framework - broad.
  • Azure specific - Azure Threat Research Matrix.

This also reminded me of Varonis - see who can and does access resources - remove unnecessary access. Enterprise only - no pricing page - schedule a demo.

PS: I bought the book and started reading it. It’s kinda like a pentester’s handbook.

This post is licensed under CC BY 4.0 by the author.