
Azure Cloud Security Pentesting Skills

A good interview with Karl Fosaaen of NetSPI about pentesting Azure. I recommend his book and his blog.

  • Start with config review - find the cloud footprint.
  • Find vulnerabilities, misconfiguration. Then pentest to demonstrate.
  • See what managed identities there are, what roles they have and what resources they can access. Formulate the path: compromise one, pivot to another resource that has other privileges.
  • Public storage accounts are an easy place to start - there are APIs to pull and scrape them.
  • If you have read access to a resource group then you can also see all the deployments - these may contain secrets, e.g. if you forgot to mark a parameter as a secure string.
  • System assigned managed identity - assigned by Azure to a specific resource.
  • User-assigned managed identities - assigned by user to multiple resources. Can be shared - potential for sharing too widely.
  • If you’ve got contributor access to assign managed identities then you can assign it to resources you own and give them permissions.
  • Tools on the NetSPI site - e.g. MicroBurst for Azure discovery.
  • MITRE ATT&CK cloud matrix - broad.
  • Azure-specific - Azure Threat Research Matrix.
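The deployment-history point above (a parameter that was never marked secure ends up with its value visible to anyone who can read the resource group's deployments) can be checked before a template is ever deployed. The following is an added example, not code from the interview, the book or NetSPI: it scans an ARM template's `parameters` block for names that look like credentials but are typed as plain `string`/`object`, and produces a hardened copy. The template, the name heuristic and the `SECRET_NAME_RE` pattern are constructed for the example.

```python
"""Flag ARM template parameters that look like secrets but are not marked
secure. Azure Resource Manager keeps the values of non-secure parameters in
the deployment history, so anyone with read access to the resource group can
see them; securestring/secureobject values are not stored there.
Added example; the template below is constructed, not a real deployment."""
import json
import re

# Parameter types whose values are not persisted in deployment history.
SECURE_TYPES = {"securestring", "secureobject"}

# Heuristic for names that usually carry credential material (constructed).
SECRET_NAME_RE = re.compile(r"(password|secret|key|token|connectionstring|sas)",
                            re.IGNORECASE)


def find_insecure_secret_parameters(template: dict) -> list:
    """Return names of parameters that look like secrets but are not secure*."""
    findings = []
    for name, spec in template.get("parameters", {}).items():
        ptype = str(spec.get("type", "")).lower()
        if SECRET_NAME_RE.search(name) and ptype not in SECURE_TYPES:
            findings.append(name)
    return findings


def harden(template: dict) -> dict:
    """Return a deep copy where each flagged parameter is made secure.
    Any defaultValue is dropped too: a default on a secret parameter is just
    a hard-coded secret in the template file."""
    fixed = json.loads(json.dumps(template))  # deep copy via JSON round-trip
    for name in find_insecure_secret_parameters(template):
        spec = fixed["parameters"][name]
        ptype = str(spec.get("type", "")).lower()
        spec["type"] = "secureObject" if ptype == "object" else "secureString"
        spec.pop("defaultValue", None)
    return fixed


# Constructed sample template: one credential parameter left as plain string.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vmName": {"type": "string"},
        "adminPassword": {"type": "string", "defaultValue": "ChangeMe!"},  # the mistake
        "storageKey": {"type": "secureString"},                            # already fine
    },
    "resources": [],
}

if __name__ == "__main__":
    for p in find_insecure_secret_parameters(SAMPLE_TEMPLATE):
        print(f"parameter '{p}' is not secure; its value will appear in deployment history")
    print(json.dumps(harden(SAMPLE_TEMPLATE)["parameters"], indent=2))
```

The name heuristic is deliberately loose (it will flag `monkeyCount`); in a real pipeline it is cheaper to review a false positive than to rotate a credential that was written into deployment history. The same check is worth running over the deployment history itself, since a template that was fixed later may still have an older deployment whose parameters are readable.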
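The managed-identity points above (enumerate identities, roles and reachable resources; user-assigned identities shared too widely become a pivot from any one attached resource to everything the identity can do) reduce, on the defender's side, to a blast-radius report per identity. This is an added example, not from the interview or NetSPI; the inventory and role assignments are constructed stand-ins for what `az identity list` and `az role assignment list` return, and the `max_share` threshold is an assumption.

```python
"""Blast-radius report for user-assigned managed identities.
A user-assigned identity can be attached to many resources; whoever controls
any one of them can request the identity's token and use every role it holds.
The report shows, per identity, how many resources share it and which roles it
carries, so over-shared or over-privileged identities can be split.
Added example with constructed data, not real subscription contents."""
from collections import defaultdict

# Roles that amount to control of the scope they are granted on.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed inventory: resource ID -> user-assigned identities attached to it.
RESOURCE_IDENTITIES = {
    "/subscriptions/sub1/resourceGroups/rg-web/providers/Microsoft.Web/sites/web-frontend": ["id-shared"],
    "/subscriptions/sub1/resourceGroups/rg-web/providers/Microsoft.Web/sites/web-api": ["id-shared"],
    "/subscriptions/sub1/resourceGroups/rg-jobs/providers/Microsoft.Compute/virtualMachines/batch-01": ["id-shared"],
    "/subscriptions/sub1/resourceGroups/rg-data/providers/Microsoft.Web/sites/etl": ["id-etl"],
}

# Constructed role assignments: identity -> list of (role, scope).
ROLE_ASSIGNMENTS = {
    "id-shared": [("Contributor", "/subscriptions/sub1/resourceGroups/rg-data"),
                  ("Storage Blob Data Reader", "/subscriptions/sub1/resourceGroups/rg-web")],
    "id-etl": [("Storage Blob Data Contributor", "/subscriptions/sub1/resourceGroups/rg-data")],
    "id-orphan": [("Reader", "/subscriptions/sub1")],
}


def identity_report(resource_identities, role_assignments, max_share=2):
    """Return {identity: {"resources": [...], "roles": [...], "risk": [...]}}.
    max_share is an assumed policy limit on how many resources may share one
    identity; anything above it is reported."""
    attached = defaultdict(list)
    for resource, ids in resource_identities.items():
        for ident in ids:
            attached[ident].append(resource)

    report = {}
    for ident in sorted(set(attached) | set(role_assignments)):
        resources = sorted(attached.get(ident, []))
        roles = role_assignments.get(ident, [])
        risks = []
        if len(resources) > max_share:
            risks.append(f"shared by {len(resources)} resources (limit {max_share})")
        for role, scope in roles:
            if role in PRIVILEGED_ROLES:
                risks.append(f"{role} at {scope}")
        if len(resources) > 1 and any(r in PRIVILEGED_ROLES for r, _ in roles):
            # the pivot the interview describes: own one resource, reach the scope
            risks.append("any attached resource can pivot to the privileged scope")
        if not resources:
            risks.append("unused identity with live role assignments")
        report[ident] = {"resources": resources, "roles": roles, "risk": risks}
    return report


if __name__ == "__main__":
    for ident, entry in identity_report(RESOURCE_IDENTITIES, ROLE_ASSIGNMENTS).items():
        print(f"{ident}: {len(entry['resources'])} resource(s), {len(entry['roles'])} role(s)")
        for risk in entry["risk"]:
            print(f"  - {risk}")
```

In a real tenant the two input maps come from the resource inventory (the `identity.userAssignedIdentities` block on each resource) and from role assignments filtered to the identities' principal IDs; the report logic does not change. Identities with no attached resource but live role assignments are worth listing too, because the contributor-level path mentioned above (assign an existing identity to a resource you control) only needs the identity to exist.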

This also reminded me of Varonis - see who can and does access resources - remove unnecessary access. Enterprise only - no pricing page - schedule a demo.

PS: I bought the book and started reading it. It’s kinda like a pentester’s handbook.

This post is licensed under CC BY 4.0 by the author.