<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Rainy Days Security Blog</title>
    <link>https://codyburkard.com/</link>
    <description>Recent content on Rainy Days Security Blog</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en</language>
    <lastBuildDate>Fri, 22 Nov 2024 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://codyburkard.com/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Tips and Tricks: Covert secret theft from self-hosted Integration Runtimes</title>
      <link>https://codyburkard.com/blog/abusingselfhostedintegrationruntimes/</link>
      <pubDate>Fri, 22 Nov 2024 00:00:00 +0000</pubDate>
      <guid>https://codyburkard.com/blog/abusingselfhostedintegrationruntimes/</guid>
      <description>Introduction In this post, we will dive into Self-Hosted Integration Runtimes, and how to extract secrets from them without ever touching disk.&#xA;Integration Runtimes are the compute behind Data Factory. They mostly act as data movers and data transformers, and tend to have a significant amount of access to systems around them. This means they tend to contain a lot of secrets: API keys, Service Principal Client Secrets, Access Tokens for various PaaS offerings, Usernames and Passwords, and even Managed Identities.</description>
    </item>
    <item>
      <title>Tips and Tricks: Post Compromise Abuse of Azure API Management</title>
      <link>https://codyburkard.com/blog/apimabuse/</link>
      <pubDate>Thu, 21 Nov 2024 00:00:00 +0000</pubDate>
      <guid>https://codyburkard.com/blog/apimabuse/</guid>
      <description>Introduction In this short post, we will take a look at a simple way to maintain persistence and abuse Azure API Management after gaining an initial foothold to the environment.&#xA;Often it is unclear what you can do with Azure Resources once you have administrative access to them. Azure API Management is one such resource - it offers plenty of avenues for abuse, but you need to understand how it is used and how it is configured in order to abuse it.</description>
    </item>
    <item>
      <title>Abusing tcp tunneling in Azure Bastion</title>
      <link>https://codyburkard.com/blog/bastionabuse/</link>
      <pubDate>Sat, 12 Nov 2022 12:00:00 +0000</pubDate>
      <guid>https://codyburkard.com/blog/bastionabuse/</guid>
      <description>Introduction Native client support is a fairly new feature in Azure Bastion, which allows users to use native SSH and RDP programs to connect to Bastion instead of using the Azure Bastion web interface. In this article, we explore how Azure Bastion Native Client support works, and how an adversary could abuse this feature to perform attacks against Azure VMs over private IP addresses, without having direct network connectivity to the VM.</description>
    </item>
    <item>
      <title>Just-in-time privilege escalation - A silver token for bypassing PIM</title>
      <link>https://codyburkard.com/blog/jitprivilegeescalation/</link>
      <pubDate>Mon, 20 Jun 2022 01:11:04 +0200</pubDate>
      <guid>https://codyburkard.com/blog/jitprivilegeescalation/</guid>
      <description>Summary Microsoft Privileged Identity Management (PIM) provides features for limiting standing permissions in a tenant by allowing Just In Time (JIT) administrative role assignments to users. A patient attacker that has compromised a low privileged user with PIM eligibility may bypass any PIM configuration to eventually assume the elevated permissions of that user. This article explains how to easily bypass PIM in these scenarios, how the Microsoft Identity Platform implements PIM, and my personal defense as to why this is a security issue.</description>
    </item>
    <item>
      <title>About Me</title>
      <link>https://codyburkard.com/about/</link>
      <pubDate>Sat, 21 May 2022 00:00:00 +0000</pubDate>
      <guid>https://codyburkard.com/about/</guid>
      <description>Hi! Thanks for visiting my blog!&#xA;My name is Cody Burkard. I am an American penetration tester and cyber security researcher living in Norway.&#xA;I have been working professionally as a penetration tester, application security specialist, and Microsoft Azure offensive security specialist for over five years. Within this time I have also played various roles on the architectural side, primarily working with secure cloud native application and enterprise architectures that utilize Azure PaaS offerings.</description>
    </item>
    <item>
      <title>Abusing dynamic groups in Azure AD for privilege escalation</title>
      <link>https://codyburkard.com/blog/abusingdynamicgroups/</link>
      <pubDate>Thu, 09 Jul 2020 12:00:00 +0000</pubDate>
      <guid>https://codyburkard.com/blog/abusingdynamicgroups/</guid>
      <description>Introduction As organizations continue to migrate parts or all of their infrastructure to the cloud, security personnel need to adapt and understand the threats related to this cloud transition. At first glance, this doesn’t appear all too complicated, and security teams can take similar approaches to network security as they have in traditional on-premises networks: VPNs for connectivity, network segmentation, network security appliances, agents, hardened virtual machines, etc. While these are all valid security measures for cloud infrastructure, they don’t address security concerns related to the management of infrastructure and users in the cloud.</description>
    </item>
  </channel>
</rss>
